Cassandra: Distributed Access Control Policies with Tunable Expressiveness

Moritz Y. Becker and Peter Sewell, 5th IEEE POLICY, 2004

Slide 1/12: Cassandra: Distributed Access Control Policies with Tunable Expressiveness
Moritz Y. Becker and Peter Sewell, Computer Laboratory, University of Cambridge, U.K.

Slide 2/12: Cassandra: Yet Another PSL?

Cassandra is a distributed trust management, rule-based policy specification language (PSL):
- role-based: role activation, deactivation, and actions
- distributed: credential management

Why yet another PSL?
- a wide range of applications need tunable expressiveness
- formal semantics, for the language and for the access control dynamics
- distributed query evaluation with guaranteed termination
- a practical foundation: a real-life case study

Slide 3/12: Cassandra Overview

[Architecture diagram] A Cassandra entity exposes an interface accepting four requests: perform action, activate role, deactivate role, and request credential. The access control engine invokes the policy evaluator, which queries the entity's policy (rules and credentials), issues remote queries to other entities, and, on success, either modifies the policy (activations and deactivations) or grants access to the resources (actions).

Slide 4/12: Access Control Semantics (1/2)

What: specifies the dynamic meaning of the 4 requests
Why: makes subtle design decisions explicit

- Can e perform action a on s's service?
  deduce permits(e, a)
- Can e activate role r on s's service?
  deduce canActivate(e, r); add hasActivated(e, r) to s's policy

Slide 5/12: Access Control Semantics (2/2)

- Can e deactivate e''s role r on s's service?
  deduce canDeactivate(e, e', r); under the assumption isDeactivated(e', r), deduce all isDeactivated(e'', r') on s's service; remove all corresponding hasActivated(e'', r') from s's policy
- Can e request credential c from s?
  deduce canReqCred(e, c) on s's service; then deduce c itself and return it to e

8 8 8 A F : F E F O 9 : O O Cassandra: Distributed Access Control Policies with Tunable Expressiveness p. 6/12 Policy Specification entities control access to their resources with a Cassandra policy a policy is a set of rules based on Datalog rules are of the form K @NM E =>4? GHJI BDCE M KK @NM =>? I OK GHJI I FLK BDCE @ ; =>4? :<; (where, are entities and constraint domain) BDCE P HJI I P is a constraint from the

Q Q Q Q Y ] \ c R ca S c c Cassandra: Distributed Access Control Policies with Tunable Expressiveness p. 6/12 Policy Specification entities control access to their resources with a Cassandra policy a policy is a set of rules based on Datalog rules are of the form a XNb \ UV4W ^_J` ` ZD[\ b aa XNb ] UV W S ] ]La ^_J` ` ZD[\ X T UV4W S<T (where, are entities and constraint domain) ZD[\ d _J` ` d is a constraint from the predicates with special access control meaning: permits, hasactivated, canactivate, candeactivate, isdeactivated, canreqcred

e e e e e y r m q i g p t g q p m q w f i g p t g w w Cassandra: Distributed Access Control Policies with Tunable Expressiveness p. 6/12 Policy Specification entities control access to their resources with a Cassandra policy a policy is a set of rules based on Datalog rules are of the form u lnv p ij4k rsjt ndop v uu lnv ij k t wu rsjt t qlu ndop l h ij4k g<h (where, are entities and constraint domain) ndop x sjt t x is a constraint from the predicates with special access control meaning: permits, hasactivated, canactivate, candeactivate, isdeactivated, canreqcred Example: suppose a hospital s policy contains canactivate vdoctor NHS vcertifieddoctor izy u canactivate i y l l {} y l l v {} Alice ~

Slide 7/12: Constraint Domains for Tuning Expressiveness

- the simplest constraint domain, C0: just {true, false}
- a useful one for complex policies, C1: constraints over constants, integers, tuples and sets (equality and ordering such as <, set membership and inclusion)
- constraint domains must support satisfiability checking, projection and subsumption checking
- for guaranteed termination, constraint domains have to be constraint compact
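The three operations the slide lists, as an added example that is not code from the paper or its prototype. The constraint domain here (a conjunction of integer bounds on named variables) and the dates are assumptions for this example; it is far simpler than the paper's C1, but enough to show what an evaluator uses satisfiability, projection and subsumption checking for:

```python
# Added example, not the paper's own C1: a toy constraint domain whose
# constraints are conjunctions of integer interval bounds lo <= v <= hi on
# named variables, with the three operations the evaluator needs. The empty
# conjunction is "true" and any empty interval is "false", so C0 is the
# special case with no variables at all. Dates below are constructed.
INF = float('inf')

class Bounds:
    def __init__(self, bounds=None):
        self.b = dict(bounds or {})          # variable -> (lo, hi)

    def conj(self, other):
        """Conjunction: intersect the intervals variable by variable."""
        out = dict(self.b)
        for v, (lo, hi) in other.b.items():
            lo0, hi0 = out.get(v, (-INF, INF))
            out[v] = (max(lo0, lo), min(hi0, hi))
        return Bounds(out)

    def satisfiable(self):
        """Satisfiability checking: no interval may be empty."""
        return all(lo <= hi for lo, hi in self.b.values())

    def project(self, keep):
        """Projection onto keep: drop the other variables (exact here, since
        the intervals do not relate variables to each other)."""
        return Bounds({v: iv for v, iv in self.b.items() if v in keep})

    def subsumes(self, other):
        """Subsumption checking: every solution of other satisfies self."""
        if not other.satisfiable():
            return True
        return all(other.b.get(v, (-INF, INF))[0] >= lo and
                   other.b.get(v, (-INF, INF))[1] <= hi
                   for v, (lo, hi) in self.b.items())

def add_answer(store, c):
    """Record a constrained answer unless one already stored subsumes it.
    This is the check that lets a constrained-Datalog evaluator stop
    instead of re-deriving narrower versions of the same answer."""
    if not c.satisfiable() or any(s.subsumes(c) for s in store):
        return False
    store.append(c)
    return True

def demo():
    # a role-validity constraint of the form start <= now <= end, as in the
    # "role validity dates" idiom; 'now' is the request's current time
    validity = Bounds({'now': (20040101, 20041231)})
    in_date = validity.conj(Bounds({'now': (20040601, 20040601)})).satisfiable()
    expired = validity.conj(Bounds({'now': (20050301, 20050301)})).satisfiable()
    store = []
    first = add_answer(store, Bounds({'now': (20040101, 20041231)}))   # new
    second = add_answer(store, Bounds({'now': (20040301, 20040630)}))  # subsumed
    third = add_answer(store, Bounds({'now': (20040101, 20051231)}))   # wider: new
    proj = Bounds({'now': (1, 5), 'end': (5, INF)}).project({'now'}).b
    return in_date, expired, first, second, third, len(store), proj
```

Subsumption is what makes the termination argument work: a domain in which every chain of ever-wider answers eventually stabilises (constraint compact, in the slide's words) lets add_answer reject the narrower answers and the fixpoint is reached; a domain where a rule can keep producing strictly new, non-subsumed constraints could loop.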

Slide 8/12: Policy Idioms in Cassandra (1/2)

appointment:
    canActivate(y, AppointEmployee(x)) <- hasActivated(y, Manager)
    canActivate(x, Employee) <- hasActivated(y, AppointEmployee(x))

appointment revocation:
    isDeactivated(x, Employee) <- isDeactivated(y, AppointEmployee(x))

Slide 9/12: Policy Idioms in Cassandra (2/2)

grant-dependent vs grant-independent appointment revocation:
    canDeactivate(y, x, Employee) <- hasActivated(y, AppointEmployee(x))
    canDeactivate(y, x, Employee) <- hasActivated(y, Manager)

cascading appointment revocation:
    isDeactivated(y, AppointEmployee(x)) <- isDeactivated(z, AppointManager(y))

others: role hierarchy, role delegation, separation of duties, role validity dates, cardinality/manifold constraints, trust negotiation, ...
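The request semantics of slides 4 and 5, the rule form and remote query of slide 6, and the appointment and revocation idioms of slides 8 and 9, run end to end in one added example. This is not the Cassandra implementation or any code from the paper: a single naive Datalog fixpoint over every entity's rules stands in for the distributed query evaluation, the constraint domain is left out (rules are plain Datalog), and the entities, roles and actions (Hospital, NHS, Corp, Bob, Alice, EnterBuilding) are constructed. A variable that a rule leaves free in its head, as the appointment idiom does with x in canActivate(y, AppointEmployee(x)), stays in the derived atom and is read as "any value" when a request is checked:

```python
# Added example, not the Cassandra implementation or the slides' code: a tiny
# bottom-up Datalog evaluator for Cassandra-style rules plus the dynamic meaning
# of the action, activate and deactivate requests; names are constructed.

def unify(pat, val, env):
    """Match pattern term pat against term val; None if they clash."""
    if isinstance(pat, str) and pat.startswith('?'):        # variable
        return {**env, pat: val} if env.get(pat, val) == val else None
    if isinstance(pat, tuple) and isinstance(val, tuple) and len(pat) == len(val):
        for p, v in zip(pat, val):                           # atom or role structure
            env = unify(p, v, env)
            if env is None:
                return None
        return env
    return env if pat == val else None                       # constant

def subst(t, env):
    if isinstance(t, tuple):
        return tuple(subst(x, env) for x in t)
    return env.get(t, t) if isinstance(t, str) else t

def matches(body, facts, env):
    """Environments under which every body atom matches some fact."""
    if not body:
        yield env
        return
    for f in facts:
        env2 = unify(body[0], f, env)
        if env2 is not None:
            yield from matches(body[1:], facts, env2)

def deduce(rules, facts):
    """Naive fixpoint over (head, body) rules; an atom is (location_entity,
    predicate, args) and a parameterised role a tuple like ('AppointEmployee', 'Alice')."""
    derived = set(facts)
    while True:
        new = {subst(head, env) for head, body in rules
               for env in matches(body, derived, {})} - derived
        if not new:
            return derived
        derived |= new

class World:
    """Every entity's rules plus the hasActivated facts that form the state."""
    def __init__(self):
        self.rules, self.facts = [], set()
    def rule(self, loc, pred, args, body=()):
        self.rules.append(((loc, pred, args), list(body)))
    def holds(self, atom):          # a variable left in a derived atom means "any value"
        return any(unify(d, atom, {}) is not None for d in deduce(self.rules, self.facts))
    def perform_action(self, s, e, a):       # can e perform a on s's service?
        return self.holds((s, 'permits', (e, a)))
    def activate(self, s, e, r):             # can e activate r on s's service?
        if not self.holds((s, 'canActivate', (e, r))):
            return False
        self.facts.add((s, 'hasActivated', (e, r)))
        return True
    def deactivate(self, s, e, e2, r):       # can e deactivate e2's role r?
        if not self.holds((s, 'canDeactivate', (e, e2, r))):
            return False
        # assume isDeactivated(e2, r), deduce all isDeactivated at s, drop those
        # hasActivated facts: this is what makes appointment revocation cascade
        closure = deduce(self.rules, self.facts | {(s, 'isDeactivated', (e2, r))})
        self.facts -= {(loc, 'hasActivated', args) for loc, p, args in closure
                       if loc == s and p == 'isDeactivated'}
        return True

def build_world():
    w = World()
    # slide 6: the hospital relies on a credential held at NHS (a remote literal)
    w.rule('Hospital', 'canActivate', ('?x', 'Doctor'),
           [('NHS', 'hasActivated', ('?x', 'CertifiedDoctor'))])
    w.facts.add(('NHS', 'hasActivated', ('Alice', 'CertifiedDoctor')))
    # slides 8-9 at Corp: appointment, own-role deactivation, cascading revocation
    w.rule('Corp', 'canActivate', ('Bob', 'Manager'))               # bootstrap
    w.rule('Corp', 'canActivate', ('?y', ('AppointEmployee', '?x')),
           [('Corp', 'hasActivated', ('?y', 'Manager'))])
    w.rule('Corp', 'canActivate', ('?x', 'Employee'),
           [('Corp', 'hasActivated', ('?y', ('AppointEmployee', '?x')))])
    w.rule('Corp', 'permits', ('?x', 'EnterBuilding'),
           [('Corp', 'hasActivated', ('?x', 'Employee'))])
    w.rule('Corp', 'canDeactivate', ('?x', '?x', '?r'),
           [('Corp', 'hasActivated', ('?x', '?r'))])
    w.rule('Corp', 'isDeactivated', ('?x', 'Employee'),
           [('Corp', 'isDeactivated', ('?y', ('AppointEmployee', '?x')))])
    return w

def run_scenario():
    w = build_world()
    return [w.activate('Hospital', 'Alice', 'Doctor'),                  # True: NHS-certified
            w.activate('Hospital', 'Carol', 'Doctor'),                  # False
            w.activate('Corp', 'Bob', 'Manager'),                       # True
            w.activate('Corp', 'Alice', 'Employee'),                    # False: not appointed
            w.activate('Corp', 'Bob', ('AppointEmployee', 'Alice')),    # True
            w.activate('Corp', 'Alice', 'Employee'),                    # True
            w.perform_action('Corp', 'Alice', 'EnterBuilding'),         # True
            w.deactivate('Corp', 'Bob', 'Bob', ('AppointEmployee', 'Alice')),  # True, cascades
            w.perform_action('Corp', 'Alice', 'EnterBuilding')]         # False: revoked
```

The last two steps are the point of the isDeactivated closure in the deactivation semantics: Bob only drops his own AppointEmployee(Alice) role, yet Alice's Employee activation disappears with it because the revocation rule derives isDeactivated(Alice, Employee) from the assumed isDeactivated(Bob, AppointEmployee(Alice)). Without that closure the stale hasActivated fact would stay in the policy and Alice would keep the permission her appointer no longer vouches for.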

Slide 10/12: National EHR in UK

NHS planning ICRS with online EHR for clinicians and patients

Difficulties:
- huge: 100m records, 400m episodes/yr, 1bn accesses/yr
- changing requirements
- distributed policies
- patient confidentiality requirements
- access control can be configured by patients/clinicians

Our three-layer approach: Master Patient Index (1), EHR servers (100s), health orgs (1000s)

Cassandra policies for all layers: 310 rules, 58 roles, 10 actions, covering patient consent, third-party consent, personal AC configuration, legal agents, staff appointment, clinician certification

Slide 11/12: An Example from the EHR Policy

Prerequisite for Treating-clinician:
    canActivate(cli, Treating-clinician(pat, org, spcty)) <-
        org@org.canActivate(cli, Group-treating-clinician(pat, group, org, spcty)),
        ra@ra.hasActivated(org, NHS-health-org-cred(start, end)),
        ra in NHS-registration-authorities,
        start <= Current-time <= end

Slide 12/12: Conclusion

- Cassandra's expressiveness is tunable; it is very expressive with C1:
  - high-level enough for concise and readable policies
  - low-level enough to express a wide range of policies
- formal foundation
- substantial case study
- prototype implementation