职责分离SoDSeparationofduty.docx

鲁剑锋 2009年3月2日 星期一 职责分离SoD：Separation of duty 安全策略约束之 内容 SoD简介 SoD分类 SoD执行方法 研究展望 SoD简介 The concept of SoD has long existed in the physical world, sometimes under the name “the two-man rule”, for example, in the banking industry and the military. 1975： In the information security literature the notion of SoD first appeared in Saltzer and Schroeder under the name “separation-of privilege”. 1992：In one of the earliest papers on RBAC, Ferraiolo and Kuhn used the terms static and dynamic SoD to refer to static and dynamic enforcement of SoD. 1995：Ferraiolo et al. defined static SoD as: “A user is authorized as a member of a role only if that role is not mutually exclusive with any of the other roles for which the user already possesses membership.” SoD简介 ssod definition smer definition SoD简介 The dangers with equating SMER constraints with SoD policies is A danger with equating SMER constraints with SoD policies is that the SMER constraints may be specified without a clear specification of what objectives they are intended to meet; consequently, it is unclear whether the higher-level objectives are met by the constraints or not. Another danger with equating SMER constraints with SoD policies is that even though when SMER constraints are specified there exist a clear understanding of what SoD policies are desired, when the assignment of permissions to roles changes, the SMER constraints may no longer be adequate for enforcing the desired SSoD policies. Low level of access control granularity. (permission vs role) SoD分类 Static separation of duty typically constrains the assignment of users and permissions to roles. Dynamic separation of duty typically constrains the activation of roles and invocation of permissions in the run-time environment. Historical separation of duty typically constrains the invocation of permissions over the course of time SoD分类-ssod ssod分类（in RBAC） User-based separation of duty Role-based separation of duty Permission-based separation of duty O