Attribute-based access control
Maarten Decat, iMinds-DistriNet
[email protected], @maartendecat
Access control models: how to express who can do what

● Access control matrix
● Access control lists
● Discretionary access control (DAC)
● Mandatory access control (MAC): the Bell-LaPadula model, the Biba model
● Information flow control
● Role-based access control (RBAC)
● Attribute-based access control
● Relationship-based access control
● Entity-based access control
Role-based access control

[Figure: users are assigned to roles (Manager, Helpdesk operator), and each role is granted read/write permissions on assets.]
The problem with role-based access control

[Figure sequence: role explosion. The organisation starts with five roles (Manager, Helpdesk operator, Developer, Secretary, Accountant). To express finer rules, roles get split along new dimensions: Manager of R&D dept, Manager of finance dept, Manager of sales dept; Secretary with color print, Secretary without color print; one role per owned document (owns_docA, owns_docB, ..., owns_docG, ...). Combining the dimensions yields roles such as "Secretary of finance dept with color print owns docE", "Secretary of sales dept without color print owns docB", "Helpdesk operator assigned to Customer A", ..., so the number of roles grows with the product of the dimensions rather than with their sum.]
Attribute-based access control

[Figure: the RBAC picture redrawn with attributes instead of roles. Access rules refer to attributes from four categories (grouping reconstructed from the slide layout):
● Subject: identity, location, department
● Resource: type, date, confidentiality label, amount
● Action: action type
● Environment: device type, timestamp, system state]

Example rule: Managers of the auditing department in Brussels can inspect the financial reports from the current financial year within office hours.

Three properties of attribute-based rules, as the example shows:
1. fine-grained access control
2. context-aware access control
3. dynamic access control
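To make the example rule concrete, here is an added example (not code from the slides) that evaluates it over the four attribute categories of the figure. Every clause of the sentence maps onto one attribute comparison. The attribute names (roles, department, location, type, year, timestamp), the sample request, and the definition of office hours are assumptions of this example; "financial year" is simplified to the calendar year of the request timestamp.

```python
"""Evaluating the slide's example rule over subject, resource, action and
environment attributes. Added example; attribute names and sample values are
constructed, not taken from the slides."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Request:
    """One access request: attributes grouped as on the slide."""
    subject: dict      # identity, location, department, roles, ...
    resource: dict     # type, year, confidentiality label, ...
    action: dict       # action type, ...
    environment: dict  # device type, timestamp, system state, ...


def within_office_hours(ts: datetime) -> bool:
    """Office hours assumed to be Monday to Friday, 09:00 to 17:00."""
    return ts.weekday() < 5 and time(9, 0) <= ts.time() < time(17, 0)


def financial_report_rule(req: Request) -> bool:
    """The example rule: each clause of the sentence is one comparison."""
    s, r, a, e = req.subject, req.resource, req.action, req.environment
    now = e["timestamp"]
    return (
        "manager" in s.get("roles", ())          # "Managers"
        and s.get("department") == "auditing"    # "of the auditing department"
        and s.get("location") == "Brussels"      # "in Brussels"
        and a.get("type") == "inspect"           # "can inspect"
        and r.get("type") == "financial_report"  # "the financial reports"
        and r.get("year") == now.year            # "from the current financial year"
        and within_office_hours(now)             # "within office hours"
    )


RULES = (financial_report_rule,)


def decide(req: Request) -> str:
    """Deny by default: a request is permitted only if some rule permits it."""
    return "Permit" if any(rule(req) for rule in RULES) else "Deny"


def sample_request(subject=None, resource=None, action=None, environment=None) -> Request:
    """Constructed sample request; each keyword merges overrides into one group."""
    return Request(
        {"identity": "u123", "roles": ("manager",), "department": "auditing",
         "location": "Brussels", **(subject or {})},
        {"type": "financial_report", "year": 2015, "conf_label": "internal",
         **(resource or {})},
        {"type": "inspect", **(action or {})},
        {"device_type": "laptop", "timestamp": datetime(2015, 3, 10, 10, 30),  # a Tuesday
         "system_state": "normal", **(environment or {})},
    )


def demo_decisions() -> dict:
    """Decisions for a few constructed variations of the sample request."""
    saturday = datetime(2015, 3, 14, 10, 30)
    evening = datetime(2015, 3, 10, 18, 0)
    return {
        "baseline": decide(sample_request()),                                        # Permit
        "other_location": decide(sample_request(subject={"location": "Leuven"})),    # Deny
        "not_manager": decide(sample_request(subject={"roles": ("accountant",)})),   # Deny
        "last_year": decide(sample_request(resource={"year": 2014})),                # Deny
        "other_action": decide(sample_request(action={"type": "modify"})),           # Deny
        "weekend": decide(sample_request(environment={"timestamp": saturday})),      # Deny
        "evening": decide(sample_request(environment={"timestamp": evening})),       # Deny
    }


if __name__ == "__main__":
    for name, decision in demo_decisions().items():
        print(f"{name}: {decision}")
```

Note how the three properties from the slide show up: the rule is fine-grained (it distinguishes managers by department and location), context-aware (it reads the environment's timestamp) and dynamic (the same subject gets a different answer on Saturday, in the evening, or next year, without any change to roles or permissions).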
ABAC in an enterprise

[Figure: two levels. At the governance level the CISO writes the business policy. At the operational level employees make access requests against an application policy, and systematic access reviews check the outcome. The slide marks the links between business policy, application policy, access requests and access reviews with "?" and "x".]
Attributes for access management

[Figure: a guard mediates a user's actions on an asset. A security manager manages the security information, an HR administrator manages the employee information, and roles & entitlements are managed as a separate concern.]

Attributes as access management

[Figure: the same guard, now driven by security rules written by the security manager and by attributes, which are the employee information the HR administrator already manages.]
Attributes as an enabler for the future

1. Attributes can be fetched remotely = good for federated applications
2. You do not need the identity of the subject = good for privacy
3. As a researcher, it looks future-proof
   a. ABAC supports many advanced policies, e.g., history-based policies, dynamic separation of duty and breaking-the-glass procedures, ...
   b. Many of the newest access control models can be mapped onto attributes, e.g., ReBAC, EBAC [Bogaerts2015], obligations [Park2004], ...
   c. A lot is still happening in this field, e.g., formal definition of this model and its properties (e.g., [Jin2012a]), languages for expressing attribute-based rules (e.g., [XACML, Crampton2012]), mutable attributes (e.g., [Park2004]), attribute aggregation in federated identity management (e.g., [Chadwick2009]), encryption of attributes (e.g., [Asghar2011]), policy engineering for ABAC (e.g., [Krau2013]), performance (e.g., [Brucker2010]), ...
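Two of the advanced policies listed under 3a, as an added example (not code from the slides): dynamic separation of duty written as a history-based rule, where the payment's "history" attribute records who submitted and approved it and a permitted action updates that attribute (the mutable-attribute idea the slide cites as [Park2004]); and breaking the glass, where a declared emergency overrides the office-hours clause but the permit carries obligations (the obligation idea also cited as [Park2004]) that the enforcement point must fulfil. All attribute names, role names and sample subjects are assumptions of this example.

```python
"""History-based dynamic separation of duty and break-the-glass over
attributes. Added example; names and sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    permit: bool
    obligations: tuple = ()   # what the enforcement point must do on permit
    reason: str = ""


def evaluate(subject: dict, resource: dict, action: str, env: dict) -> Decision:
    """Deny-by-default evaluation; the first matching rule decides."""
    roles = subject.get("roles", ())
    kind = resource.get("type")

    # Rule 1: payments. A payment is submitted once and approved once, and the
    # approver must differ from the submitter. 'history' is a mutable resource
    # attribute: it is read here and updated when the action is permitted.
    if kind == "payment" and "finance" in roles:
        history = resource.setdefault("history", [])
        submitters = {who for what, who in history if what == "submit"}
        approvers = {who for what, who in history if what == "approve"}
        if action == "submit" and not submitters:
            history.append(("submit", subject["id"]))
            return Decision(True, reason="first submission")
        if action == "approve" and submitters and not approvers:
            if subject["id"] in submitters:
                return Decision(False, reason="dynamic SoD: submitter may not approve")
            history.append(("approve", subject["id"]))
            return Decision(True, reason="approved by a different person")
        return Decision(False, reason="no payment rule permits this action")

    # Rule 2: financial reports. Normally readable during office hours only;
    # outside them, a declared emergency breaks the glass and adds obligations.
    if kind == "financial_report" and "finance" in roles and action == "read":
        if env.get("office_hours", False):
            return Decision(True, reason="ordinary access")
        if env.get("emergency", False):
            return Decision(True,
                            obligations=("log_break_glass", "notify_security_officer"),
                            reason="break the glass")
        return Decision(False, reason="outside office hours, no emergency")

    return Decision(False, reason="no rule matched")


def demo() -> dict:
    """Constructed scenario: alice submits, alice tries to approve, bob approves."""
    alice = {"id": "alice", "roles": ("finance",)}
    bob = {"id": "bob", "roles": ("finance",)}
    payment = {"type": "payment", "id": "P-1"}
    report = {"type": "financial_report", "id": "FY2015"}
    return {
        "alice_submit": evaluate(alice, payment, "submit", {}),          # permit
        "alice_approve": evaluate(alice, payment, "approve", {}),        # deny (SoD)
        "bob_approve": evaluate(bob, payment, "approve", {}),            # permit
        "bob_submit_again": evaluate(bob, payment, "submit", {}),        # deny
        "report_at_night": evaluate(bob, report, "read", {"office_hours": False}),
        "report_emergency": evaluate(bob, report, "read",
                                     {"office_hours": False, "emergency": True}),
        "history": tuple(payment["history"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the policy never needs a role "payment approver for P-1": the history attribute on the resource carries the state, which is exactly the kind of per-object role the earlier slides showed exploding. The obligations on the break-glass permit are what makes the override auditable; a guard that ignores them has not enforced the policy.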
Migrating from RBAC to ABAC

Conceptually, three approaches [Kuhn2010]:
1. Roles as an attribute: the existing roles (Manager, Helpdesk operator, Accountant, Secretary, owns_doc...) become one subject attribute, subject.roles, next to identity, location, department, ...
2. Dynamic roles: attributes (identity, location, department, ...) determine which roles (Manager, Helpdesk operator, Accountant, Secretary, owns_doc...) a subject holds.
3. Constrain roles: roles keep their permissions (Manager: A.read, B.read, B.write, ...), and attributes constrain when those permissions apply.
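The three approaches side by side, as an added example (not code from the slides or from [Kuhn2010]). Role names follow the deck; the permission table, the attribute names (roles, job_title, department, on_shift) and the sample subjects are assumptions of this example. Each approach is one small policy function over the same constructed RBAC starting point, so the differences in where attributes enter are visible.

```python
"""The three RBAC-to-ABAC migration approaches from the slide, written as
policy functions over one constructed RBAC permission table. Added example."""

# Constructed RBAC starting point, as on the deck's RBAC slide:
# a role grants a set of "<asset>.<action>" permissions.
ROLE_PERMISSIONS = {
    "manager": {"docA.read", "docB.read", "docB.write", "docC.read"},
    "helpdesk_operator": {"ticket.read", "ticket.write"},
}


def rbac_permit(roles, resource: dict, action: str) -> bool:
    """Plain RBAC: permitted if any held role carries the permission."""
    wanted = f"{resource['name']}.{action}"
    return any(wanted in ROLE_PERMISSIONS.get(role, ()) for role in roles)


# 1. Roles as an attribute: subject["roles"] is read like any other attribute
#    and combined freely with department, location, ... inside one rule.
def roles_as_attribute(subject: dict, resource: dict, action: str, env: dict) -> bool:
    return ("manager" in subject["roles"]
            and subject["department"] == resource["department"]
            and action in ("read", "write"))


# 2. Dynamic roles: attributes decide which roles are active for this request;
#    the RBAC permission table is untouched.
def activate_roles(subject: dict, env: dict) -> set:
    roles = set()
    if subject.get("job_title") == "manager":
        roles.add("manager")
    if subject.get("job_title") == "helpdesk" and env.get("on_shift", False):
        roles.add("helpdesk_operator")           # only while on shift
    return roles


def dynamic_roles(subject: dict, resource: dict, action: str, env: dict) -> bool:
    return rbac_permit(activate_roles(subject, env), resource, action)


# 3. Constrain roles: RBAC fixes the maximum permissions; attribute checks can
#    only remove some of them, never add any.
def constrain_roles(subject: dict, resource: dict, action: str, env: dict) -> bool:
    if not rbac_permit(subject["roles"], resource, action):
        return False
    return subject["department"] == resource["department"]


def demo() -> dict:
    """Constructed subjects and assets exercising each approach once."""
    manager = {"roles": {"manager"}, "job_title": "manager", "department": "finance"}
    operator = {"roles": set(), "job_title": "helpdesk", "department": "support"}
    doc_b = {"name": "docB", "department": "finance"}
    doc_b_sales = {"name": "docB", "department": "sales"}
    doc_d = {"name": "docD", "department": "sales"}
    ticket = {"name": "ticket", "department": "support"}
    return {
        "attr_own_dept": roles_as_attribute(manager, doc_b, "write", {}),       # True
        "attr_other_dept": roles_as_attribute(manager, doc_d, "write", {}),     # False
        "dyn_on_shift": dynamic_roles(operator, ticket, "write", {"on_shift": True}),   # True
        "dyn_off_shift": dynamic_roles(operator, ticket, "write", {"on_shift": False}), # False
        "constrain_allowed": constrain_roles(manager, doc_b, "write", {}),      # True
        "constrain_other_dept": constrain_roles(manager, doc_b_sales, "write", {}),  # False
        "constrain_no_rbac": constrain_roles(manager, doc_b, "delete", {}),     # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Approach 3 is the safest first step for an existing RBAC deployment: the role/permission tables and the reviews built around them stay valid, and the attribute checks can only tighten what they grant. Approach 1 is the most expressive but discards that guarantee, since a rule can grant access that no role ever carried.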
“Enterprise ABAC carries with it significant development, implementation, and operations costs
as well as a paradigm shift in the way enterprise objects are shared and protected.” -- NIST
Migrating from RBAC to ABAC, revised

Source: [NIST2014]

[Figure: the ABAC lifecycle from [NIST2014] with four phases: Initiation, Implementation, Maintenance, Disposal. Steps shown: establish a business case for ABAC; understand your operational requirements; technical implementation; deploy or adjust business processes; ensure quality.]

● Work incrementally
● You probably already have many of the required processes
Conclusion

ABAC brings many interesting improvements compared to previous models:
● Support more fine-grained access rules
● Separation of concerns between user management and security
● Enables many advanced features
As a result, ABAC is seen by many as the next step in access control.

However, introducing ABAC in an enterprise is not an easy step to take.
● Plan ahead, get everyone involved, start small and work incrementally
Future reading
NIST, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
References

[Asghar2011] Asghar, Muhammad Rizwan, et al. "Espoon: Enforcing encrypted security policies in outsourced environments." 2011.
[Bogaerts2015] Bogaerts, Jasper, et al. "Entity-Based Access Control: supporting more expressive access control policies." 2015.
[Brucker2010] Brucker, Achim D., and Helmut Petritsch. "Idea: efficient evaluation of access control constraints." 2010.
[Chadwick2009] Chadwick, David W., and George Inman. "Attribute aggregation in federated identity management." 2009.
[Crampton2012] Crampton, Jason, and Charles Morisset. "PTaCL: A language for attribute-based access control in open systems." 2012.
[Fong2011] Fong, Philip WL. "Relationship-based access control: protection model and policy language." ACM, 2011.
[Jin2012a] Jin, Xin, Ram Krishnan, and Ravi S. Sandhu. "A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC." 2012.
[Jin2012b] Jin, Xin, Ravi Sandhu, and Ram Krishnan. "RABAC: role-centric attribute-based access control." 2012.
[Krau2013] Krautsevich, Leanid, et al. "Towards policy engineering for attribute-based access control." 2013.
[Kuhn2010] Kuhn, D. Richard, Edward J. Coyne, and Timothy R. Weil. "Adding attributes to role-based access control." 2010.
[Park2004] Park, Jaehong, and Ravi Sandhu. "The UCON ABC usage control model." 2004.
[XACML] eXtensible Access Control Markup Language (XACML) Version 3.0. 2013. OASIS Standard.
Attribute-based access control
Any further questions?
Contact us: [email protected] or @maartendecat
Interested in our events? Subscribe here: http://bit.ly/DistrinetAccessControl