Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Management?
What is ABAC?
Attribute-Based Access Control (ABAC) uses attributes to describe access control rules
and access requests in a structured language. Attributes are sets of labelled properties
which can be used to describe any entity (not only the subject) that needs to be
considered for authorization purposes. ABAC thus offers fine-grained and context-aware
access control that adapts to dynamically changing needs.
What is XACML?
eXtensible Access Control Mark-up Language (XACML) is a structured language for
expressing access policies and a query-response protocol for access requests and
decisions. XACML develops as standard within the Organization for the Advancement
of Structured Information Standards (OASIS).
A Rule defines an effect (permit or deny) for a target that is described in terms of
attributes of subject, resource, action and environment and the conditions for these
attributes.
A Policy consists of rules and a rule-combining algorithm that defines how effects of
rules override each other.
A Policy Set consists of policies and a policy-combining algorithm that defines how
effects of policies override each other.
Besides the structured language and the query-response protocol, XACML has a higher
level architecture consisting of a number of functions (components) as follows.
• Policy Decision Point (PDP) - the heart of an XACML solution that makes the
access decisions.
• Policy Enforcement Point (PEP) - the most security-critical component in the
solution, which protects the resources and enforces the PDP's decision.
• Policy Information Point (PIP) - the external information store providing the
attribute data needed for access decisions.
• Policy Repository (PR) - the XACML policy storage.
• Policy Administration Point (PAP) - the XACML-policy editor.
The relations and the interactions between these components are described in the figure
below.
How does ABAC (Attribute-Based Access Control)
compare to RBAC (Role-Based Access Control)?
Role Based Access Control (RBAC) was originally introduced to simplify the
administration of access permissions, by avoiding direct assignment of them to
individual users, and increasing the level of security by facilitating a mechanism to
enforce Least Privilege and Separation of Duty principles.
Although RBAC is a well-defined model, most large RBAC projects turn out to be very
costly and almost impossible to finalise. The main issues with these projects are:
The interoperability issue is due to the fact that "role" is used in many different ways
and there is no real consensus regarding the terminology. A role can refer to a job
function within an organisational structure, a group and or a name for a collection of
access permissions. However, a job function may have more than one name in different
applications and domains, which of course, leads to confusion and a large number of
non-interoperability issues.
The role explosion issues is due to the fact that RBAC, similar to traditional access
control models Access Control List (ACL) and Mandatory Access Control (MAC),
defines access permissions statically in the form of a snap-shot without considering the
context of the access. Capturing the context, including the dynamics of the environment
in which access permissions can be defined, would mean defining a large set of roles
including permissions for each possible context. Moreover, defining fine grained access
permissions would also create many sets of permissions causing role explosion.
RBAC only focuses on subjects and the permissions granted to them. A user can be
assigned multiple roles and thereby indirectly acquire permissions to related resources.
However, ABAC is quite the opposite, all aspects of an access request are considered
and identified by attributes: the subject who is demanding access, the action which the
subject wants to perform, the resource being accessed and the environment or context in
which access is requested.
This all-inclusive approach makes ABAC an ideal choice when finer granularity and
context-aware authorizations are required. ABAC can be used to create portable and
reusable policies which need to be enforced consistently across multiple platforms and
applications.
To achieve a sustainable solution to this problem we need to attack the root cause.
Risk-intelligence must be built into our IT-infrastructures.
Why Axiomatics?
All right, I'm convinced. Entitlement Management, Attribute Based Access Control
(ABAC) and XACML all make sense. But why Axiomatics rather than one of the full
suite Identity & Access Management vendors?
These are some of the conclusions that existing Axiomatics customers have drawn:
Service Oriented Architectures (SOA) have rapidly evolved and matured in recent years.
Many organizations have standardized all new development within their infrastructures
on SOA concepts. Hence, SOA governance is becoming increasingly important to avoid
the chaos that emerges out of uncoordinated initiatives. SOA developers need to
externalize authorization management, while ensuring local enforcement of access
policies to meet new security and governance requirements.
XACML addresses essential SOA security requirements by introducing authorization as
a service. In fact, effective SOA governance can hardly be achieved without some kind
of shared authorization service as suggested by XACML. The Open Group, for instance,
with its Service Integration Maturity Model (OSIMM), suggests service security policies
should be "dynamic and managed in real-time" if a maturity level of 7 is to be achieved.
This is a strong business case for XACML.
Fortunately, the
solution lies
within the SOA
technology itself.
Authorizations
and access control
can be deployed
as yet another
service. Moreover,
the authorization
service inherently
has the benefits of
the SOA concept.
This is achieved
by consolidating and centralizing administration of authorizations and externalizing real-
time access enforcement as opposed to what is commonly provided through proprietary
solutions in siloed applications.
The benefits of breaking the wall of silos and providing authorizations as a centralized
service to other services and applications are:
One of the main drivers of SOA based IT solutions is to make the enterprises agile and
ready to adapt to organizational changes and the dynamics of their environment. This
puts a lot of pressure on selected security solutions, including authorization management
and access control. Information security should not be a bottleneck. Authorization
mechanisms need to be as agile as the SOA concept itself, yet handle access policies
which can dynamically adapt to a changing context.
Delegating access management for data shared on the ground or in the cloud
Operating environments owned and managed by an entity other than the information
owner, be it an outsourcing partner or a service provider in the cloud, often become the
information security manager's nightmare. Data processing resources can be outsourced,
but liability of information security and privacy always remain with the information
owner. Axiomatics delivers solutions based on XACML 3.0, with flexible delegation of
administrative privileges ideally suited to meet the needs of modern federated
environments.
In these new environments, many organizations have tried to resolve their access
management issues by means of federation. However, federated identities only address
issues with regard to authentication. To handle access permissions within the service
provided, delegation of authorization management privileges must also be achieved.
Service providers typically do not want to manage their client users' authorizations and
moreover, even if they are willing, the service provider may not be trusted. At the same
time, confidentiality and integrity requirements would be severely violated if other
clients were able to impact the authorization policies controlling user access.
Using solutions based on XACML 3.0 and Attribute-Based Access Control (ABAC), a
service provider can configure the overall and general authorization schemes and then
delegate administrative privileges to the respective data owners within the realm of their
respective data processing needs.
Before diving into the security aspects of cloud computing, let us first understand the
basic concept of cloud computing. In cloud computing, cloud stands for internet and
computing means using computer technology, hardware, and software, i.e. using or
sharing the computer technology, hardware and software over the internet. Different
cloud service models are as follows:
Let us see an example of the PaaS cloud service model with the help of a diagram
(shown below). In this example, Demo Bank is a cloud user (consumer) and his vendor
(cloud service provider) is ABC. ABC is providing PaaS (Platform as a Service) to
Demo Bank and Demo Bank has deployed his application (http://public.demobank.com)
on an ABC server called CCServer. Here, Demo Bank doesn’t have to worry about the
infrastructure cost and maintenance, and has control over the deployed application and
possibly application-hosting environment configurations. Eventually, a Demo Bank
client accesses the http://public.demobank.com application as if the application is
hosted by Demo Bank itself.
Diagram: Example of PaaS - Demo Bank Using PaaS cloud service provided
by ABC
Now we know what cloud computing is, but why do we need cloud computing? Well,
the answer is simple - it facilitates deployment of applications without the cost and
complexity of buying and managing the underlying hardware and software layers.
However, due to security issues, the benefits of cloud computing are not being reaped to
their fullest. Some of the important security issues are: