SAML, XACML & the Terrorism Information Sharing Environment “Interoperable Trust Networks” XML Community of Practice February 16, 2005 Martin Smith Program Manager for IT Information Sharing DHS CIO Office

Page 1

SAML, XACML & the Terrorism Information Sharing Environment

“Interoperable Trust Networks” XML Community of Practice

February 16, 2005

Martin Smith, Program Manager for IT Information Sharing, DHS CIO Office

Page 2

The Information-Sharing Environment: Vision of EO 13356

• EO 13356, Aug 27, 2004, called for “establishment of an interoperable terrorism information sharing environment to facilitate automated sharing of terrorism information”

• Interagency group in homeland-security mission space (OMB Chair, DHS, IC, DOD, DOJ, others) delivered recommendations to President 12/24/2004

• Vision was a National shared information-sharing “environment”, based on SOA

• “Environment”, not “network”: boundary defined by flexible access control

Page 3

Access-Control Requirements

• “Federated” to support common pool of credentials, roles, permissions with distributed maintenance
– “harvest” existing trust relationships at Federal, regional and local levels

• Fine-grained: for this application, need accountability to individual person and individual transaction
– sharing requires control
– comprehensive audit capability

• Beyond RBAC, to ABAC and PBAC

Page 4

Implication: look to converging Liberty Alliance/SAML architecture

Source: “Liberty Identity System Role in securing Web Services”, Slava Kavsan, Chief Technologist, RSA Security Inc.

Page 5

Key XML Standard: Security Assertion Markup Language (SAML)

• Basis for exchanging detailed info (credentials, attributes, preferences) to support access decisions

• Architecture includes federation capability

• Standardization status
– 02-Sept-2003: SAML V1.1 approved as an OASIS Standard.

– 16-Feb-2005: Voting begins on approval of SAML V2.0 specifications and schemas as OASIS Standard. Ballot closes 28-Feb-2005

– SAML V1.1 not backwardly compatible with V1.0

Page 6

Policy-based Access Control

[Diagram: three attribute sources feed a Policy Authority (Rules Engine), which returns an Access Decision: Metadata on the Content; Metadata on the User, supplied by a Directory; and the Environment (Threat Level = Orange).]

Policy Authority Business Rules:
If Data:classification <= User:clearance
And User:duty = “Intelligence Analyst”
And ( Data:us_citizen = “No” OR User:employer NOT= “CIA” OR Env:Threat_Level = “Red” )
Then Grant Access

Example content metadata: classification = “Secret”, us_citizen = “Yes”

Page 7

More on PBAC

• Framework to determine appropriate distribution (mandatory access control and need-to-know), required to automate access decisions
– Three sources of data (about the content; about the requestor; about the environment or situation) plus policy rule-set
– Key assertion: the distribution decision is not made by the data custodian
– “Separation of concerns”: originator is expert on the content; directory holds user credentials and roles; policy is created by management

• Benefits of implementing the model for the sharing environment
– Order-of-magnitude gain in speed, cost & consistency of decisions
– Instant, consistent response to changes in environment or in policy
– Can be implemented gradually, via “refer to human decision” option
– Superior alternative to originator control, can be enforced via digital rights management technologies
– Automated process can provide full audit, data for process improvement
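As an added worked example (not part of the slides or of any DHS system), here is the slide 6 business rule evaluated by a small policy decision point over the three attribute sources slide 7 names, with the “refer to human decision” and audit points also shown. The clearance ordering, the attribute key names and the sample requestor are assumptions.

```python
# Added example (not from the slides): a minimal policy decision point (PDP)
# that evaluates the Policy Authority Business Rule from slide 6 over the three
# attribute sources slide 7 names: the content, the requestor, the environment.
# The clearance ordering and the "Refer" outcome are assumptions for this demo.

# Assumed ordering for the "Data:classification <= User:clearance" comparison.
CLEARANCE_ORDER = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def decide(data: dict, user: dict, env: dict) -> str:
    """Return "Permit", "Deny" or "Refer" for one access request.

    "Refer" is slide 7's 'refer to human decision' option: when an attribute
    the rule needs is missing or unrecognised, the PDP does not guess.
    """
    try:
        data_level = CLEARANCE_ORDER[data["classification"]]
        user_level = CLEARANCE_ORDER[user["clearance"]]
        us_citizen = data["us_citizen"]
        duty, employer = user["duty"], user["employer"]
        threat = env["threat_level"]
    except KeyError:
        return "Refer"
    # The rule as written on slide 6, transcribed clause for clause.
    if (data_level <= user_level
            and duty == "Intelligence Analyst"
            and (us_citizen == "No" or employer != "CIA" or threat == "Red")):
        return "Permit"
    return "Deny"

def audit_record(data: dict, user: dict, env: dict) -> dict:
    """Slide 7: the automated process keeps full audit data per transaction.
    Every input is stored with the outcome so the decision can be reproduced
    after the policy or the environment changes."""
    return {"decision": decide(data, user, env),
            "data": data, "user": user, "env": env}

# Constructed sample request: content and environment values are those shown on
# slide 6 (Secret, US citizen, Threat Level Orange); the requestor is assumed.
SAMPLE_DATA = {"classification": "Secret", "us_citizen": "Yes"}
SAMPLE_USER = {"clearance": "Secret", "duty": "Intelligence Analyst", "employer": "CIA"}
SAMPLE_ENV = {"threat_level": "Orange"}

if __name__ == "__main__":
    # US-citizen data, CIA requestor, threat Orange: no disjunct holds, so Deny.
    print(audit_record(SAMPLE_DATA, SAMPLE_USER, SAMPLE_ENV))
    # Same request after the threat level rises to Red: Permit.
    print(audit_record(SAMPLE_DATA, SAMPLE_USER, {"threat_level": "Red"}))
```

Note how the same content and requestor flip from Deny to Permit solely on the environment attribute, which is the “instant, consistent response to changes in environment” the slide claims.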

Page 8

Key XML Standard: Extensible Access-Control Markup Language (XACML)

• Supports greatly increased complexity of access-control decisions: capable of applying “business rules” and not just roles
– “provide a method for basing an authorization decision on attributes of the subject and resource.”
– designed to be used by “policy decision points” in Liberty/SAML architecture

• Not the only policy language, but leading contender for access-control application
– access control ~= digital rights management

• Standardization status
– XACML 2.0 and all the associated profiles approved as OASIS Standards on 1 February 2005
– eXtensible Access Control Markup Language (XACML) Version 1.0 OASIS Standard, 18 February 2003