What is Abac, Rbac, Etc
Transcript of What is Abac, Rbac, Etc
-
8/8/2019 What is Abac, Rbac, Etc
1/12
What is Entitlement
Management?
Entitlement Management is a term used to define important aspects of Access Controlprocedures and technologies in modern IT infrastructures. The term is fairly new and not
always used consistently.
Entitlement Management a new access control
paradigm
Axiomatics defines Entitlement Management as a policy-based approach to enterprise-
wide access control. Our products support the following aspects of policy-based
authorization:
1. Access Policy Management - designing and maintaining accesscontrol policies
2. Access Policy Enforcement - controlling access requests andenforcing access decisions in real-time
3. Access Policy Auditing - reviewing and verifying the effectivenessand efficiency of access controls and policy compliance
Moreover, an entitlement management solution needs to meet the following
requirements:
Standards-based - ensuring interoperability between platforms,
applications and organizations, i.e. no more proprietary solutions andvendor dependencies.
External to applications - providing access control to other servicesand applications, lowering the cost of application development andenabling consistent and enterprise-wide access policies.
Fine-grained - defining access policies in terms of attributes ofsubjects (users), resources and the environment in which access isrequested. This approach goes beyond all the previous access controlmodels including Role Based Access Control (RBAC).
Context-aware - defining access policies not only to answer the
question "who can do what on which resource?", but also "Why?","When?", "Where?" and "How?". Rules and policies combining variousattributes define the context for a permitted access.
What is ABAC?
Attribute-Based Access Control (ABAC) uses attributes to describe access control rules
and access requests in a structured language. Attributes are sets of labelled propertieswhich can be used to describe any entity (not only the subject) that needs to be
-
8/8/2019 What is Abac, Rbac, Etc
2/12
considered for authorization purposes. ABAC thus offers fine-grained and context-aware
access control that adapts to dynamically changing needs.
An abstract view of access control requests can be summarized as follows:
A subject wants to
do something
with a
resource .
in a given
environment or undergiven circumstances
Examples:
Medical
doctor on
duty
wants to
edit
patient A.
Smith's health
record
in the hospital's
emergency reception
office.
Mr. Brown,
father,
wants to
access
an online
absence report
from his daughters
school
from his home
computer via the
Internet at 11 pm.
Bankaccount
holder
wants towithdraw 200
from bankaccount xyz
via ATM machineA located in city B.
Thus, any syntactically correct and semantically meaningful sentence describing an
access request in one way or the other will include building blocks which can be
described with attributes:
What is XACML?
eXtensible Access Control Mark-up Language (XACML) is a structured language for
expressing access policies and a query-response protocol for access requests and
decisions. XACML develops as standard within the Organization for the Advancement
of Structured Information Standards (OASIS).
The XACML language is constructed by a number of building blocks.
A Rule defines an effect (permit or deny) for a target that is described in terms of
attributes ofsubject, resource, action and environment and the conditions for these
attributes.
-
8/8/2019 What is Abac, Rbac, Etc
3/12
A Policy consists of rules and a rule-combining algorithm that defines how effects of
rules override each other.
A Policy Set consists of policies and a policy-combining algorithm that defines how
effects of policies override each other.
Besides the structured language and the query-response protocol, XACML has a higher
level architecture consisting of a number of functions (components) as follows.
Policy Decision Point (PDP) - the heart of an XACML solution that makes the
access decisions.
Policy Enforcement Point (PEP) - the most security-critical component in the
solution, which protects the resources and enforces the PDP's decision.
Policy Information Point (PIP) - the external information store providing the
attribute data needed for access decisions.
Policy Repository (PR) - the XACML policy storage. Policy Administration Point (PAP) - the XACML-policy editor.
The relations and the interactions between these components are described in the figure
below.
-
8/8/2019 What is Abac, Rbac, Etc
4/12
How does ABAC (Attribute-Based Access Control)
compare to RBAC (Role-Based Access Control)?
Role Based Access Control (RBAC) was originally introduced to simplify theadministration of access permissions, by avoiding direct assignment of them to
individual users, and increasing the level of security by facilitating a mechanism to
enforce Least Privilege and Separation of Duty principles.
Although RBAC is a well-defined model, most large RBAC projects turn out to be very
costly and almost impossible to finalise. The main issues with these projects are:
Interoperability - difficulties to agree on a set of roles with a common meaning
that can be shared between applications, platforms, domains and enterprises.
Role explosion - too many roles without clear organisational definitions need to
be administered. In some cases the number of roles has become larger than thenumber of users in the enterprise.
The interoperability issue is due to the fact that "role" is used in many different ways
and there is no real consensus regarding the terminology. A role can refer to a job
function within an organisational structure, a group and or a name for a collection of
access permissions. However, a job function may have more than one name in different
applications and domains, which of course, leads to confusion and a large number of
non-interoperability issues.
The role explosion issues is due to the fact that RBAC, similar to traditional access
control models Access Control List (ACL) and Mandatory Access Control (MAC),
defines access permissions statically in the form of a snap-shot without considering the
context of the access. Capturing the context, including the dynamics of the environment
in which access permissions can be defined, would mean defining a large set of roles
including permissions for each possible context. Moreover, defining fine grained access
permissions would also create many sets of permissions causing role explosion.
RBAC only focuses onsubjects and the permissions granted to them. A user can be
assigned multiple roles and thereby indirectly acquire permissions to related resources.
However, ABAC is quite the opposite, all aspects of an access request are considered
and identified byattributes: thesubjectwho is demanding access, the action which thesubject wants to perform, the resource being accessed and the environmentor context in
which access is requested.
This all-inclusive approach makes ABAC an ideal choice when finer granularity and
context-aware authorizations are required. ABAC can be used to create portable and
reusable policies which need to be enforced consistently across multiple platforms and
applications.
In ABAC permissions are defined in terms ofprivilege-giving attributes. Instead of
defining new roles to represent sets of access permissions ABAC defines the permission
sets by combining the privilege-giving attributes. For example, the three attributes beingan employee, having a driving license and being a Swedish citizen may in different
http://www.axiomatics.com/what-is-abac.htmlhttp://www.axiomatics.com/what-is-abac.html#attributeshttp://www.axiomatics.com/what-is-abac.html#attributeshttp://www.axiomatics.com/what-is-abac.html#attributeshttp://www.axiomatics.com/what-is-abac.html -
8/8/2019 What is Abac, Rbac, Etc
5/12
combinations give different sets of access permissions. Potentially there would be 8 (23)
different sets of access permissions, hence in RBAC 8 different roles that can be named
and need to be managed. But in ABAC we only need to manage the 3 well understood
privilege-giving attributes, which is of course a much simpler task than managing 8
different roles that in most cases do not have any meaning in the organisation.
Governance, Risk and Compliance Management Simplified
Modern IT infrastructures empower their users and thereby introduce new risks. With a
few clicks a single user can subvert a business-critical process and cause considerable
financial loss.
Governance, Risk and Compliance Management (GRC) programs used to implement
efficient and effective control frameworks are therefore becoming an increasinglyimportant focus area for IT and business managers alike.
However, GRC initiatives tend to be reactive, striving to optimize the existing
monitoring, surveillance and auditing capabilities of an organization. Streamlining and
merging control frameworks from different compliance regimes is one common
approach. Nonetheless, even if the GRC overhead becomes more efficiently managed, it
keeps growing.
To achieve a sustainable solution to this problem we need to attack the root cause.
Risk-intelligence must be built into our IT-infrastructures.
This is where Attribute-Based Access Control (ABAC) and Entitlement Management
play an important role by providing:
A standardized way to translate regulatory requirements into access control
policies
Automated and distributed real-time enforcement of policies at every entry point
Enterprise-wide and consistent policy modelling from a central point
Context-aware policy interpretation to adapt to dynamically changing conditions
Centralized auditing capabilities to answer questions such as "who can do what?"
and "who has done what?"
Entitlement Management with ABAC thereby offers real-time enforcement of access
control policies which implement regulatory compliance and risk mitigation plans as a
component of normal day-to-day processing. It enables a shift from reactive surveillance
to proactive enforcement which in turn reduces the GRC overhead and improves control
efficiency.
Why Axiomatics?
All right, I'm convinced. Entitlement Management, Attribute Based Access Control
(ABAC) and XACML all make sense. But why Axiomatics rather than one of the full
-
8/8/2019 What is Abac, Rbac, Etc
6/12
suite Identity & Access Management vendors?
Entitlement Management solutions provide essential infrastructure base components and
the fundamental building blocks for future information security strategies. The integrity,
confidentiality and availability of your most sensitive information is at stake. Hence,
trust is key. Procurement procedures need to establish strict requirements to ensureselected vendors are trustworthy.
These are some of the conclusions that existing Axiomatics customers have drawn:
Commitment. XACML simplifies authorization, yet the technology solution is
complex. Vendors need to be fully committed. Simply adding XACML request-
response capabilities to existing access control engines is insufficient. You need
truly vendor-independent, portable and native XACML policy management in
addition to the capabilities of version 3.0 to handle delegation of administrative
privileges. Axiomatics is the only vendor committed to supporting the full scope
of the XACML standard and thus the only vendor capable of meeting theserequirements.
Know-How. In most organizations the introduction of Attribute Based Access
Control (ABAC) means switching paradigms. This can be a daunting task
without the expertise and support from people who truly understand the profound
effects of transition towards a more sustainable infrastructure. The Axiomatics
team has successfully delivered technology for some of the largest XACML
deployments worldwide. Furthermore, Axiomatics products have developed out
of research projects and several members of the company have Ph.Ds in areas
relating to XACML and Attribute Based Access Control (ABAC).
Vendor-independence for sustainability. One major advantage with a move in
the direction of XACML and ABAC is that what formerly required proprietary
code implemented in each single application, becomes standards-compliant and
open in future infrastructures. Axiomatics is a dedicated vendor without a legacy
of former proprietary solutions and vested interests, an ideal partner when future-
proof access control solution are needed.
Axiomatics is the choice of organisations that require a dedicated vendor capable of
offering a long-term partnership.
SOA developers standardizing their
authorization services
Service Oriented Architectures (SOA) have rapidly evolved and matured in recent years.
Many organizations have standardized all new development within their infrastructures
on SOA concepts. Hence, SOA governance is becoming increasingly important to avoid
the chaos that emerges out of uncoordinated initiatives. SOA developers need to
externalize authorization management, while ensuring local enforcement of access
policies to meet new security and governance requirements.
-
8/8/2019 What is Abac, Rbac, Etc
7/12
XACML addresses essential SOA security requirements by introducing authorization as
a service. In fact, effective SOA governance can hardly be achieved without some kind
of shared authorization service as suggested by XACML. The Open Group, for instance,
with its Service Integration Maturity Model (OSIMM), suggests service security policies
should be "dynamic and managed in real-time" if a maturity level of 7 is to be achieved.This is a strong business case for XACML.
In many enterprises, the SOA reality represents a patchwork of processes as illustrated
below. Layers of overlapping services are added as needs evolve. These are usually
delivering data from a base of legacy information systems to users. The dangers of
separate access control mechanisms being implemented in each single service becomes
obvious, especially in scenarios where data from multiple services is combined into
mashups. The perspective of one single component is simply too narrow for a valid
access control decision.
Fortunately, thesolution lies
within the SOA
technology itself.
Authorizations
and access control
can be deployed
as yet another
service. Moreover,
the authorization
service inherently
has the benefits of
the SOA concept.
This is achieved
by consolidating and centralizing administration of authorizations and externalizing real-
time access enforcement as opposed to what is commonly provided through proprietary
solutions in siloed applications.
Let the walls come tumbling down
The benefits of breaking the wall of silos and providing authorizations as a centralizedservice to other services and applications are:
1. Simplified administration of policies.2. Enterprise-wide access policies through design and enforcement
of policies which implement dependencies across applications.3. Efficient compliance and auditing through elimination of
inconsistencies between policies in different applications.4. Faster and more cost-efficient adaptation to changing
requirements by implementing access control in terms of policies andnot as part of the application code.
One of the main drivers of SOA based IT solutions is to make the enterprises agile and
-
8/8/2019 What is Abac, Rbac, Etc
8/12
ready to adapt to organizational changes and the dynamics of their environment. This
puts a lot of pressure on selected security solutions, including authorization management
and access control. Information security should not be a bottleneck. Authorization
mechanisms need to be as agile as the SOA concept itself, yet handle access policies
which can dynamically adapt to a changing context.
In terms of OSIMM, maturity level 7 "Dynamically Re-Configurable Services",
implicitly makes an architectural solution corresponding to the XACML standard a
necessity. Even with lower maturity levels, the advantage becomes obvious if the
selected architecture offers authorization as a centralized service.
Entitlement Management and Attribute Based Access Control (ABAC) based on
XACML provides an ideal policy based solution for SOA environments. It provides
efficient policy enforcement within each service while enabling a transfer of access
policy management from IT to the business. Partners of Axiomatics have successfully
incorporated XACML based authorization in their models, enabling a high level ofmaturity in their solutions and providing cost savings through efficient reuse of
components.
Delegating access management for data shared on the ground or in the cloud
Operating environments owned and managed by an entity other than the information
owner, be it an outsourcing partner or a service provider in the cloud, often become the
information security manager's nightmare. Data processing resources can be outsourced,
but liability of information security and privacy always remain with the informationowner. Axiomatics delivers solutions based on XACML 3.0, with flexible delegation of
administrative privileges ideally suited to meet the needs of modern federated
environments.
Cloud computing is a new term for an established phenomenon. Services hosted by
external partners have been used for quite some time. Yet, cloud computing does imply
an escalation in terms of service distribution via virtualization of data processing and
storage, and access management certainly has not become any less complex.
In these new environments, many organizations have tried to resolve their access
management issues by means of federation. However, federated identities only address
issues with regard to authentication. To handle access permissions within the service
provided, delegation ofauthorization management privileges must also be achieved.
Service providers typically do not want to manage their client users' authorizations and
moreover, even if they are willing, the service provider may not be trusted. At the same
time, confidentiality and integrity requirements would be severely violated if other
clients were able to impact the authorization policies controlling user access.
A hierarchy of authorization management can help resolve difficult management tasks
by delegating management authority to the proper information owner entity. Hence, withdelegation of administrative access control privileges, Axiomatics XACML 3.0 based
-
8/8/2019 What is Abac, Rbac, Etc
9/12
solutions offer robust authorization services well suited to meet the needs in operating
environments where multiple information owners share services for data processing and
storage, or possibly even for mutual data exchange.
Using solutions based on XACML 3.0 and Attribute-Based Access Control (ABAC), aservice provider can configure the overall and general authorization schemes and then
delegate administrative privileges to the respective data owners within the realm of their
respective data processing needs.
Cloud Computing Security
by Sanjeev Verma | Discuss this article
Before diving into the security aspects of cloud computing, let us first understand thebasic concept of cloud computing. In cloud computing, cloud stands for internet and
computing means using computer technology, hardware, and software, i.e. using or
sharing the computer technology, hardware and software over the internet. Different
cloud service models are as follows:
1. Cloud Software as a Service (SaaS): In this service model, theconsumer uses the providers applications on a cloud infrastructure.
The consumer does not manage or control the underlying cloudinfrastructure including network, servers, operating systems, storage,or even individual application capabilities. However, the consumermight have access to limited user-specific application configurationsettings.
2. Cloud Platform as a Service (PaaS): This service model allows theconsumer to deploy consumer-created or acquired applications ontothe cloud infrastructure, using programming languages and toolssupported by the provider. The consumer does not manage or controlthe underlying cloud infrastructure including network, servers,operating systems, or storage, but controls deployed applications andpossibly application-hosting environment configurations.
3. Cloud Infrastructure as a Service (IaaS): This service modelallows the consumer to provision processing, storage, networks, andother fundamental computing resources. The consumer is hence able
to deploy and run arbitrary software, which an include operatingsystems and applications. The consumer does not manage or control
http://palisade.plynt.com/authors/#sanjeev-vermahttp://palisade.plynt.com/discuss/407/http://palisade.plynt.com/authors/#sanjeev-vermahttp://palisade.plynt.com/discuss/407/ -
8/8/2019 What is Abac, Rbac, Etc
10/12
the underlying cloud infrastructure, but controls operating systems,storage and deployed applications.
Let us see an example of the PaaS cloud service model with the help of a diagram
(shown below). In this example, Demo Bank is a cloud user (consumer) and his vendor
(cloud service provider) is ABC. ABC is providing PaaS (Platform as a Service) toDemo Bank and Demo Bank has deployed his application (http://public.demobank.com)
on an ABC server called CCServer. Here, Demo Bank doesnt have to worry about the
infrastructure cost and maintenance, and has control over the deployed application and
possibly application-hosting environment configurations. Eventually, a Demo Bank
client accesses the http://public.demobank.comapplication as if the application is
hosted by Demo Bank itself.
Diagram: Example of PaaS - Demo Bank Using PaaS cloud service provided
by ABC
Now we know what cloud computing is, but why do we need cloud computing? Well,the answer is simple - it facilitates deployment of applications without the cost and
complexity of buying and managing the underlying hardware and software layers.
However, due to security issues, the benefits of cloud computing are not being reaped to
their fullest. Some of the important security issues are:
1. In cloud computing, a single server hosts multiple applications ofdifferent users. Now, if any of the applications hosted on the server isvulnerable, it might lead to compromise or unavailability of otherapplications as well.
2. Since a variety of applications are hosted on a single server, it is verylikely that a large number of ports are open on the server, thuswidening the network-level attack surface. If any of the services
http://public.demobank.com/http://public.demobank.com/http://public.demobank.com/http://public.demobank.com/http://public.demobank.com/ -
8/8/2019 What is Abac, Rbac, Etc
11/12
running on these ports are vulnerable, the server can becompromised.
3. Many cloud vendors use virtual machines to run different OSinstances on a single hardware platform for serving multiple users,which opens up a new attack vector. These virtual machines havemultiple flaws that can be exploited in order to compromise theserver.
4. If an application with critical data is hosted on cloud, all sensitive andcritical information remain with the cloud service provider and thereis always a threat of theft of company proprietary information by thecloud provider itself.
5. Due to lack of transparency, auditing is very difficult and at times notpossible in cloud computing. If something goes wrong with yourapplication or there is a possibility of unauthorized access, it would bevery difficult to conduct forensic investigations in cloud environment.
6. It is difficult to ensure the integrity of computational results of anapplication in a cloud environment.
7. It is difficult to enforce the enterprise authentication andauthorization framework in cloud.
Furthermore, the accumulative effects of the above-mentioned issues result in many
legal implications and noncompliance to the industry standards for cloud consumers.
Hence, as with any security area, organizations should adopt a risk-based approach of
moving to the cloud and selecting security options. Some of the important security
options are:
Identify the asset for the cloud deployment: Identify wherever itis possible to shift only part of the application functions to the cloud
rather than the complete application and data. Evaluate the criticalityof these assets and the corresponding impact on business in case ofunavailability of these assets due to whatsoever reason.
Take Back Authentication Control: Most of the time, theauthentication mechanism used for accessing (for management,administration, or usage) cloud application is too weak. This results ina breach, in which case, taking the authentication control back fromthe cloud service provider is a good option. Obviously, it reducessome of the benefits of the cloud, but it allows you to use strongauthentication mechanisms and implement the company standardpassword policy, etc.
Data storage and segregation: Typically the data in the cloud is in
a shared environment, which is why it is important to find out what isdone to segregate data at rest. The cloud provider should provideevidence that encryption schemes were designed and tested byexperienced specialists.
Transparency: Data owners wish to audit how their data is beinghandled at the cloud, and in particular, ensure that their data is notbeing abused or leaked, or at least have an unalterable audit trailwhen it does happen. Hence, ensure that the cloud vendor providesenough transparency.
Choose Appropriate Cloud Deployment Model: Regardless of theservice model utilized (SaaS, PaaS, or IaaS), there are four
deployment models for cloud services. The appropriate clouddeployment model is selected depending on the criticality of the
-
8/8/2019 What is Abac, Rbac, Etc
12/12
asset and specific requirements. Different cloud deployment modelsare:
1. Public Cloud: The cloud infrastructure is owned by anorganization selling cloud services and is made available to thegeneral public or a large industry group.
2. Private Cloud: The cloud infrastructure is operated solely fora single organization. It may be managed by the organizationor a third party, and may exist on premises or off premises.
3. Community Cloud: The cloud infrastructure is shared byseveral organizations having similar requirements. Since thecloud infrastructure is shared among fewer organizations, itprovides a higher level of security and privacy in comparisonwith public clouds. Community cloud may be managed by theorganizations or a third party, and may exist on premises or offpremises.
4. Hybrid Cloud: The cloud infrastructure is a composition of twoor more clouds (private, community, or public). The objective of
hybrid cloud is to provide the local data benefits of the privateclouds with the economies, scalability, and on-demand accessof the public cloud.