Attribute-Based Access Control

For a complete listing of titles in the Artech House Information Security and Privacy Series, turn to the back of this book.

Vincent C. Hu

David F. Ferraiolo

Ramaswamy Chandramouli

D. Richard Kuhn

Library of Congress Cataloging-in-Publication Data

A catalog record for this book is available from the U.S. Library of Congress.

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library.

Cover design by John Gomes

ISBN 13: 978-1-63081-134-1

© 2018 ARTECH HOUSE

685 Canton Street

Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

10 9 8 7 6 5 4 3 2 1

Contents

Preface

Attribute-based access control (ABAC) is the latest development in an evolution of access control models going back more than 40 years. As with other models, it solves problems encountered in the practical application of access control solutions in a changing information technology environment. Early computing systems used simple access control lists (ACLs) of user IDs attached to each resource. As the number of resources and users multiplied into the tens or hundreds of thousands, setting up and managing ACLs became cumbersome and time-consuming. Role-based access control (RBAC) solved many of these problems by collecting permissions into roles that usually corresponded to user positions in an organization, and permitting access only through roles. This eliminated the need to tie individual user permissions to every resource, dramatically reducing the complexity of security administration. But RBAC's ease of management comes at a tradeoff with the cost of initial setup, which many organizations found to be challenging and time-consuming. RBAC also assumes that security is managed by a single organization or cooperating group of organizations, which is not always the case with today's vast Web-based applications.

An alternative is to grant or deny user requests based on attributes of the user and the object, and environment conditions that may be globally recognized and relevant to the policies at hand. For example, access to company facilities may be granted only if a subject has a company badge and the current time is within working hours. This approach is the essence of ABAC, where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.

The access control policies that can be implemented in ABAC are limited only by the expressiveness of the representational language and the integrity of the available attributes. This flexibility enables the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object. For example, a subject is assigned a set of subject attributes upon employment (e.g., Bob Smith is over 25 years of age, is licensed as a truck driver and a mechanic, and is assigned to the shipping department). An object is assigned its object attributes upon creation (e.g., a store of parts belonging to the shipping department). Objects may receive their attributes either directly from the creator or as a result of automated scanning tools. Security administrators create access control rules using attributes of subjects and objects to govern the set of allowable capabilities (e.g., only mechanics are permitted to requisition parts from company storage), making ABAC easy to set up. Access decisions can change between requests by simply changing attribute values, without the need to change the subject/object relationships defining underlying rule sets. This provides a more dynamic access control management capability and limits long-term maintenance requirements of object protections. Further, ABAC enables object owners or administrators to apply access control policies without prior knowledge of the specific subject and for an unlimited number of subjects that might require access. A new subject assigned the attribute value mechanic automatically gets the permission to request parts from company storage. This benefit is often referred to as accommodating the external (unanticipated) user, and is one of the primary benefits of employing ABAC.
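The preface's two examples (mechanics requisitioning parts, badge holders entering facilities during working hours) as a minimal deny-by-default policy evaluator over subject, object and environment attributes. This is an added illustration, not code from the book or from NIST; the 09:00 to 17:00 working hours, the attribute names and the sample subjects are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]  # attribute name -> value, for a subject, object or environment


@dataclass(frozen=True)
class Rule:
    """A policy rule: grants `action` when `condition` holds over the attributes."""
    name: str
    action: str
    condition: Callable[[Attrs, Attrs, Attrs], bool]  # (subject, object, environment)


# Constructed assumption: the preface only says "within working hours".
WORK_START, WORK_END = time(9, 0), time(17, 0)

RULES: List[Rule] = [
    # "only mechanics are permitted to requisition parts from company storage"
    Rule("mechanics-requisition-parts", "requisition",
         lambda s, o, e: o.get("type") == "parts_store"
         and "mechanic" in s.get("licenses", ())),
    # "company badge and the current time is within working hours"
    Rule("badge-holders-enter-in-hours", "enter",
         lambda s, o, e: o.get("type") == "facility"
         and s.get("company_badge", False)
         and WORK_START <= e["time"] < WORK_END),
]


def env_at(hour: int, minute: int = 0) -> Attrs:
    """Environment attributes for a request made at the given wall-clock time."""
    return {"time": time(hour, minute)}


def decide(rules: List[Rule], subject: Attrs, obj: Attrs, env: Attrs, action: str) -> str:
    """Permit when any rule for `action` is satisfied by the attributes; Deny otherwise."""
    for rule in rules:
        if rule.action == action and rule.condition(subject, obj, env):
            return "Permit"
    return "Deny"


# Constructed sample attributes following the preface's Bob Smith example.
BOB = {"name": "Bob Smith", "age": 30, "licenses": {"truck_driver", "mechanic"},
       "department": "shipping", "company_badge": True}
ALICE = {"name": "Alice", "age": 41, "licenses": {"truck_driver"},
         "department": "shipping", "company_badge": True}
PARTS_STORE = {"type": "parts_store", "owner_department": "shipping"}
FACILITY = {"type": "facility"}
```

Note that a subject never seen before (a dictionary containing only `"licenses": {"mechanic"}`) is permitted to requisition parts without any rule change, which is the "unanticipated user" benefit the preface describes.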

In recent years, attribute-based access control (ABAC) has evolved as the preferred logical access control methodology for many information systems. Vendors have begun implementing ABAC in a variety of products, and organizations are employing ABAC features to simplify operations. ABAC is also capable of enforcing both discretionary access control (DAC) and mandatory access control (MAC) based protections, and can coexist with RBAC. ABAC enables precise access control, which allows for a higher number of discrete inputs into an access control decision, providing a bigger set of possible combinations of those variables in order to reflect a larger and more definitive set of possible rules to express policies that satisfy the access control requirements of organizations. However, when deployed across an enterprise, ABAC implementations can become complex, supported by the existence of an attribute management infrastructure, machine-enforceable policies, and an array of functions that support access decisions and policy enforcement.

Until now, research on ABAC models and applications has been dispersed throughout hundreds of research papers and not consolidated in book form. This book also contains (in addition to its new content) material derived from existing documents written by the authors, such as NIST SP 800-162 and NIST 800-178, that explain ABAC's history and model, related standards, verification and assurance, applications, and deployment challenges (Part 5). Specialized topics include formal ABAC history, ABAC's relationship with other access control models, ABAC model validation through analysis, verification and testing, deployment frameworks such as XACML and Next Generation Access Model (NGAC), attribute considerations in implementation, ABAC applications in Web services/workflow domains, and ABAC architectures and feature sets in commercial and open source products. The combination of technical and administrative information for models, standards, and products in the book is thus intended to benefit researchers as well as implementers of ABAC systems. Certain software products are identified in this book, but such identification does not imply recommendation by the U.S. National Institute for Standards and Technology, nor does it imply that the products identified are necessarily the best available for the intended purpose.

Acknowledgments

We offer special thanks to Arthur Friedman of the National Security Agency. Much of the authors' involvement in ABAC can be traced to Arthur's early vision, persistence, and support. We would also like to thank Isabel Van Wyk for her extensive editing of the various drafts of this book and Gerry Gebel of Axiomatics for his careful review and comments that have improved the presentation, especially regarding emerging technologies. Tim Weil and Ed Coyne were key thinkers in the ANSI/INCITS project to add attributes to role-based access control. We also thank Wayne Jansen for his many contributions pertaining to modern-day ABAC concepts. Serban Gavrila, Gopi Katwala, and Joshua Roberts demonstrated the viability of NGAC standard implementations. Richard Fernandez developed an early implementation of an RBAC/ABAC hybrid model. Bill Fisher contributed feedback and advice on ABAC in commercial products. Adam Schnitzer, Kenneth Sandlin, Alan J. Lang, Paul Jacob, and Dylan Yaga contributed to the NIST ABAC definitions, models, and considerations document. Kim Schaffer and Raghu Kacker reviewed original drafts. Anne Anderson and the XACML community developed early standards that are applied to ABAC.
