Attribute-Based Access Control (Artech House Information Security and Privacy)
✍ Scribed by Vincent C Hu
- Publisher: Artech House
- Tongue: English
- Leaves: 285
- Category: Library
✦ Synopsis
This comprehensive new resource provides an introduction to fundamental Attribute Based Access Control (ABAC) models. It provides valuable information for developing ABAC to improve information sharing within organizations while taking into consideration the planning, design, implementation, and operation.
✦ Table of Contents
Attribute-Based Access Control
Contents
Preface
Acknowledgements
Intended Audience
1 Introduction
1.1 Overview
1.2 Evolution and Brief History of Access Control
1.2.1 Academic Contributions
1.2.2 Military Concerns
1.2.3 Bell and LaPadula Security Model
1.2.5 Discontent
1.2.6 Role-based Access Control
1.2.7 Emergence of ABAC
References
2 Access Control Models and Approaches
2.1 Introduction
2.2 Terminology
2.3 Access Control Models and Policies
2.4 Policy Enforcement
2.5 Discretionary Access Control
2.6 Mandatory Access Control Models
2.6.1 Multilevel Security
2.6.2 Chinese Wall Policy and Model
2.6.3 Role-Based Access Control
References
3 Attribute Based Access Control
3.1 Introduction
3.2 ABAC Architectures and Functional Components
3.3 Logical-Formula and Enumerated ABAC Policy Models
3.4 ABAC Model—Applications Primitives
3.5 Hierarchical Group and Attribute-Based Access Control
3.6 Label-Based ABAC Model with Enumerated Authorization Policy
3.7 Hybrid Designs Combining Attributes with Roles
3.8 ABAC and RBAC Hybrid Models
3.9 Complexities of RBAC Role Structures
3.10 Complexities of ABAC Rule Sets
3.11 Dynamic Roles
3.12 Role Centric Structure
3.13 Attribute Centric Structure
3.14 Conclusion
References
4 ABAC Deployment Using XACML
4.1 Introduction
4.2 Business and Technical Drivers for XACML
4.3 XACML Standard—Components and Their Interactions
4.3.1 XACML Policy Language Model
4.3.2 XACML Context (Request and Response)
4.3.3 XACML Framework (Data Flow Model)
4.4 ABAC Deployment Using XACML
4.4.1 Access Policy Formulation and Encoding
4.4.2 Request/Response Formulation
4.4.3 Policy Evaluation and Access Decision
4.5 Implementation of XACML Framework
4.5.1 Attribute Support and Management
4.5.2 Delegation
4.6 Review and Analysis
References
Appendix A
5 Next Generation Access Control
5.1 Introduction
5.2 Policy and Attribute Elements
5.3 Relations
5.3.1 Assignments and Associations
5.3.2 Prohibitions Denials
5.3.3 Obligations
5.4 NGAC Decision Function
5.5 Delegation of Access Rights
5.6 NGAC Administrative Commands and Routines
5.7 Arbitrary Data Service Operations
5.8 NGAC Functional Architecture
5.8.1 Resource Access
5.8.2 Administrative Access
5.9 Conclusion
References
6 ABAC Policy Verifications and Testing
6.1 Introduction
6.2 ABAC Policy Classes
6.2.1 Static Policy Class
6.2.2 Dynamic Policy Class
6.2.3 Historical Policy Class
6.3 Access Control Safety and Faults
6.4 Verification Approaches
6.4.1 Model Verification
6.4.2 Coverage and Confinements Semantic Faults
6.4.3 Property Confinement Checking
6.4.4 Implementation Test
6.5 Implementation Considerations*
6.6 Verification Tools
6.6.1 Multiterminal Binary Decision Diagrams
6.6.2 ACPT
6.6.3 Formal Methods
6.7 Conclusion
References
7 Attribute Consideration
7.1 Introduction
7.2 ABAC Attributes
7.3 Consideration Elements
7.4 Preparation Consideration
7.4.1 Subject Attribute Preparation
7.4.2 Object Attribute Preparation
7.4.3 Environment Condition Preparation
7.4.4 Metadata
7.5 Veracity Consideration
7.5.1 Attribute Trustworthiness
7.5.2 Attribute Value Accuracy
7.6 Security Consideration
7.6.1 Attribute-at-Rest
7.6.2 Attribute-in-Transit
7.7 Readiness Consideration
7.7.1 Refresh
7.7.2 Synchronization
7.7.3 Cache
7.7.4 Backup
7.7.5 Log
7.8 An Example of a General Attribute Framework
7.9 Attribute Evaluation Scheme
7.9.1 AES Examples
7.9.2 Attribute Practice Statement
7.10 Conclusion
References
8 Deployments in Application Architectures
8.1 Introduction
8.2 ABAC for Distributed Systems
8.2.1 Access Control Challenges of Distributed Systems
8.2.2 BigData Access Control as a Distributed System Access Control Example
8.2.3 Implementation Considerations
8.2.4 Analysis and Conclusions
8.3 ABAC for Web Services
8.3.1 Web Services—A Brief Background
8.3.2 ABAC Suitability for Web Service Environments
8.3.3 ABAC for Web Service Environments Without Workflows
8.3.4 ABAC for Web Service Environments with Workflows
8.3.5 Combined Challenges in Using ABAC for Web Service Environments (With and Without Workflows)
8.3.6 Web Services Environment—Summary of Requirements
8.4 ABAC for Stand-Alone Workflow Processes
8.4.1 Challenges and Requirements for ABAC Configuration for Stand-Alone Workflow Processes
8.4.2 ABAC Deployment for Stand-Alone Workflow Processes: Integrated Approach
8.4.3 ABAC Deployment for Stand-Alone Workflow Processes: Loosely Coupled Approach
8.4.4 Analysis and Conclusions
References
9 ABAC Life-Cycle Issues: Considerations
9.1 Introduction
9.2 Enterprise ABAC Concepts
9.2.1 Enterprise ABAC Policy
9.2.2 Attribute Management in Enterprise ABAC
9.2.3 Access Control Mechanism Distribution in Enterprise ABAC
9.3 ABAC Enterprise Considerations
9.3.1 Initiation Phase Considerations
9.3.2 Acquisition/Development Phase Considerations
9.3.3 Implementation/Assessment Phase Considerations
9.3.4 Operations/Maintenance Phase Considerations
9.4 Conclusion
References
10 ABAC in Commercial Products
10.1 Introduction
10.2 Axiomatics Data Access Filter
10.2.1 Product Architecture and Modules
10.2.2 Canonical Features in Product Modules
10.3 Jericho Systems EnterSpace 9
10.3.1 Product Architecture and Modules
10.3.2 Canonical Features in Product Modules
10.4 NextLabs ABAC Solution
10.4.1 Functional Architecture and Components
10.4.2 Canonical Features in Product Modules
References
11 Open Source ABAC Implementations: Architecture and Features
11.1 Introduction
11.2 NGAC PM: Functional Architecture
11.3 NGAC PM: ABAC Model Definition Capabilities
11.4 NGAC PM: Access Decision Process
11.5 NGAC PM: Design and Application Integration
11.6 Summary and Analysis
References
About the Authors
Index
📜 SIMILAR VOLUMES
"Fuzzing for Software Security Testing and Quality Assurance" gives software developers a powerful new tool to build secure, high-quality software, and takes a weapon from the malicious hackers' arsenal. This practical resource helps developers think like a software cracker, so they can find and pat
newest iso 27002. 2022 3rd edition