usage policies for end point access control

Upload: sheila-bentley

Post on 30-Dec-2015

Slide 1: Usage policies for end point access control

XACML is an OASIS standard for expressing enterprise security policies in a common XML-based policy language:

http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf (103 pages)

It provides a mechanism for the EKM to define USAGE rules at the point of key distribution.

Slide 2: Common terms

PAP – Policy Administration Point. This would be the EKM.

PDP - Policy Decision Point. An entity that evaluates an access request against one or more policies to produce an access decision. This is essentially a rules engine.

PEP – Policy Enforcement Point. An entity that enforces access control for one or more resources. When a resource access is attempted, a PEP sends an access request describing the attempted access to a PDP. The PDP returns an access decision that the PEP then enforces.

policy – A set of rules indicating which subjects are permitted to access which resources using which actions under which conditions. XACML has two different schema elements used for policies: <Policy> and <PolicySet>. A <Policy> contains actual access control rules.

Slide 3: Typical XACML components

[Figure: typical XACML components and data flow. Components: access requester, PEP, context handler, PDP, PAP, PIP, obligations service; attribute sources: subjects, resource, environment. Labelled flow: 1. policy; 2. access request; 3. request; 4. request notification; 5. attribute queries; 6. attribute query; 7a. subject attributes; 7b. environment attributes; 7c. resource attributes; 8. attribute; 9. resource content; 10. attributes; 11. response context; 12. response; 13. obligations.]

Slide 4: Factors in rules

Rules use the common notion of SUBJECT, RESOURCE and ACTION attributes.

We must be able to define factors applicable to end points.

Rules are combined by different combining algorithms, such as first-applicable [IMHO, sufficient] or deny-overrides.

When a rule fires, the PEP must execute the rule's “Obligations”. For our focus these may be things such as Encrypt or Audit.

If the PEP cannot execute an obligation, service is denied.

Slide 5: Basic role of a Policy Enforcement Point

An application functions in the role of the PEP if it guards access to a set of resources and asks the PDP for an authorization decision.

Recommend the “Deny-biased” PEP approach: if the decision is "Permit", then the PEP SHALL permit access. If obligations accompany the decision, then the PEP SHALL permit access only if it understands and it can and will discharge those obligations.

All other decisions SHALL result in the denial of access. Note: other actions, e.g. consultation of additional PDPs, reformulation/resubmission of the decision request, etc., are not prohibited.

Slide 6: More to come…

We need a subset that is easily implemented in C.
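As an added illustration, not code from these slides or from the EKM project, here is the kind of small C subset slide 6 asks for, covering the deny-biased PEP rule of slide 5 and the two combining algorithms named on slide 4. The obligation names ("Encrypt", "Audit") are the slide's examples; the function names and the decision enum are assumptions, and the deny-overrides combiner is simplified as noted in its comment.

```c
#include <stddef.h>
#include <string.h>

/* The four XACML decision values a PDP can return. */
typedef enum { PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE } decision_t;

/* Obligations this hypothetical PEP understands and can discharge;
 * "Encrypt" and "Audit" are the examples named on the slides. */
static const char *const known_obligations[] = { "Encrypt", "Audit" };

static int can_discharge(const char *obligation) {
    size_t n = sizeof known_obligations / sizeof known_obligations[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(obligation, known_obligations[i]) == 0)
            return 1;
    return 0;
}

/* Deny-biased PEP: grant (1) only when the decision is Permit and every
 * attached obligation can be discharged; every other case is deny (0). */
int pep_enforce(decision_t d, const char *const *obligations, size_t n) {
    if (d != PERMIT)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!can_discharge(obligations[i]))
            return 0;    /* unknown obligation: cannot honour it, so deny */
    return 1;
}

/* first-applicable: the first rule that yields Permit or Deny decides;
 * an Indeterminate rule reached first makes the whole result Indeterminate. */
decision_t combine_first_applicable(const decision_t *r, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (r[i] != NOT_APPLICABLE)
            return r[i];
    return NOT_APPLICABLE;
}

/* deny-overrides, simplified: any Deny wins, and an Indeterminate rule is
 * treated as Deny (the spec only does this for rules whose effect is Deny). */
decision_t combine_deny_overrides(const decision_t *r, size_t n) {
    int saw_permit = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i] == DENY || r[i] == INDETERMINATE)
            return DENY;
        if (r[i] == PERMIT)
            saw_permit = 1;
    }
    return saw_permit ? PERMIT : NOT_APPLICABLE;
}
```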