Attribute-based access control
Maarten Decat, iMinds-DistriNet
maarten.decat@kuleuven.be, @maartendecat
Access control models
How to express who can do what

Figure: an overview of access control models: access control lists, access control matrix, mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), information flow control (the Biba model, the Bell-LaPadula model), attribute-based access control, relationship-based access control, entity-based access control.
Role-based access control

Figure: users are assigned to roles (Manager, Helpdesk operator), and each role is granted permissions (read, write) on assets. Users obtain their permissions only through the roles they hold.
The problem with role-based access control: role explosion

Figure (one diagram built up over several slides): the role set starts with five base roles (Manager, Helpdesk operator, Developer, Secretary, Accountant). Every distinction the policy has to make then becomes a role of its own:
● per department: Manager of R&D dept, Manager of finance dept, Manager of sales dept
● per privilege: Secretary with color print, Secretary without color print
● per resource: owns_docA, owns_docB, owns_docC, owns_docD, owns_docE, owns_docF, owns_docG, owns_doc...
● per assignment: Helpdesk operator assigned to Customer A, Customer B, Customer C, Customer D
● and finally every combination of the above: Secretary of finance dept with color print owns docE, Secretary of sales dept without color print owns docD, Secretary of finance dept without color print owns docA, ...
Each of these roles still only carries a flat set of read/write permissions on assets (the last slide shows Manager with read and write on three assets), so the number of roles grows with the product of all the distinctions the policy needs.
Attribute-based access control

Figure: the rule "Managers of the auditing department in Brussels can inspect the financial reports from the current financial year within office hours" expressed over four groups of attributes:
● Subject: Identity, Location, Department
● Resource: Type, Date, Conf. label, Amount
● Action: Action Type
● Environment: Device Type, Timestamp, System state
Attribute-based access control

The rule "Managers of the auditing department in Brussels can inspect the financial reports from the current financial year within office hours" shows what ABAC adds:
1. fine-grained access control (department, location, report type and financial year are all part of the rule)
2. context-aware access control (office hours, i.e. the time at which the request is made)
3. dynamic access control (the decision follows the attribute values at request time; nothing has to be re-provisioned when they change)
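The rule above, as an added example that is not code from the slides: a minimal attribute-based policy decision point (PDP) with one rule, a default-deny combining step, and fail-closed handling of attributes the request does not carry. The attribute names (subject.role, resource.type, environment.timestamp, ...), the definition of "office hours" and the sample requests are assumptions made for this example.

```python
"""Added example, not code from the slides: a minimal ABAC policy decision
point for the rule

  Managers of the auditing department in Brussels can inspect the financial
  reports from the current financial year within office hours.

Attribute names, the office-hours definition and the sample requests are
assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Callable, Dict, List


@dataclass
class Request:
    """One attribute bag per ABAC category: subject, resource, action, environment."""
    subject: Dict[str, Any]
    resource: Dict[str, Any]
    action: Dict[str, Any]
    environment: Dict[str, Any]


class MissingAttribute(Exception):
    """A rule needed an attribute that the request does not carry."""


def attr(bag: Dict[str, Any], name: str) -> Any:
    # An absent attribute is an error, never a silent False or None.
    if name not in bag:
        raise MissingAttribute(name)
    return bag[name]


def within_office_hours(ts: datetime) -> bool:
    # Assumption for this example: Monday to Friday, 09:00 up to 18:00.
    return ts.weekday() < 5 and 9 <= ts.hour < 18


def auditing_managers_inspect_reports(r: Request) -> bool:
    """The whole slide rule as one predicate over the four attribute bags."""
    now = attr(r.environment, "timestamp")
    return (
        attr(r.subject, "role") == "manager"
        and attr(r.subject, "department") == "auditing"
        and attr(r.subject, "location") == "Brussels"
        and attr(r.action, "type") == "inspect"
        and attr(r.resource, "type") == "financial_report"
        and attr(r.resource, "financial_year") == now.year   # "current financial year"
        and within_office_hours(now)
    )


Rule = Callable[[Request], bool]
PERMIT, DENY = "Permit", "Deny"


def decide(request: Request, rules: List[Rule]) -> str:
    """Permit if any rule matches, otherwise Deny; a missing attribute also denies."""
    for rule in rules:
        try:
            if rule(request):
                return PERMIT
        except MissingAttribute:
            return DENY      # fail closed instead of guessing the value
    return DENY


POLICY: List[Rule] = [auditing_managers_inspect_reports]


def make_request(**overrides: Any) -> Request:
    """Constructed sample request; keyword arguments override single attributes."""
    a = dict(role="manager", department="auditing", location="Brussels",
             rtype="financial_report", financial_year=2015, action="inspect",
             timestamp=datetime(2015, 3, 10, 14, 30))   # a Tuesday afternoon
    a.update(overrides)
    return Request(
        subject={"role": a["role"], "department": a["department"], "location": a["location"]},
        resource={"type": a["rtype"], "financial_year": a["financial_year"]},
        action={"type": a["action"]},
        environment={"timestamp": a["timestamp"]},
    )


def demo() -> Dict[str, str]:
    """Decisions for a few constructed requests, keyed by what varies."""
    no_location = make_request()
    del no_location.subject["location"]           # the attribute store did not return it
    return {
        "baseline":         decide(make_request(), POLICY),
        "sales department": decide(make_request(department="sales"), POLICY),
        "previous year":    decide(make_request(financial_year=2014), POLICY),
        "evening":          decide(make_request(timestamp=datetime(2015, 3, 10, 22, 0)), POLICY),
        "weekend":          decide(make_request(timestamp=datetime(2015, 3, 14, 10, 0)), POLICY),
        "missing location": decide(no_location, POLICY),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:<18} {outcome}")
```

The three points of the slide map onto the code directly: the predicate compares subject, resource and action attributes (fine-grained), reads the timestamp from the environment bag (context-aware), and moving the manager to the sales department flips the decision on the very next request without anyone touching a role assignment (dynamic). The one choice a practitioner should not skip is what happens when an attribute is missing: the PDP here denies rather than letting a missing value compare as unequal, which would otherwise make a broken attribute feed look like a legitimate deny in the audit trail.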
ABAC in an enterprise

Figure: a governance layer (CISO, business policy, systematic access reviews) above an operational layer (employees, access requests, application policy).
Attributes for access management

Figure (with roles): a guard mediates the actions of users on assets. The security manager manages the security info, the HR administrator manages the employee info, and in between sit the roles and entitlements, which have to be managed as well.

Attributes as access management

Figure (with attributes): the guard evaluates security rules against attributes. The security manager writes the security rules; the HR administrator manages the employee info, which now simply is the attribute data. User management and security become separate concerns.
Attributes as an enabler for the future

1. Attributes can be fetched remotely = good for federated applications
2. You do not need the identity of the subject = good for privacy
3. As a researcher, it looks future-proof
   a. ABAC supports many advanced policies, e.g., history-based policies, dynamic separation of duty and breaking-the-glass procedures, ...
   b. Many of the newest access control models can be mapped on attributes, e.g., ReBAC [Fong2011], EBAC [Bogaerts2015], obligations [Park2004], ...
   c. A lot is still happening in this field, e.g., formal definition of this model and its properties (e.g., [Jin2012a]), languages for expressing attribute-based rules (e.g., [XACML, Crampton2012]), mutable attributes (e.g., [Park2004]), attribute aggregation in federated identity management (e.g., [Chadwick2009]), encryption of attributes (e.g., [Asghar2011]), policy engineering for ABAC (e.g., [Krau2013]), performance (e.g., [Brucker2010]), ...
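Two of the advanced policies named under 3a, written out as an added example that is not code from the slides: a history-based dynamic separation of duty (the accountant who recorded an invoice may not also approve it, with the history kept as an attribute of the invoice) and a break-the-glass rule whose permit carries obligations, in the sense of 3b, that the enforcement point has to discharge. The attribute names, the invoice workflow, the care-team attribute and the emergency flag are assumptions made for this example.

```python
"""Added example, not code from the slides: history-based dynamic separation
of duty and a break-the-glass rule with obligations, as attribute-based rules.
All attribute names and the two workflows are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List

Attrs = Dict[str, Any]


@dataclass
class Decision:
    permit: bool
    obligations: List[str] = field(default_factory=list)


def record_invoice(subject: Attrs, invoice: Attrs) -> Decision:
    return Decision("accountant" in subject["roles"])


def approve_invoice(subject: Attrs, invoice: Attrs) -> Decision:
    if "accountant" not in subject["roles"]:
        return Decision(False)
    recorded_by = invoice.get("recorded_by")
    if recorded_by is None:
        return Decision(False)           # nothing to approve yet
    # Dynamic SoD: the resource's history decides, not a static role conflict.
    return Decision(recorded_by != subject["id"])


def read_patient_record(subject: Attrs, record: Attrs, env: Attrs) -> Decision:
    if "nurse" not in subject["roles"]:
        return Decision(False)
    if subject["id"] in record["care_team"]:
        return Decision(True)            # the normal rule
    if env.get("emergency_declared", False):
        # Break-the-glass: permit, but only together with these obligations.
        return Decision(True, obligations=[
            f"audit: {subject['id']} opened record {record['id']} under emergency",
            f"notify: privacy officer about record {record['id']}",
        ])
    return Decision(False)


def enforce(decision: Decision, audit_log: List[str]) -> bool:
    """Policy enforcement point: a permit is effective only once its obligations are met."""
    if not decision.permit:
        return False
    audit_log.extend(decision.obligations)   # here, meeting them = writing the entries
    return True


def demo() -> Dict[str, Any]:
    """Constructed subjects, resources and requests; returns the enforced outcomes."""
    alice = {"id": "alice", "roles": {"accountant"}}
    bob = {"id": "bob", "roles": {"accountant"}}
    invoice: Attrs = {"id": "inv-17"}
    carol = {"id": "carol", "roles": {"nurse"}}
    record = {"id": "pat-42", "care_team": {"dave"}}
    log: List[str] = []
    out: Dict[str, Any] = {}
    out["alice records"] = enforce(record_invoice(alice, invoice), log)
    if out["alice records"]:
        invoice["recorded_by"] = alice["id"]     # the completed action becomes history
    out["alice approves own"] = enforce(approve_invoice(alice, invoice), log)
    out["bob approves"] = enforce(approve_invoice(bob, invoice), log)
    out["nurse normal"] = enforce(read_patient_record(carol, record, {}), log)
    out["nurse emergency"] = enforce(
        read_patient_record(carol, record, {"emergency_declared": True}), log)
    out["audit entries"] = len(log)
    return out


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:<20} {outcome}")
```

Neither rule needs an extra role: the separation of duty comes from a resource attribute that the first action wrote, and the emergency override is an environment attribute. What makes the break-the-glass rule safe to offer is the obligation list: the PEP treats a permit whose obligations it cannot fulfil (say, the audit log is unavailable) as a deny.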
Migrating from RBAC to ABAC

Conceptually, three approaches [Kuhn2010]:
1. Roles as an attribute: the existing roles (Manager, Helpdesk operator, Accountant, Secretary, owns_doc..., ...) are kept, but exposed to the rules as one more subject attribute (subject.roles) next to Identity, Location and Department.
2. Dynamic roles: roles are no longer assigned statically; which roles a subject holds (Manager, Helpdesk operator, Accountant, Secretary, owns_doc...) is derived from its attributes (Identity, Location, Department) at request time.
3. Constrain roles: RBAC keeps the permission assignment (Manager: A.read, B.read, B.write, ...) and attributes only restrict when a role may exercise those permissions.
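The three approaches applied to the deck's own roles, as an added example that is not code from the slides or from [Kuhn2010]. The attribute names, the permission strings and the sample subjects are assumptions made for this example.

```python
"""Added example, not code from the slides or from [Kuhn2010]: the three ways
of combining roles and attributes.  Attribute names, permission strings and
sample subjects are assumptions for this example.
"""
from typing import Any, Callable, Dict, Set

Attrs = Dict[str, Any]


# 1. Roles as an attribute: role membership is administered as before, but a
#    rule reads it as subject["roles"] next to the other attributes.  One
#    "helpdesk_operator" role plus an assigned-customers attribute replaces the
#    "Helpdesk operator assigned to Customer A/B/C/D" roles from the figure.
def helpdesk_can_read_ticket(subject: Attrs, ticket: Attrs) -> bool:
    return ("helpdesk_operator" in subject["roles"]
            and ticket["customer"] in subject["assigned_customers"])


# 2. Dynamic roles: nothing is stored; the roles a subject holds are derived
#    from its attributes at request time, so "Manager of finance dept" and
#    "Secretary with color print" never have to be provisioned.
def dynamic_roles(subject: Attrs) -> Set[str]:
    roles: Set[str] = set()
    title = subject.get("job_title")
    if title == "manager":
        roles |= {"manager", f"manager_of_{subject['department']}"}
    elif title == "secretary":
        roles.add("secretary")
        if subject.get("color_print_quota", 0) > 0:
            roles.add("secretary_with_color_print")
    return roles


# 3. Constrain roles: RBAC keeps the permission assignment (A.read, B.read,
#    B.write, ...); attributes only narrow when a role may exercise it.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "manager":   {"A.read", "B.read", "B.write"},
    "secretary": {"A.read", "B.read"},
}
Constraint = Callable[[Attrs, Attrs], bool]
ROLE_CONSTRAINTS: Dict[str, Constraint] = {
    "manager":   lambda s, doc: s["department"] == doc["department"],  # own department only
    "secretary": lambda s, doc: doc["owner"] == s["id"],               # own documents only
}


def constrained_rbac(subject: Attrs, doc: Attrs, action: str) -> bool:
    permission = f"{doc['name']}.{action}"
    for role in subject["roles"]:
        if permission not in ROLE_PERMISSIONS.get(role, set()):
            continue
        if ROLE_CONSTRAINTS.get(role, lambda s, d: True)(subject, doc):
            return True
    return False


def demo() -> Dict[str, Any]:
    """Constructed subjects and resources; returns the outcome of each approach."""
    operator = {"id": "op1", "roles": {"helpdesk_operator"}, "assigned_customers": {"A", "C"}}
    ticket_a, ticket_b = {"customer": "A"}, {"customer": "B"}
    finance_manager = {"id": "m1", "job_title": "manager", "department": "finance"}
    secretary = {"id": "s1", "job_title": "secretary", "color_print_quota": 50}
    mgr_subject = {"id": "m1", "roles": {"manager"}, "department": "finance"}
    sec_subject = {"id": "s1", "roles": {"secretary"}}
    doc_b = {"name": "B", "department": "finance", "owner": "s1"}
    doc_a = {"name": "A", "department": "sales", "owner": "s2"}
    return {
        "operator reads A":        helpdesk_can_read_ticket(operator, ticket_a),
        "operator reads B":        helpdesk_can_read_ticket(operator, ticket_b),
        "finance manager roles":   dynamic_roles(finance_manager),
        "secretary roles":         dynamic_roles(secretary),
        "manager writes B":        constrained_rbac(mgr_subject, doc_b, "write"),
        "manager reads A (sales)": constrained_rbac(mgr_subject, doc_a, "read"),
        "secretary reads own B":   constrained_rbac(sec_subject, doc_b, "read"),
        "secretary writes own B":  constrained_rbac(sec_subject, doc_b, "write"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:<24} {outcome}")
```

Approach 3 is the one most enterprises can start with, because the existing role/permission tables and their review processes stay intact; only the constraint functions are new. Approach 2 removes the role explosion entirely but moves the trust into the attribute sources, which then need the same quality assurance the role assignments had.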
Not all rainbows and unicorns

"Enterprise ABAC carries with it significant development, implementation, and operations costs as well as a paradigm shift in the way enterprise objects are shared and protected." -- NIST [NIST2014]

Migrating from RBAC to ABAC, revised

Figure (source: [NIST2014]): the ABAC deployment life cycle runs through the phases Initiation, Implementation, Maintenance and Disposal, with "ensure quality" spanning all of them. The steps, in order:
1. Establish a business case for ABAC
2. Understand your operational requirements
3. Technical implementation
4. Deploy or adjust business processes
Work incrementally; you probably already have many of the required processes.
Conclusion

ABAC brings many interesting improvements compared to previous models:
● Support for more fine-grained access rules
● Separation of concerns between user management and security
● Enables many advanced features
As a result, ABAC is seen by many as the next step in access control.
However, introducing ABAC in an enterprise is not an easy step to take.
● Plan ahead, get everyone involved, start small and work incrementally
Further reading

[NIST2014] NIST, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, NIST Special Publication 800-162, 2014
http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
References

[Asghar2011] Asghar, Muhammad Rizwan, et al. "ESPOON: Enforcing encrypted security policies in outsourced environments." 2011
[Bogaerts2015] Bogaerts, Jasper, et al. "Entity-Based Access Control: supporting more expressive access control policies." 2015
[Brucker2010] Brucker, Achim D., and Helmut Petritsch. "Idea: efficient evaluation of access control constraints." 2010
[Chadwick2009] Chadwick, David W., and George Inman. "Attribute aggregation in federated identity management." 2009
[Crampton2012] Crampton, Jason, and Charles Morisset. "PTaCL: A language for attribute-based access control in open systems." 2012
[Fong2011] Fong, Philip W. L. "Relationship-based access control: protection model and policy language." ACM, 2011
[Jin2012a] Jin, Xin, Ram Krishnan, and Ravi S. Sandhu. "A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC." 2012
[Jin2012b] Jin, Xin, Ravi Sandhu, and Ram Krishnan. "RABAC: role-centric attribute-based access control." 2012
[Krau2013] Krautsevich, Leanid, et al. "Towards policy engineering for attribute-based access control." 2013
[Kuhn2010] Kuhn, D. Richard, Edward J. Coyne, and Timothy R. Weil. "Adding attributes to role-based access control." 2010
[Park2004] Park, Jaehong, and Ravi Sandhu. "The UCON_ABC usage control model." 2004
[XACML] eXtensible Access Control Markup Language (XACML) Version 3.0. OASIS Standard, 2013
Attribute-based access control

Any further questions?
Contact us at maarten.decat@kuleuven.be or @maartendecat
Interested in our events? Subscribe here: http://bit.ly/DistrinetAccessControl
