by VC Hu · 2014 · Cited by 855

NIST Special Publication 800-162

Guide to Attribute Based Access Control (ABAC) Definition and Considerations

Vincent C. Hu
David Ferraiolo
Rick Kuhn
Computer Security Division
Information Technology Laboratory

Adam Schnitzer
Booz Allen Hamilton

Kenneth Sandlin
Robert Miller
The MITRE Corporation

Karen Scarfone
Scarfone Cybersecurity
Clifton, VA

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-162

January 2014
INCLUDES UPDATES AS OF 08-02-2019; SEE PAGE IX

COMPUTER SECURITY

U.S. Department of Commerce
Penny Pritzker, Secretary

National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director

Authority

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate Federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-162
Natl. Inst. Stand. Technol. Spec. Publ. 800-162, 47 pages (January 2014)
CODEN: NSPUE2

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930
Email: sp800-162-comments@nist.gov

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by Federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, Federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.

NIST SP 800-162 GUIDE TO ABAC DEFINITION AND CONSIDERATIONS
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-162

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in Federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

This document provides Federal agencies with a definition of attribute based access control (ABAC). ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. This document also provides considerations for using ABAC to improve information sharing within organizations and between organizations while maintaining control of that information.

Keywords

access control; access control mechanism; access control model; access control policy; attribute based access control (ABAC); authorization; privilege.

Acknowledgements

The authors, Vincent C. Hu, David Ferraiolo, and Rick Kuhn of the National Institute of Standards and Technology (NIST); Adam Schnitzer of Booz Allen Hamilton; Kenneth Sandlin and Robert Miller of The MITRE Corporation; and Karen Scarfone of Scarfone Cybersecurity, wish to thank their colleagues who reviewed drafts of this document, including the following: Arthur R. Friedman, Alan J. Lang, Margaret M. Cogdell, and Kevin Miller from the National Security Agency (NSA), Jeffery L. Coleman (SOTERA Defense Solutions), Anne P. Townsend (The MITRE Corporation), Jennifer Newcomb (Booz Allen Hamilton), Tim Weil (Coalfire), Ed Coyne (DRC), John W. Tolbert (Boeing), Jeremy Wyant (General Dynamics), Ian Glazer (Gartner), Scott C. Fitch (Lockheed Martin), Tim Schmoyer (Jericho Systems), Luigi Logrippo (Université du Québec en Outaouais), Dave Coxe (Criterion Systems), Don Graham (Radiant Logic), and Ronald Ross and Ramaswamy Chandramouli (NIST). Additionally, the NIST Computer Security Division would like to thank Mr. Friedman for initiating this effort and having the foresight to anticipate the growing importance of Attribute Based Access Control in government and industry. The authors also gratefully acknowledge and appreciate the comments and contributions made by government agencies, private organizations, and individuals in providing direction and assistance in the development of this document.

Trademark Information

All registered trademarks or trademarks belong to their respective organizations.

Table of Contents

Executive Summary ... vii
1. Introduction ... 1
1.1 Purpose and Scope ... 1
1.2 Audience ... 1
1.3 Document Structure ... 1
1.4 Notes on Terminology ... 2
2. Understanding ABAC ... 4
2.1 The Benefit of ABAC ... 5
2.2 A Working Definition of ABAC ... 6
2.3 Basic ABAC Concepts ... 8
2.4 Enterprise ABAC Concepts ... 11
2.4.1 Enterprise ABAC Policy ... 12
2.4.2 Attribute Management in Enterprise ABAC ... 13
2.4.3 Access Control Mechanism Distribution in Enterprise ABAC ... 14
3. ABAC Enterprise Considerations ... 17
3.1 Initiation Phase Considerations ... 18
3.1.1 Building the Business Case for Deploying ABAC Capabilities ... 18
3.1.2 Scalability, Feasibility, and Performance Requirements ... 19
3.1.3 Developing Operational Requirements and Architecture ... 22
3.2 Considerations during the Acquisition/Development Phase ... 25
3.2.1 Business Process Generation and Deployment Preparation ... 25
3.2.2 System Development and Solution Acquisition Considerations ... 27
3.2.3 Considerations for Other Enterprise ABAC Capabilities ... 30
3.3 Considerations during the Implementation/Assessment Phase ... 31
3.3.1 Attribute Caching ... 31
3.3.2 Attribute Source Minimization ... 31
3.3.3 Interface Specifications ... 32
3.4 Considerations during the Operations/Maintenance Phase ... 32
3.4.1 Availability of Quality Data ... 32
4. Conclusion ... 33
Appendix A – Acronyms and Abbreviations ... 34
Appendix B – References ... 36

Executive Summary

The concept of Attribute Based Access Control (ABAC) has existed for many years. It represents a point in the space of logical access control that includes access control lists, role-based access control, and the ABAC method for providing access based on the evaluation of attributes. Traditionally, access control has been based on the identity of a user requesting execution of a capability to perform an operation (e.g., read) on an object (e.g., a file), either directly, or through predefined attribute types such as roles or groups assigned to that user. Practitioners have noted that this approach to access control is often cumbersome to manage given the need to associate capabilities directly to users or their roles or groups. It has also been noted that the requester qualifiers of identity, groups, and roles are often insufficient in the expression of real-world access control policies. An alternative is to grant or deny user requests based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized and more relevant to the policies at hand. This approach is often referred to as ABAC.

In November 2009, the Federal Chief Information Officers Council (Federal CIO Council) published the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Plan v1.0 [FEDCIO1], which provided guidance to federal organizations to evolve their logical access control architectures to include the evaluation of attributes as a way to enable access within and between organizations across the Federal enterprise. In December 2011, the FICAM Roadmap and Implementation Plan v2.0 [FEDCIO2] took the next step of calling out ABAC as a recommended access control model for promoting information sharing between diverse and disparate organizations. In December 2012, the National Strategy for Information Sharing and Safeguarding included a Priority Objective that the Federal Government should extend and implement the FICAM Roadmap across Federal networks in all security domains. The U.S. General Services Administration (GSA) and the Federal CIO Council are designated leads for this Objective, and are preparing an implementation plan.

Despite the clear guidance to implement the FICAM Roadmap and contextual (risk adaptive) role or attribute based access control, to date there has not been a comprehensive effort to formally define or guide the implementation of ABAC within the Federal Government. This document serves a two-fold purpose. First, it aims to provide Federal agencies with a definition of ABAC and a description of the functional components of ABAC. Second, it provides planning, design, implementation, and operational considerations for employing ABAC within an enterprise with the goal of improving information sharing while maintaining control of that information. This document should not be interpreted as an analysis of alternatives between ABAC and other access control capabilities, as it focuses on the challenges of implementing ABAC rather than on balancing the cost and effectiveness of other capabilities versus ABAC.

ABAC is a logical access control model that is distinguishable because it controls access to objects by evaluating rules against the attributes of entities (subject and object), operations, and the environment relevant to a request. ABAC systems are capable of enforcing both Discretionary Access Control (DAC) and Mandatory Access Control (MAC) concepts.

ABAC enables precise access control, which allows for a higher number of discrete inputs into an access control decision, providing a bigger set of possible combinations of those variables to reflect a larger and more definitive set of possible rules to express policies. The access control policies that can be implemented in ABAC are limited only by the computational language and the richness of the available attributes. This flexibility enables the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object. For example, a subject is assigned a set of subject attributes upon employment (e.g., Nancy Smith is a Nurse Practitioner in the Cardiology Department). An object is assigned its object attributes upon creation (e.g., a folder with Medical Records of Heart Patients). Objects may receive their attributes either directly from the creator or as a result of automated scanning tools. The administrator or owner of an object creates an access control rule using attributes of subjects and objects to govern the set of allowable capabilities (e.g., all Nurse Practitioners in the Cardiology Department can View the Medical Records of Heart Patients).

Under ABAC, access decisions can change between requests by simply changing attribute values, without the need to change the subject/object relationships defining underlying rule sets. This provides a more dynamic access control management capability and limits long-term maintenance requirements of object protections. Further, ABAC enables object owners or administrators to apply access control policy without prior knowledge of the specific subject and for an unlimited number of subjects that might require access. As new subjects join the organization, rules and objects do not need to be modified. As long as the subject is assigned the attributes necessary for access to the required objects (e.g., all Nurse Practitioners in the Cardiology Department are assigned those attributes), no modifications to existing rules or object attributes are required. This benefit is often referred to as accommodating the external (unanticipated) user and is one of the primary benefits of employing ABAC.
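The Nurse Practitioner rule above, worked through in code as an added example (this is not code from the NIST publication): a small decision function evaluates a request's subject attributes, object attributes, requested operation and optional environment conditions against a rule set, denying by default. The Rule class, the attribute names and the second nurse's name are constructed for this illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One access control rule: the listed operations are allowed when every
    required subject, object and environment attribute matches the request."""
    subject: dict
    obj: dict
    operations: frozenset
    environment: dict = field(default_factory=dict)


def _matches(required: dict, actual: dict) -> bool:
    """Every required attribute must be present in `actual` with an equal value."""
    return all(actual.get(name) == value for name, value in required.items())


def decide(rules, subject, obj, operation, environment=None) -> str:
    """Evaluate a request against the rule set; deny unless some rule permits."""
    environment = environment or {}
    for rule in rules:
        if (operation in rule.operations
                and _matches(rule.subject, subject)
                and _matches(rule.obj, obj)
                and _matches(rule.environment, environment)):
            return "Permit"
    return "Deny"


# The document's example rule, expressed over attributes rather than identities:
# all Nurse Practitioners in Cardiology can View Medical Records of Heart Patients.
POLICY = [
    Rule(
        subject={"role": "Nurse Practitioner", "department": "Cardiology"},
        obj={"type": "Medical Record", "patient_category": "Heart Patient"},
        operations=frozenset({"View"}),
    ),
]

# Subject attributes assigned upon employment (sample values constructed here).
NANCY = {"name": "Nancy Smith", "role": "Nurse Practitioner", "department": "Cardiology"}
# Object attributes assigned upon creation of the folder (constructed sample).
HEART_RECORDS = {"type": "Medical Record", "patient_category": "Heart Patient"}


def demo():
    """Show that decisions follow attribute values, not per-subject rule edits."""
    results = {}
    results["nancy_view"] = decide(POLICY, NANCY, HEART_RECORDS, "View")
    # A subject who joins later with the same attributes is covered without
    # touching the rule or the object's attributes (the "unanticipated user").
    new_hire = {"name": "Lee Park", "role": "Nurse Practitioner", "department": "Cardiology"}
    results["new_hire_view"] = decide(POLICY, new_hire, HEART_RECORDS, "View")
    # Changing one attribute value changes the decision; the rule is untouched.
    reassigned = dict(NANCY, department="Oncology")
    results["reassigned_view"] = decide(POLICY, reassigned, HEART_RECORDS, "View")
    # Operations not named in any rule fall through to the default deny.
    results["nancy_edit"] = decide(POLICY, NANCY, HEART_RECORDS, "Edit")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```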
When deployed across an enterprise for the purposes of increasing information sharing among diverse organizations, ABAC implementations can become complex, supported by the existence of an attribute management infrastructure, machine-enforceable policies, and an array of functions that support access decisions and policy enforcement. In addition to the basic policy, attribute, and access control mechanism requirements, the enterprise must support management functions for enterprise policy development and distribution, enterprise identity and subject attributes, subject attribute sharing, enterprise object attributes, authentication, and access control mechanism deployment and distribution. The development and deployment of these capabilities requires the careful consideration of a number of factors that will influence the design, security, and interoperability of an enterprise ABAC solution. These factors can be summarized around a set of activities:

- Establish the Business Case for ABAC Implementation
- Understand the Operational Requirements and Overall Enterprise Architecture
- Establish or Refine Business Processes to Support ABAC
- Develop and Acquire an Interoperable Set of Capabilities
- Operate with Efficiency

The remainder of this document provides a more detailed explanation of ABAC concepts and considerations for employment of enterprise ABAC capabilities. This document serves as a first step to help planners, architects, managers, and implementers fulfill the information sharing and protection requirements of the U.S. Federal Government, through the employment of ABAC.

Errata

This table contains changes that have been incorporated into Special Publication (SP) 800-162. Errata updates can include corrections, clarifications, or other minor changes in the publication that are either editorial or substantive in nature.

Date | Type | Change | Pages
02-25-2019 | Editorial | Updated DOI and availability statement on all pages. | All
02-25-2019 | Editorial | Replaced references to NIST SP 800-63-1 and 800-63-2 with references to SP 800-63-3 and SP 800-63B. | 1, 27, 37
02-25-2019 | Editorial | Updated several references in Appendix B to reflect the current versions of those documents. | 36-37
08-02-2019 | Substantive | Updated Figure 8, ABAC Trust Chain, to include Environment Conditions as an input to the Access Control Decision. | 22

1. Introduction

1.1 Purpose and Scope

The purpose of this document is to provide Federal agencies with a definition of Attribute Based Access Control (ABAC) and provide considerations for using ABAC to improve information sharing while maintaining control of that information. This document describes the functional components of ABAC, as well as a set of issues for employing ABAC within a large enterprise without directly addressing authentication mechanisms or all aspects of Identity Management [1], thus assuming subjects are bound to trusted identities or identity providers. The focus is on core ABAC concepts without addressing in detail topics such as Attribute Engineering/Management, Integration with Identity Management, Federation, Situational Awareness (Real Time or Contextual) Mechanism, Policy Management, and Natural Language Policy translation to Digital Policy. The discussed considerations should not be deemed comprehensive. Before selecting and deploying an ABAC product or technology, the hosting organization should augment these considerations with testing and independent product reviews.

This document brings together many previously separate bodies of ABAC knowledge in order to bridge gaps between available technology and best practice ABAC implementations, and strives to provide guidelines that can be consistently applied throughout organizations. It can be used as an informational guide for organizations that are considering deploying, planning to deploy, or are currently deploying ABAC systems.

This guidance extends the information in NISTIR 7316, Assessment of Access Control Systems [NIST7316]; NISTIR 7665, Proceedings of the Privilege Management Workshop [NIST7665]; NISTIR 7657, A Report on the Privilege (Access) Management Workshop [NIST7657]; and NISTIR 7874, Guidelines for Access Control System Evaluation Metrics [NIST7874], which demonstrates the fundamental concepts of policy, models, and properties of Access Control (AC) systems.

1.2 Audience

This document is intended to benefit and address the needs of two specific audiences:

- Persons who have a basic understanding of access control concepts and desire a general understanding of ABAC concepts
- Access control subject matter experts or managers experienced in access control concepts who are seeking detailed deployment or operational information on ABAC

1.3 Document Structure

The rest of this document is divided into the following sections and appendixes:

- Section 2 provides a basic understanding of ABAC. It gives readers an overview of the current state of logical access control, a working definition of ABAC, and an explanation of core and enterprise level ABAC concepts. Readers can gain a general understanding of ABAC concepts from just completing Section 2.
- Section 3 discusses ABAC enterprise employment considerations during the initiation, acquisition/development, implementation/assessment, and operations/maintenance phases. Readers with an interest in access control and/or project management will benefit most from this section.

[1] See [NIST800-63-3] and [NIST800-63B].
