Fine-Grained Policies are back with NGAC

The fine-grained nature of cloud native deployments requires fine-grained authorizations at each component. However, this typically requires security policies to be defined centrally while the configuration that reflects them is defined in each microservice, so that enforcement is uniform and consistent across the entire system; that is hard to model and maintain.

Next-Generation Access Control (NGAC), developed by the U.S. National Institute of Standards and Technology (NIST), enables a systematic, policy-consistent approach to access control, granting or denying users administrative capabilities with a high level of granularity. It is based on the assumption that you can model the system you want to protect as a graph that represents the resources and your organizational structure, in a way that is meaningful to you and adheres to your organization's semantics. On top of this model you can overlay fine-grained policies and also audit access decisions effectively.

This talk will offer an overview of NGAC and its advantages over the more traditional RBAC and ABAC, such as mitigating role explosion and indeterminate or surprising access verdicts, in the context of Zero Trust, as well as practical examples of how to use it to rationalize enterprise access control in ways that are easy to reason about, author, enforce and audit.

José Carlos Chávez

September 25, 2023

Transcript

  2. Fine-Grained Policies RBAC with NGAC
    José Carlos Chávez
    Sept 25, 2023
    @jcchavezs | #IstioCon

  3. Fine-Grained Policies are back with NGAC
    José Carlos Chávez
    Sept 25, 2023

  4. About me
    José Carlos Chávez, Software Engineer @ Tetrate
    • Open source enthusiast
    • OWASP Coraza Co-leader
    • Zipkin core member
    • Loving father

  5. Access Control
    "Access control is an essential element of security that determines who is allowed to access certain data, apps, and resources—and in what circumstances."
    Source: What is access control? - Security 101, Microsoft

  6. Access Control: use cases
    • Make access decisions
      func check(p Principal, op Operation, r Resource) bool
    • Manage access policies
      • Type of access policy
      • Policy API
      • Policy Language
    BONUS:
    • Explain access decisions
      func explain(p Principal, op Operation, r Resource) []Reason
      func whatAccess(p Principal) []ResourceAndOperations
      func whoAccess(r Resource) []PrincipalAndOperations

  7. Access Control: models
    • Discretionary access control (DAC): every object has an owner, and owners grant access to users at their discretion. It provides case-by-case control over resources and therefore does not scale.
    • Mandatory access control (MAC): users are granted access in the form of a clearance. A central authority regulates access rights and organizes them into tiers, which uniformly expand in scope. Very common in government and military contexts, where structures are static and rigid.
    • Role-based access control (RBAC): access rights are granted based on defined business functions (roles) rather than on individuals' identity. Policies are easy to understand and author correctly, but hard to scale (e.g. role explosion).
    • Attribute-based access control (ABAC): access is granted flexibly based on a combination of attributes and environmental conditions, such as time and location. Policies are hard to understand and author correctly (permissions overlap), but easy to scale and model.

  8. NGAC to the rescue
    Yay

  9. Next Generation Access Control (NGAC)
    [Figure: NGAC graph with users, user attributes, objects, object attributes and policy classes, with operations on the edges between them]
    Created by NIST. NGAC takes the approach of modeling access decision data as a directed acyclic graph of:
    - Users/Subjects
    - Objects
    - User/subject attributes
    - Object attributes
    - Policy classes
    Source: https://thenewstack.io/why-you-should-choose-ngac-as-your-access-control-model

  10. NGAC architecture
    [Figure: NGAC architecture with Subject, operation, PEP (e.g. ext_authz, wasmplugin, etc.), PDP, PAP, PIP, RAP, EPP and Object]
    • PEP for enforcement
    • PDP for decision
    • PAP for administration
    • PIP for information
    • RAP is for resource access
    • EPP is for event processing

  11. How fine-grained?
    [Figure: Object DAG and Subject DAG with policy classes RBAC, Location and Topology; nodes Backend, Instance 1, Instance 2, Frontend, Instance 3, Instance 4, SRE, Piotr, Lance, US and EU; associations labelled {r}, {r,w} and {*}]

  12. Can Lance access Instance 1?
    [Figure: the same Object DAG and Subject DAG as slide 11]
    Location: Yes {r}
    RBAC: Yes {r,w}
    Conclusion: Yes {r}

  13. Can Instance 4 reach Instance 1?
    [Figure: the same Object DAG and Subject DAG as slide 11]
    Topology: Yes {*}
    Location: No
    Conclusion: No

  14. Next Generation Access Control (NGAC)
    • Overlay access policies on top of an existing representation of the world, provided by the user.
    • Scales linearly: roughly O(|user attributes| + |object attributes| + |associations|), i.e. the size of the subgraph for the user and object in question.
    • It can be configured to allow or disallow access based not only on object attributes, but also on other conditions (time, location, etc.).
    • It can evaluate and combine multiple policies in a single access decision, while keeping its linear time complexity.
    • Audit to see what objects are affected by a policy.
    • Explain why a particular access was allowed.
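The decisions worked through on slides 12 and 13, together with the check() and explain() use cases from slide 6 and the linear-time evaluation described above, as an added example in Go; it is not code from the talk or from any NIST reference implementation. It builds a small policy graph with the three policy classes from the slides (RBAC, Location, Topology): assignment edges run from users and objects up through attributes to policy classes, associations grant operations from a user attribute to an object attribute, and an operation is allowed only when every policy class that contains the object grants it. Node names are the slide labels; their arrangement (Backend sitting under both RBAC and Topology, Instance 4 modelled as an EU frontend caller) is an assumption read off the diagram, so Explain lists one more policy-class row than the slides show, but the conclusions match: Lance gets {r} on Instance 1 and Instance 4 gets nothing.

```go
package main

import (
	"fmt"
	"strings"
)

// Association grants Ops from a user attribute to an object attribute;
// "*" stands for every operation (the {*} edge on the slides).
type Association struct {
	UserAttr, ObjectAttr string
	Ops                  []string
}

// Graph is a minimal NGAC policy graph. Node ids carry a kind prefix
// (u:, ua:, o:, oa:, pc:); assignments point from a node to the attributes
// and policy classes that contain it.
type Graph struct {
	assignments  map[string][]string
	associations []Association
}

// containers returns n plus every node reachable over assignment edges;
// each node is visited once, so the walk is linear in n's subgraph.
func (g *Graph) containers(n string) map[string]bool {
	seen := map[string]bool{}
	for stack := []string{n}; len(stack) > 0; {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if !seen[cur] {
			seen[cur] = true
			stack = append(stack, g.assignments[cur]...)
		}
	}
	return seen
}

// Explain is the slides' explain(): for each policy class containing the
// object, the operations that class grants the user. An empty set is a denial.
func (g *Graph) Explain(user, object string) map[string]map[string]bool {
	uc, oc := g.containers(user), g.containers(object)
	verdict := map[string]map[string]bool{}
	for n := range oc {
		if strings.HasPrefix(n, "pc:") {
			verdict[n] = map[string]bool{} // every class in play starts empty
		}
	}
	for _, a := range g.associations {
		if !uc[a.UserAttr] || !oc[a.ObjectAttr] {
			continue // association does not cover this user/object pair
		}
		// It counts toward every policy class its object attribute belongs to.
		for pc := range g.containers(a.ObjectAttr) {
			if ops, ok := verdict[pc]; ok {
				for _, op := range a.Ops {
					ops[op] = true
				}
			}
		}
	}
	return verdict
}

// Check is the slides' check(): every policy class in play must grant the
// operation (or "*"); an object under no policy class is denied.
func (g *Graph) Check(user, op, object string) bool {
	verdict := g.Explain(user, object)
	if len(verdict) == 0 {
		return false
	}
	for _, ops := range verdict {
		if !ops[op] && !ops["*"] {
			return false
		}
	}
	return true
}

// demoGraph is a constructed graph modelled on the slides (an assumption
// about the diagram, not data from a real deployment).
func demoGraph() *Graph {
	return &Graph{
		assignments: map[string][]string{
			"u:Lance":      {"ua:SRE", "ua:US"},      // SRE based in the US
			"u:Instance 4": {"ua:Frontend", "ua:EU"}, // frontend caller in the EU
			"ua:SRE":       {"pc:RBAC"},
			"ua:Frontend":  {"pc:Topology"},
			"ua:US":        {"pc:Location"},
			"ua:EU":        {"pc:Location"},
			"o:Instance 1": {"oa:Backend", "oa:US"}, // US backend instance
			"oa:Backend":   {"pc:RBAC", "pc:Topology"},
			"oa:US":        {"pc:Location"},
		},
		associations: []Association{
			{"ua:SRE", "oa:Backend", []string{"r", "w"}}, // the {r,w} edge
			{"ua:US", "oa:US", []string{"r"}},           // the {r} edge
			{"ua:Frontend", "oa:Backend", []string{"*"}}, // the {*} edge
		},
	}
}

func main() {
	g := demoGraph()
	fmt.Println(g.Check("u:Lance", "r", "o:Instance 1"), g.Explain("u:Lance", "o:Instance 1"))
	fmt.Println(g.Check("u:Instance 4", "r", "o:Instance 1"), g.Explain("u:Instance 4", "o:Instance 1"))
}
```

Each decision walks only the containers of the one user and the one object plus the associations between them, which is the linear cost the slide describes; the per-class map returned by Explain is the audit trail, and the class whose set stays empty (Location, for Instance 4) is the reason printed when access is denied.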

  15. NGAC comparison
    ABAC
      Pros: Flexibility
      Cons: Performance and auditability can be problematic due to the number of attributes and their combinations
    RBAC
      Pros: Simplicity
      Cons: Role explosion; fixed access rights; challenges meeting regulatory requirements due to granularity and auditability
    NGAC
      Pros: High level of granularity; auditability; flexibility; combined access policies
      Cons: In its early stages; it needs more high-level APIs to help users maintain the graph

  16. Conclusions
    • ABAC is a natural fit for the class of cloud-native applications whose design is based on microservices, due to its flexibility and because it empowers owners to create their own policies.
    • Being able to understand an access decision in a human-readable way is crucial for understanding access leaks and insecure points, and for forensic research.
    • Performance is key in access decisions, since making decisions in the critical path can have a huge impact on latency.

  17. References
    • NIST 800-204B: Attribute-based Access Control for Microservices-based Applications Using a Service Mesh - Chandramouli, Butcher, Chetal
    • Imposing Fine-grain Next Generation Access Control over Database Queries - Ferraiolo, Gavrila, Katwala & Roberts
    • Why you should choose NGAC as your Access Control model - https://thenewstack.io/why-you-should-choose-ngac-as-your-access-control-model
    • Linear Time Algorithms to Restrict Insider Access using Multi-Policy Access Control Systems - Mell, Shook, Harang & Gavrila

  18. Fine-Grained Policies are back with NGAC
    José Carlos Chávez
    Sept 25, 2023