Next Generation Access Control (NGAC) for the Multi-Cloud World

This is a talk presented at Service Mesh Day 2019 in San Francisco, where we introduced the Next Generation Access Control (NGAC) standard and showed how it can be applied to the multi-cloud world.

Ignasi Barrera

March 29, 2019

Transcript

  1. Next Generation Access
    Control (NGAC)* for the
    Multi-Cloud World
    David Ferraiolo and Josh Roberts
    National Institute of Standards and Technology
    *An ANSI/INCITS Family of Standards

  2. NGAC Overview
    • Specifies the architecture, security model, and interfaces to
    ensure its realization in different types of implementation
    environments
    • Can provide centralized policy specification over distributed
    resources of varying types with local enforcement in support of
    different types of applications, services, and users
    • Enables diverse access control policies to be simultaneously defined and
    enforced, independently or in combination

  3. NGAC Framework
    A reusable set of relations and functions, following an attribute-based
    access control model
    • Types of objects: (1) resource objects, and (2) data elements and
    relations used to express access control policies
    • Types of operations: (1) resource operations (e.g., read, write), and (2)
    administrative operations for configuring data elements and relations.
    • Functions for: trapping and enforcing policy on access requests,
    computing decisions to accommodate or reject those requests based on
    the current state of the data elements and relations, and automatically
    altering access state when specified events occur

  4. NGAC Architecture
    Based on ANSI/INCITS 499 – NGAC-FA (Functional Architecture)
    [Architecture diagram: Policy Enforcement Point (PEP), Resource Access Point (RAP),
    Policy Decision Point (PDP), Event Processing Point (EPP), Policy Administration
    Point (PAP) and Policy Information Point (PIP); the application submits resource
    operations and administrative operations (rsrc ops + admn ops) to the PEP, which
    passes resource operations on to the RAP]
    Note:
    • Resource methods implemented in RAP
    • Administrative methods implemented in PAP

  5. Example: Multi-Cloud Deployment
    [Deployment diagram: an App sends requests to a PEP; the PEP issues commands to a RAP
    in each cloud (an AWS Cloud holding Rept1 and Rept2, Google Cloud holding Rept3) and
    receives data/status back; access events go to the EPP, which writes an Audit Log.
    The user's POS view shows a tree: Home → Proposals, Reports (Rept1, Rept2, Rept3), Resumes]
    • Cloud interprets RAP as a user with liberal permissions to NGAC-created data
    • Users centrally "see" cloud resources as logical entities via the POS
    • EPP centrally logs access events
    Personal Object System (POS): a user's current access capabilities for objects in
    object attributes

  6. Data Elements & Relations
    • Basic elements
      • Users, access rights (resource and admin), and resource objects
    • Containers
      • User attributes, object attributes, and policy classes
    • Relations
      • Assignments (define membership in containers)
      • Associations (with assignments, used for deriving privileges)
      • Prohibitions (denies that withdraw access capabilities from users)
      • Event-pattern/admin-response (obligations, for dynamically altering the
        access state)
    [Figure: the policy (elements and relations) determines the current access state]

  7. Assignments and Associations
    [Figure: assignment edges between elements and an association edge]
    Assoc: ua---ars---at, where ua is a user attribute, ars is a set of access
    rights, and at is an attribute (either a user attribute or an object attribute)
    Policy Class: an affiliation of certain users, user attributes, objects, and object
    attributes to an access control policy

  8. Derived Privileges
    (u, ar, pe) is a privilege if and only if, for each policy class pc in which policy
    element pe is contained, there exists an association ua---{ar…}---at such that:
    • The user u is contained by user attribute ua;
    • pe is contained by attribute at, and at is contained by pc;
    • The access right ar is a member of access right set {ar...}.
    Note:
    • at may be a user attribute or object attribute
    • pe may be an object, object attribute, user, user attribute or policy class

  9. Policy and Derived Privileges
    Policy:
    • Tellers can read and write Accounts and read Loans.
    • Loan Officers can read and write Loans and read Accounts.
    • An Auditor can read all bank Products.
    Possible Derived Privileges:
    (u1, r, acnt11), (u1, w, acnt11), (u1, r, acnt21), (u1, w, acnt21), (u1, r, loan21), (u2, r, acnt11),
    (u2, w, acnt11), (u2, r, acnt21), (u2, w, acnt21), (u2, r, loan21), (u3, r, acnt11), (u3, r, acnt21),
    (u3, r, loan21), (u3, w, loan21), (u4, r, acnt11), (u4, r, acnt21), (u4, r, loan21)

  10. Multiple Sub-policies
    [Figure: an RBAC sub-policy (Tellers over Accounts) combined with a Branch sub-policy]
    Policy:
    • Tellers can read and write accounts (in all Branches).
    • Tellers can create and delete accounts in the Branches for which they are assigned.
    Derived Privileges:
    (u1, r, acnt21), (u1, w, acnt21), (u1, r, acnt11), (u1, w, acnt11), (u1, c/d o, Branch1), (u2, r, acnt21),
    (u2, w, acnt21), (u2, r, acnt11), (u2, w, acnt11), (u2, c/d o, Branch2)
    Benefits:
    • Combats role explosion
    • Policy combinations
    • Finer granularity of control

  11. Prohibitions (Denies)
    • User denies
      • u-deny(u, opset, oset). User u cannot perform any operation in opset on any
        object in oset.
    • Attribute denies
      • ua-deny(ua, opset, oset). Any user contained in ua cannot perform any operation
        in opset on any object in oset.
    Example: u-deny(u1, w, acnt21). u1 still holds the derived privilege (u1, w, acnt21)
    from slide 9, but the prohibition takes precedence and the write is refused.

  12. Obligations (Event-Response)
    • Format: when event-pattern do response
    • Event: successful execution of an operation (e.g., reading an
    object, or creating a user) or environmental condition.
    • Event pattern: the context in which an event occurs (e.g.,
    operation, object, user, attributes, time, date etc.)
    • Response: sequence of administrative operations that may
    dynamically change the policy configuration.

  13. Obligations
    Example: Tellers can only access accounts between 9 AM and 5 PM:
    when: 5:00PM, do: create ua-deny(Teller, {r, w}, Accounts)
    when: 9:00AM, do: delete ua-deny(Teller, {r, w}, Accounts)
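Worked example added by the editor (not code from the talk, from NIST's Policy Machine, or from Tetrate's demo): the derivation rule of slide 8 run over the bank policy of slide 9, the second policy class of slide 10, the u-deny of slide 11 and the business-hours obligations of slide 13, as a small in-memory policy graph in Python. The slides name the roles and objects but not the graph nodes, so the "Bank" and "Branches" policy classes, the "LoanOfficer", "Auditor", "AllBranches", "Tellers1" and "Tellers2" attributes, the rights "c"/"d" standing for the slide's "c/d o", the ("clock", "HH:MM") events and reflexive containment (a node contains itself, so pe and at may coincide) are all assumptions of this example, not part of the deck.

```python
"""Added example, not code from the talk, NIST's Policy Machine or Tetrate. Names the slides
do not give ("Bank"/"Branches" policy classes, "LoanOfficer", "Auditor", "AllBranches",
"Tellers1"/"Tellers2", rights "c"/"d" for the slide's "c/d o") are assumptions."""
from collections import defaultdict

USER, UA, OBJECT, OA, PC = "u", "ua", "o", "oa", "pc"   # node kinds


class PolicyGraph:
    def __init__(self):
        self.kind = {}                   # node -> kind
        self.parents = defaultdict(set)  # assignments: child -> its containers
        self.assocs = []                 # (ua, frozenset(ars), at)
        self.denies = []                 # (u or ua, frozenset(ops), frozenset(oset))
        self.obligations = []            # (event-pattern predicate, response)

    def add(self, node, kind, container=None):
        self.kind[node] = kind
        if container: self.assign(node, container)
    def assign(self, child, container):
        self.parents[child].add(container)
    def associate(self, ua, ars, at):
        self.assocs.append((ua, frozenset(ars), at))
    def deny(self, subject, ops, oset):   # u-deny if subject is a user, else ua-deny
        self.denies.append((subject, frozenset(ops), frozenset(oset)))
    def undeny(self, subject, ops, oset):
        self.denies.remove((subject, frozenset(ops), frozenset(oset)))
    def when(self, pattern, response):    # obligation: "when event-pattern do response"
        self.obligations.append((pattern, response))
    def event(self, ev):                  # EPP: fire the response of each matching obligation
        for pattern, response in self.obligations:
            if pattern(ev): response(self)

    def containers(self, node):           # node plus everything reachable over assignments
        seen, stack = set(), [node]       # (reflexive containment is an assumption)
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(self.parents[n])
        return seen

    def privileges(self, u):
        """Slide 8: (u, ar, pe) is derived iff for EVERY policy class pc containing pe some
        association ua---ars---at has u in ua, ar in ars, pe in at and at in pc; several
        policy classes therefore combine as a conjunction."""
        u_up, privs = self.containers(u), set()
        for pe in self.kind:
            pe_up = self.containers(pe)
            pcs = [c for c in pe_up if self.kind.get(c) == PC]
            hits = [(ars, self.containers(at)) for ua, ars, at in self.assocs
                    if ua in u_up and at in pe_up]
            for ar in {ar for ars, _ in hits for ar in ars}:
                if pcs and all(any(ar in ars and pc in at_up for ars, at_up in hits)
                               for pc in pcs):
                    privs.add((u, ar, pe))
        return privs

    def object_privileges(self, u):       # policy review: which objects can u access?
        return {p for p in self.privileges(u) if self.kind[p[2]] == OBJECT}

    def check(self, u, op, o):            # PDP decision: derived privilege and no prohibition
        u_up, o_up = self.containers(u), self.containers(o)   # a deny applies when its subject
        denied = any(s in u_up and op in ops and oset & o_up    # is u or contains u and o is,
                     for s, ops, oset in self.denies)           # or is inside, a member of oset
        return (u, op, o) in self.privileges(u) and not denied


def bank_graph():                         # slide 9: Tellers r/w Accounts and r Loans; Loan
    g = PolicyGraph()                     # Officers r/w Loans and r Accounts; Auditor r Products
    for node, kind, container in (
            ("Bank", PC, None), ("Teller", UA, "Bank"), ("LoanOfficer", UA, "Bank"),
            ("Auditor", UA, "Bank"), ("Products", OA, "Bank"), ("Accounts", OA, "Products"),
            ("Loans", OA, "Products"), ("u1", USER, "Teller"), ("u2", USER, "Teller"),
            ("u3", USER, "LoanOfficer"), ("u4", USER, "Auditor"), ("acnt11", OBJECT, "Accounts"),
            ("acnt21", OBJECT, "Accounts"), ("loan21", OBJECT, "Loans")):
        g.add(node, kind, container)
    for ua, ars, at in (("Teller", "rw", "Accounts"), ("Teller", "r", "Loans"),
                        ("LoanOfficer", "rw", "Loans"), ("LoanOfficer", "r", "Accounts"),
                        ("Auditor", "r", "Products")):
        g.associate(ua, set(ars), at)
    return g


def add_branch_policy(g):
    """Slide 10 as a second policy class (layout is a constructed guess): accounts also sit in
    their Branch, Tellers keep r/w everywhere via AllBranches, Tellers1/Tellers2 may create
    and delete ("c"/"d") only in their own Branch; roles this class grants nothing lose accounts."""
    g.add("Branches", PC)
    g.add("AllBranches", OA, "Branches")
    g.associate("Teller", {"r", "w"}, "AllBranches")
    for branch, acct, ua, u in (("Branch1", "acnt11", "Tellers1", "u1"),
                                ("Branch2", "acnt21", "Tellers2", "u2")):
        g.add(branch, OA, "AllBranches")
        g.add(ua, UA, "Branches")
        g.assign(acct, branch)
        g.assign(u, ua)
        g.associate(ua, {"c", "d"}, branch)


def add_business_hours(g):                # slide 13; ("clock", "HH:MM") events are constructed
    g.when(lambda ev: ev == ("clock", "17:00"), lambda g: g.deny("Teller", {"r", "w"}, {"Accounts"}))
    g.when(lambda ev: ev == ("clock", "09:00"), lambda g: g.undeny("Teller", {"r", "w"}, {"Accounts"}))
```

bank_graph().object_privileges("u1") returns exactly slide 9's tuples for u1; privileges() also lists the rights a user holds on the attributes themselves (Accounts, Products). After add_branch_policy, Tellers keep read/write on both accounts and gain create/delete only on their own Branch attribute, while u3 and u4 lose the accounts entirely: the rule quantifies over every policy class that contains the object, so a second policy class that says nothing about a role removes its access rather than leaving it alone, which is the thing to watch when policies are combined. Firing the ("clock", "17:00") event makes check("u1", "w", "acnt11") false without touching Loans or Loan Officers, and the 9:00AM event restores it. object_privileges answers the slide 17 question "what are the objects a user can access?".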

  14. Delegation
    • Admin capabilities: created through associations with admin access rights (aars).
    • One admin can delegate to another through their admin rights to create
      associations
    • Parameterized admin routines used to execute a sequence of admin actions
      (e.g., Create File Management User (user, user name, user home)*)
    [Figure: delegation graph with an association carrying {r, w, aars}]
    *created relations, results of u2's delegated capabilities

  15. Example Policy Configurations

    (Combinations of:)
    • Discretionary Access Control (DAC)
    • RBAC
    • Communities of Interest (OUs, Regions, Branches,
    Wards)
    • Separation of Duty
    • Time, location
    • Workflow
    • Read once, read one at a time
    • Non-repudiation
    • Tracking access - I know who can currently access my data

  16. Implementation and Scale
    • Centralized policy specification over distributed resources with
    local enforcement
    • Policy configuration resides in PDP memory as a graph
    • Accommodates billions of nodes
    • Linear time algorithms for computing decisions and conducting policy review
    (over the small portion of the graph that pertains to the user)

  17. Policy Review and Resource Discovery
    • What are the objects a user can access?
    • Who can access an object?
    • Why can't a user access an object?
    • Personal Object System (POS) for displaying authorized objects
    and object attributes

  18. Summary: Virtual multi-cloud enterprise
    • Specify and enforce combinations of dynamic and static access control
    policies (e.g., DAC and RBAC) across virtual enterprise (VE)
    • Policy analytics
    • E.g., who has access to what objects across VE
    • Expression, enforcement, and delegation of administrative privileges
    over VE policy configuration
    • Centralized audit of access events across VE
    • Types of applications (Web Services)
    • Existing applications (e.g., .doc)
    • NGAC enabled applications (designed with NGAC in mind)
    • Database applications

  19. Demo
    NGAC in Service Mesh

  20. http://bit.ly/TetrateQ
