Next Generation Access Control (NGAC) for the Multi-Cloud World
This is a talk presented at Service Mesh Day 2019 in San Francisco, where we introduced the Next Generation Access Control (NGAC) standard and showed how it can be applied to the multi-cloud world.
Next Generation Access Control (NGAC)* for the Multi-Cloud World David Ferraiolo and Josh Roberts National Institute of Standards and Technology *An ANSI/INCITS Family of Standards
NGAC Overview • Specifies the architecture, security model, and interfaces to ensure its realization in different types of implementation environments • Can provide centralized policy specification over distributed resources of varying types with local enforcement in support of different types of applications, services, and users • Enabling diverse access control policies to be simultaneously defined and enforced independently or in combinations
NGAC Framework A reusable set of relations and functions, following an attribute-based access control model • Types of objects: (1) resource objects, and (2) data elements and relations used to express access control policies • Types of operations: (1) resource operations (e.g., read, write), and (2) administrative operations for configuring data elements and relations. • Functions for: trapping and enforcing policy on access requests, computing decisions to accommodate or reject those requests based on the current state of the data elements and relations, and automatically altering access state when specified events occur
NGAC Architecture Based on ANSI/ INCITS 499 – NGAC-FA Policy Enforcement Point Resource Access Point Policy Decision Point Event Process Point Policy Administration Point Policy Information Point Note: • Resource methods implemented in RAP • Administrative methods implemented in PAP RAP Application for resource ops rsrc ops + admn ops
GC RAP AWS RAP Google Cloud Rept2 AWS Cloud Rept1 Rept3 PEP • Cloud interprets RAP as a user with liberal permissions to NGAC created data • User centrally “see” cloud resources as logical entities via • EPP centrally log access events EPP App Audit Log commands commands requests requests POS Home Proposals Reports Rept1 Rept2 Rept3 Resumes Personal Object System (POS): Events • A user’s current access capabilities for objects in object attributes Example: Multi-Cloud Deployment data/status data/status data/status data/status
Data Elements & Relations • Basic elements • Users, access rights (resource and admin), and resource objects • Containers • User attributes, object attributes, and policy classes • Relations • Assignments (define membership in containers) • Associations (with assignments, used for deriving privileges) • Prohibitions (denies for users access capabilities) • Event-pattern/admin-response (for dynamically alter the access state) Current access state Policy
Assoc: ua---ars---at, where ua is a user attribute, ars is a set of access rights, and at is an attribute (either a user attribute or an object attribute) Assignment Assignments and Associations Policy Class: an affiliation of certain users, user attributes, objects, and object attributes to an access control policy
8 Derived Privileges (u, ar, pe) is a privilege, if and only if, for each policy class pc in which policy element pe is contained, there exists an association ua---{ar…}---at, such that: • The user u is contained by user attribute ua; • pe is contained by attribute at, and at is contained by pc; • The access right ar is a member of access right set {ar...}. Note: • at may be a user attribute or object attribute • pe may be an object, object attribute, user, user attribute or policy class
• Tellers can read and write accounts (in all Branches). • Tellers can create and delete accounts in the Branches for which they are assigned. (u1, r, acnt21), (u1, w, acnt21), (u1, r, acnt11), (u1, w, acnt11), (u1, c/d o, Branch1), (u2, r, acnt21), (u2, w, acnt21), (u2, r, acnt11), (u2, w, acnt11), (u2, c/d o, Branch2) Policy: Derived Privileges: Multiple Sub-policies Benefits: • Combats role explosion • Policy combinations • Finer granularity of control RBAC
11 Prohibitions (Denies) • User denies • u-deny(u, opset, oset). User u cannot perform any operation in opset on any object in oset. • Attribute denies • ua-deny(ua, opset, oset). Any user contained in ua cannot perform any operation in opset on any object in oset. Example: u-deny(u1, w, acnt21)
12 Obligations (Event-Response) • Format: when event-pattern do response • Event: successful execution of an operation (e.g., reading an object, or creating a user) or environmental condition. • Event pattern: the context in which an event occurs (e.g., operation, object, user, attributes, time, date etc.) • Response: sequence of administrative operations that may dynamically change the policy configuration.
Delegation • Admin. Capabilities: created through associations with admin access rights (aars). • One admin can delegate to another though their admin. rights to create associations • Parameterized admin routines used to execute a sequence of admin actions (E.g., Create File Management User (user, user name, user home)*) *created relations, results of u2’s delegated capabilities {r, w, aars}
Example Policy Configurations (Combinations of:) • Discretionary Access Control (DAC) • RBAC • Communities of Interest (OUs, Regions, Branches, Wards) • Separation of Duty • Time, location • Workflow • Read once, read one at a time • Non-repudiation • Tracking access - I know who can currently access to my data
Implementation and Scale • Centralized policy specification over distributed resources with local enforcement • Policy configuration resides in PDP memory as a graph • Accommodates billions of nodes • Linear time algorithms for computing decisions and conducting policy review (over a small portion of graph that pertains to the user)
Policy Review and Resource Discovery • What are the objects a user can access? • Who can access an object? • Why can’s a user access an object? • Personal Object System (POS) for displaying authorized objects and object attributes
Summary: Virtual multi-cloud enterprise • Specify and enforce combinations of dynamic and static access control policies (e.g., DAC and RBAC) across virtual enterprise (VE) • Policy analytics • E.g., who has access to what objects across VE • Expression, enforcement, and delegation of administrative privileges over VE policy configuration • Centralized audit of access events across VE • Types of applications (Web Services) • Existing applications (e.g., .doc) • NGAC enabled applications (designed with NGAC in mind) • Data base applications
nacx
utam0k
peisuke
aki_iinuma
tsukubachallenge
koheiawa
mtx2s
ttccddtoki
mosa_siru
palark
coe
sansantech
hygradme
scottboms
skipperchong
akosma
panda_program
shpigford
michaelherold
nonsquared
mongodb
dotmariusz
lara
zakiwarfel