Slide 1

Slide 1 text

Next Generation Access Control (NGAC)* for the Multi-Cloud World
David Ferraiolo and Josh Roberts, National Institute of Standards and Technology
*An ANSI/INCITS family of standards

Slide 2

Slide 2 text

NGAC Overview
• Specifies the architecture, security model, and interfaces needed to realize NGAC in different types of implementation environments
• Provides centralized policy specification over distributed resources of varying types, with local enforcement, in support of different types of applications, services, and users
• Enables diverse access control policies to be defined simultaneously and enforced independently or in combination

Slide 3

Slide 3 text

NGAC Framework
A reusable set of relations and functions, following an attribute-based access control model
• Types of objects: (1) resource objects, and (2) the data elements and relations used to express access control policies
• Types of operations: (1) resource operations (e.g., read, write), and (2) administrative operations for configuring data elements and relations
• Functions for: trapping access requests and enforcing policy on them; computing decisions to grant or reject those requests based on the current state of the data elements and relations; and automatically altering the access state when specified events occur

Slide 4

Slide 4 text

NGAC Architecture (based on ANSI/INCITS 499, NGAC-FA)
Functional components:
• Policy Enforcement Point (PEP)
• Resource Access Point (RAP)
• Policy Decision Point (PDP)
• Event Processing Point (EPP)
• Policy Administration Point (PAP)
• Policy Information Point (PIP)
Note:
• Resource methods are implemented in the RAP
• Administrative methods are implemented in the PAP
[Figure: an application issues resource operations and administrative operations through the PEP; resource operations are carried out by the RAP]

Slide 5

Slide 5 text

Example: Multi-Cloud Deployment
[Figure: an application sends requests through a PEP to two RAPs, one for Google Cloud (GC RAP) and one for AWS (AWS RAP); the objects Rept1, Rept2 and Rept3 are spread across the two clouds; commands, data/status and events flow between the PEP, the RAPs, the EPP and an audit log]
• The cloud interprets each RAP as a user with liberal permissions to NGAC-created data
• Users centrally "see" cloud resources as logical entities via the Personal Object System (POS)
• The EPP centrally logs access events
Personal Object System (POS): a user's current access capabilities for objects in object attributes
Example POS tree: Home > Proposals, Reports (Rept1, Rept2, Rept3), Resumes, Personal

Slide 6

Slide 6 text

Data Elements & Relations
• Basic elements: users, access rights (resource and administrative), and resource objects
• Containers: user attributes, object attributes, and policy classes
• Relations
  • Assignments (define membership in containers)
  • Associations (with assignments, used for deriving privileges)
  • Prohibitions (denies that remove access capabilities from users)
  • Event-pattern/admin-response obligations (for dynamically altering the access state)
[Figure: the policy configuration (elements and relations) determines the current access state]

Slide 7

Slide 7 text

Assignments and Associations
Assignment: an element or container is assigned to a container (membership)
Association: ua---ars---at, where ua is a user attribute, ars is a set of access rights, and at is an attribute (either a user attribute or an object attribute)
Policy Class: an affiliation of certain users, user attributes, objects, and object attributes to an access control policy

Slide 8

Slide 8 text

Derived Privileges
(u, ar, pe) is a privilege if and only if, for each policy class pc in which policy element pe is contained, there exists an association ua---{ar...}---at such that:
• the user u is contained by user attribute ua;
• pe is contained by attribute at, and at is contained by pc;
• the access right ar is a member of the access right set {ar...}.
Note:
• at may be a user attribute or an object attribute
• pe may be an object, object attribute, user, user attribute, or policy class

Slide 9

Slide 9 text

Policy and Derived Privileges
Policy:
• Tellers can read and write Accounts and read Loans.
• Loan Officers can read and write Loans and read Accounts.
• An Auditor can read all bank Products.
Possible derived privileges (from the privilege sets, u1 and u2 are Tellers, u3 a Loan Officer, u4 an Auditor):
(u1, r, acnt11), (u1, w, acnt11), (u1, r, acnt21), (u1, w, acnt21), (u1, r, loan21),
(u2, r, acnt11), (u2, w, acnt11), (u2, r, acnt21), (u2, w, acnt21), (u2, r, loan21),
(u3, r, acnt11), (u3, r, acnt21), (u3, r, loan21), (u3, w, loan21),
(u4, r, acnt11), (u4, r, acnt21), (u4, r, loan21)

Slide 10

Slide 10 text

Multiple Sub-policies (RBAC combined with a branch policy)
Policy:
• Tellers can read and write accounts (in all Branches).
• Tellers can create and delete accounts in the Branches to which they are assigned.
Derived privileges (c/d o = create/delete object):
(u1, r, acnt21), (u1, w, acnt21), (u1, r, acnt11), (u1, w, acnt11), (u1, c/d o, Branch1),
(u2, r, acnt21), (u2, w, acnt21), (u2, r, acnt11), (u2, w, acnt11), (u2, c/d o, Branch2)
Benefits:
• Combats role explosion
• Policy combinations
• Finer granularity of control

Slide 11

Slide 11 text

Prohibitions (Denies)
• User denies
  • u-deny(u, opset, oset): user u cannot perform any operation in opset on any object in oset.
• Attribute denies
  • ua-deny(ua, opset, oset): any user contained in ua cannot perform any operation in opset on any object in oset.
A prohibition takes precedence over derived privileges: a request is granted only if a derived privilege exists and no matching prohibition applies.
Example: u-deny(u1, w, acnt21)

Slide 12

Slide 12 text

Obligations (Event-Response)
• Format: when event-pattern do response
• Event: the successful execution of an operation (e.g., reading an object, or creating a user) or an environmental condition
• Event pattern: the context in which an event occurs (e.g., operation, object, user, attributes, time, date, etc.)
• Response: a sequence of administrative operations that may dynamically change the policy configuration

Slide 13

Slide 13 text

Example: Tellers can only access accounts between 9 AM and 5 PM
Obligations:
when: 5:00 PM, do: create ua-deny(Teller, {r, w}, Accounts)
when: 9:00 AM, do: delete ua-deny(Teller, {r, w}, Accounts)
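Worked example (added here; it is not code from the slides or from NIST): a small Python policy graph that implements the relations of the Data Elements and Assignments/Associations slides, the derived-privilege rule of the Derived Privileges slide, the bank policy of the two preceding policy slides as two policy classes, the u-deny/ua-deny prohibitions, the clock-driven obligations above, and the "what can a user access" review of the later Policy Review slide. Names not on the slides are this example's assumptions: the policy classes "Bank" and "BranchOps", the user attributes "Branch1Staff" and "Branch2Staff", the object attribute "Branches", the access-right labels "c" and "d" for create/delete, and the shape of the clock events. Because acnt11 and acnt21 are contained in both policy classes, the derived-privilege rule requires a qualifying association in each class, so the example also grants the Loan Officer and Auditor a read association over "Branches" to keep the earlier slide's privileges after the combination.

```python
"""Toy NGAC policy engine: assignments, associations, policy classes, prohibitions
and obligations, deriving privileges by the rule on the Derived Privileges slide.
Added example, not NIST reference code; the graph shape is this example's own."""
from collections import defaultdict


class PolicyGraph:
    def __init__(self):
        self.parents = defaultdict(set)  # assignment relation: element -> its containers
        self.policy_classes = set()
        self.associations = []           # (ua, frozenset(access rights), at)
        self.prohibitions = set()        # (user or ua, frozenset(ops), frozenset(targets))
        self.obligations = []            # (event-pattern predicate, response callable)

    def add_policy_class(self, pc):  # administrative operations: what the PAP exposes
        self.policy_classes.add(pc)

    def assign(self, element, *containers):
        self.parents[element].update(containers)

    def associate(self, ua, rights, at):
        self.associations.append((ua, frozenset(rights), at))

    def deny(self, subject, ops, targets):  # u-deny if subject is a user, ua-deny if a ua
        self.prohibitions.add((subject, frozenset(ops), frozenset(targets)))

    def undeny(self, subject, ops, targets):
        self.prohibitions.discard((subject, frozenset(ops), frozenset(targets)))

    def obligate(self, pattern, response):  # when pattern(event) do response(graph)
        self.obligations.append((pattern, response))

    def containers_of(self, element):  # containment = transitive closure of assignment
        seen, stack = set(), [element]
        while stack:
            new = self.parents[stack.pop()] - seen
            seen |= new
            stack.extend(new)
        return seen

    def contains(self, container, element):  # an element counts as contained by itself
        return container == element or container in self.containers_of(element)

    def is_privilege(self, u, ar, pe):  # PDP decision rule
        """True iff EVERY policy class containing pe holds a qualifying association;
        an element assigned to no policy class is unreachable."""
        pcs = [pc for pc in self.policy_classes if self.contains(pc, pe)]
        return bool(pcs) and all(
            any(ar in ars and self.contains(ua, u) and self.contains(at, pe)
                and self.contains(pc, at) for ua, ars, at in self.associations)
            for pc in pcs)

    def is_prohibited(self, u, op, obj):  # targets may be objects or object attributes
        return any(self.contains(subj, u) and op in ops
                   and any(self.contains(t, obj) for t in targets)
                   for subj, ops, targets in self.prohibitions)

    def check_access(self, u, op, obj):  # privilege needed, prohibition wins
        return self.is_privilege(u, op, obj) and not self.is_prohibited(u, op, obj)

    def review(self, u):  # policy review: every (access right, element) u holds right now
        rights = {ar for _, ars, _ in self.associations for ar in ars}
        elems = set(self.parents) | {c for cs in self.parents.values() for c in cs}
        return {(ar, e) for ar in rights for e in elems if self.check_access(u, ar, e)}

    def process_event(self, event):  # EPP role: fire every obligation whose pattern matches
        for pattern, response in self.obligations:
            if pattern(event):
                response(self)


def bank_policy():
    """Bank RBAC sub-policy combined with a branch sub-policy (names per the slides)."""
    g = PolicyGraph()
    for pc in ("Bank", "BranchOps"):
        g.add_policy_class(pc)
    for child, *containers in (
            ("Teller", "Bank"), ("LoanOfficer", "Bank"), ("Auditor", "Bank"), ("u3", "LoanOfficer"),
            ("u4", "Auditor"), ("u1", "Teller", "Branch1Staff"), ("u2", "Teller", "Branch2Staff"),
            ("Products", "Bank"), ("Accounts", "Products"), ("Loans", "Products"), ("loan21", "Loans"),
            ("acnt11", "Accounts", "Branch1"), ("acnt21", "Accounts", "Branch2"),
            ("Branches", "BranchOps"), ("Branch1", "Branches"), ("Branch2", "Branches"),
            ("Branch1Staff", "BranchOps"), ("Branch2Staff", "BranchOps")):
        g.assign(child, *containers)
    for ua, rights, at in (
            ("Teller", "rw", "Accounts"), ("Teller", "r", "Loans"), ("Auditor", "r", "Products"),
            ("LoanOfficer", "rw", "Loans"), ("LoanOfficer", "r", "Accounts"),
            # accounts also sit under BranchOps, so each role needs a grant there too
            ("Teller", "rw", "Branches"), ("LoanOfficer", "r", "Branches"), ("Auditor", "r", "Branches"),
            ("Branch1Staff", "cd", "Branch1"), ("Branch2Staff", "cd", "Branch2")):
        g.associate(ua, set(rights), at)
    return g


def teller_hours(g):
    """Tellers reach Accounts only 9 AM-5 PM; clock events {"type": "clock", "time": "HH:MM"} are an assumed shape."""
    closed = ("Teller", {"r", "w"}, {"Accounts"})
    g.obligate(lambda e: e.get("type") == "clock" and e["time"] == "17:00", lambda g: g.deny(*closed))
    g.obligate(lambda e: e.get("type") == "clock" and e["time"] == "09:00", lambda g: g.undeny(*closed))
```

A user attribute with a grant in only one of the two classes (for instance an "Intern" attribute assigned under Bank with read on Products) reaches loan21 but not acnt11: that intersection across policy classes is what lets the branch sub-policy restrict the RBAC sub-policy without editing it. Likewise, after the 5 PM event a Teller still reads loan21, because the ua-deny only covers Accounts, while the Auditor is untouched because the deny is scoped to the Teller attribute.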

Slide 14

Slide 14 text

Delegation
• Administrative capabilities are created through associations with administrative access rights (aars).
• One admin can delegate to another through their admin rights to create associations.
• Parameterized admin routines execute a sequence of admin actions (e.g., Create File Management User(user, user name, user home)*).
*The relations created are the result of u2's delegated capabilities {r, w, aars}

Slide 15

Slide 15 text

Example Policy Configurations (and combinations of them)
• Discretionary Access Control (DAC)
• RBAC
• Communities of Interest (OUs, Regions, Branches, Wards)
• Separation of Duty
• Time, location
• Workflow
• Read once, read one at a time
• Non-repudiation
• Tracking access: I know who can currently access my data

Slide 16

Slide 16 text

Implementation and Scale
• Centralized policy specification over distributed resources, with local enforcement
• The policy configuration resides in PDP memory as a graph
• Accommodates billions of nodes
• Linear-time algorithms for computing decisions and conducting policy review (over the small portion of the graph that pertains to the user)

Slide 17

Slide 17 text

Policy Review and Resource Discovery
• What are the objects a user can access?
• Who can access an object?
• Why can't a user access an object?
• Personal Object System (POS) for displaying authorized objects and object attributes

Slide 18

Slide 18 text

Summary: Virtual multi-cloud enterprise
• Specify and enforce combinations of dynamic and static access control policies (e.g., DAC and RBAC) across a virtual enterprise (VE)
• Policy analytics, e.g., who has access to what objects across the VE
• Expression, enforcement, and delegation of administrative privileges over the VE policy configuration
• Centralized audit of access events across the VE
• Types of applications (web services):
  • Existing applications (e.g., .doc)
  • NGAC-enabled applications (designed with NGAC in mind)
  • Database applications

Slide 19

Slide 19 text

Demo NGAC in Service Mesh

Slide 20

Slide 20 text

http://bit.ly/TetrateQ