Risk
2/25/2013
02:11 PM
Gunnar Peterson
Gunnar Peterson
Commentary
50%
50%

Same As It Ever Was

Trade shows, booth babes, and hype aside -- who are you, and what can you do? That is the question. Enter XACML and ABAC

You may have heard that the RSA Conference is going on this week. Who knows how good anyone's security is, but one thing you can be sure of -- there will be hype and pyrotechnics aplenty. Still, for all the buzz (and it gets dialed up each year), the process of delivering security does not change that much from one year to the next. Who are you and what can you do? That is the question on the table. Most real-world systems cannot reliably answer that question, and no amount of trade show booths and parties can mask this deficiency.

Answering the who are you and what are you allowed to do question has plagued the security industry at least since the dawn of the Web. In the field, we are not that much closer to being ably to consistently answer these questions; however, some trends look promising.

The NIST/NSA Survey of Access Control models (PDF) identified two of the primary drivers behind work on identity systems -- a move toward finer grained access control and increasing access control decisions that are policy-based (configured as opposed to hard-coded). There are a number of interesting things at work behind the drivers -- some technical in nature, some related to software manageability, and some required to close out security gaps.

As access control models evolve, we can expect the trends on finer grained access control and policy-based access control to continue. But how can an enterprise realize these goals in a real-world architecture? A good example of where to start is found in XACML. Systems that implement XACML can deploy a fine-grained attribute-based access control (ABAC) system and manage the policy rules that govern the system.

At a structural level, XACML separates the Policy Enforcement Point (PEP), which effectively operates as a gateway or entry point to the app, from the Policy Decision Point (PDP), which resolves the attributes the rules use to define access control decisions. Making access control decisions based on fine-grained attributes is not new. Almost all applications already do this. So why is it a big deal now?

Authorization governs who has access to what. As much focus as authentication gets, for better and worse authorization is really the heart and soul of access control. (Read the OWASP Top Ten -- you will find many authorization fails.) Pulling authorization logic out of code and into configurable policy rules means that they can be reviewed and audited. Further, it's often the case that developers are not the people who know what policy and rules should govern access in the first place. Removing some access rules from code enables other people to assist in this effort.

Configuring rules rather than hard-coding them has been a recurring theme in software development for decades; it's time for security to get on the bus, and authorization rules are a good place to start. This is not a new, shiny tool or pizza box. It's not glamorous or dramatic. The rule structure for authorization is simple. Its role in security architecture is fundamental, yet often ignored by security teams. Gaps in authorization are, however, not ignored by attackers -- they are actively sought after and often easily found. Improving authorization is not a glamor detail, but it's essential to building stronger systems.

Gunnar Peterson is a Managing Principal at Arctec Group Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.