Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/25/2013
02:11 PM
Gunnar Peterson
Gunnar Peterson
Commentary
50%
50%

Same As It Ever Was

Trade shows, booth babes, and hype aside -- who are you, and what can you do? That is the question. Enter XACML and ABAC

You may have heard that the RSA Conference is going on this week. Who knows how good anyone's security is, but one thing you can be sure of -- there will be hype and pyrotechnics aplenty. Still, for all the buzz (and it gets dialed up each year), the process of delivering security does not change that much from one year to the next. Who are you and what can you do? That is the question on the table. Most real-world systems cannot reliably answer that question, and no amount of trade show booths and parties can mask this deficiency.

Answering the who are you and what are you allowed to do question has plagued the security industry at least since the dawn of the Web. In the field, we are not that much closer to being ably to consistently answer these questions; however, some trends look promising.

The NIST/NSA Survey of Access Control models (PDF) identified two of the primary drivers behind work on identity systems -- a move toward finer grained access control and increasing access control decisions that are policy-based (configured as opposed to hard-coded). There are a number of interesting things at work behind the drivers -- some technical in nature, some related to software manageability, and some required to close out security gaps.

As access control models evolve, we can expect the trends on finer grained access control and policy-based access control to continue. But how can an enterprise realize these goals in a real-world architecture? A good example of where to start is found in XACML. Systems that implement XACML can deploy a fine-grained attribute-based access control (ABAC) system and manage the policy rules that govern the system.

At a structural level, XACML separates the Policy Enforcement Point (PEP), which effectively operates as a gateway or entry point to the app, from the Policy Decision Point (PDP), which resolves the attributes the rules use to define access control decisions. Making access control decisions based on fine-grained attributes is not new. Almost all applications already do this. So why is it a big deal now?

Authorization governs who has access to what. As much focus as authentication gets, for better and worse authorization is really the heart and soul of access control. (Read the OWASP Top Ten -- you will find many authorization fails.) Pulling authorization logic out of code and into configurable policy rules means that they can be reviewed and audited. Further, it's often the case that developers are not the people who know what policy and rules should govern access in the first place. Removing some access rules from code enables other people to assist in this effort.

Configuring rules rather than hard-coding them has been a recurring theme in software development for decades; it's time for security to get on the bus, and authorization rules are a good place to start. This is not a new, shiny tool or pizza box. It's not glamorous or dramatic. The rule structure for authorization is simple. Its role in security architecture is fundamental, yet often ignored by security teams. Gaps in authorization are, however, not ignored by attackers -- they are actively sought after and often easily found. Improving authorization is not a glamor detail, but it's essential to building stronger systems.

Gunnar Peterson is a Managing Principal at Arctec Group Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9016
PUBLISHED: 2020-02-16
Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
CVE-2020-9013
PUBLISHED: 2020-02-16
Arvato Skillpipe 3.0 allows attackers to bypass intended print restrictions by deleting <div id="watermark"> from the HTML source code.
CVE-2020-9007
PUBLISHED: 2020-02-16
Codoforum 4.8.8 allows self-XSS via the title of a new topic.
CVE-2020-9012
PUBLISHED: 2020-02-16
A cross-site scripting (XSS) vulnerability in the Import People functionality in Gluu Identity Configuration 4.0 allows remote attackers to inject arbitrary web script or HTML via the filename parameter.
CVE-2019-20456
PUBLISHED: 2020-02-16
Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, and Goverlan Client Agent before 9.20.50 have an Untrusted Search Path that leads to Command Injection and Local Privilege Escalation via DLL hijacking.