
2/25/2013
02:11 PM
Gunnar Peterson
Commentary

Same As It Ever Was

Trade shows, booth babes, and hype aside -- who are you, and what can you do? That is the question. Enter XACML and ABAC.

You may have heard that the RSA Conference is going on this week. Who knows how good anyone's security is, but one thing you can be sure of -- there will be hype and pyrotechnics aplenty. Still, for all the buzz (and it gets dialed up each year), the process of delivering security does not change that much from one year to the next. Who are you and what can you do? That is the question on the table. Most real-world systems cannot reliably answer that question, and no amount of trade show booths and parties can mask this deficiency.

Answering the "who are you, and what are you allowed to do?" question has plagued the security industry at least since the dawn of the Web. In the field, we are not that much closer to being able to consistently answer these questions; however, some trends look promising.

The NIST/NSA Survey of Access Control models (PDF) identified two of the primary drivers behind work on identity systems -- a move toward finer-grained access control and a growing share of access control decisions that are policy-based (configured as opposed to hard-coded). There are a number of interesting things at work behind the drivers -- some technical in nature, some related to software manageability, and some required to close out security gaps.

As access control models evolve, we can expect the trends on finer grained access control and policy-based access control to continue. But how can an enterprise realize these goals in a real-world architecture? A good example of where to start is found in XACML. Systems that implement XACML can deploy a fine-grained attribute-based access control (ABAC) system and manage the policy rules that govern the system.

At a structural level, XACML separates the Policy Enforcement Point (PEP), which effectively operates as a gateway or entry point to the app, from the Policy Decision Point (PDP), which resolves the attributes the rules use to define access control decisions. Making access control decisions based on fine-grained attributes is not new. Almost all applications already do this. So why is it a big deal now?

Authorization governs who has access to what. As much focus as authentication gets, for better and worse authorization is really the heart and soul of access control. (Read the OWASP Top Ten -- you will find many authorization fails.) Pulling authorization logic out of code and into configurable policy rules means that they can be reviewed and audited. Further, it's often the case that developers are not the people who know what policy and rules should govern access in the first place. Removing some access rules from code enables other people to assist in this effort.
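The PEP/PDP split and the externalized rules described above, as an added sketch that is not from the original article: the JSON rule layout, the attribute names, and the helper `request` are hypothetical and far simpler than real XACML policy syntax. The decision values (Permit, Deny, NotApplicable) and the deny-overrides combining behavior follow XACML's model.

```python
import json

# Constructed policy: rules are data, so they can be reviewed without reading app code.
# The JSON layout is hypothetical and much simpler than real XACML policy syntax.
POLICY = json.loads("""[
  {"id": "clinician-reads-own-dept", "effect": "Permit", "action": "read",
   "subject": {"role": "clinician"}, "resource": {"type": "record"},
   "same": [["subject.department", "resource.department"]]},
  {"id": "sealed-records", "effect": "Deny", "action": "*",
   "subject": {}, "resource": {"sealed": true}, "same": []}
]""")

def _has(required, actual):
    """True when every attribute the rule names is present with that value."""
    return all(actual.get(name) == value for name, value in required.items())

def _attr(request, dotted):
    category, name = dotted.split(".")
    return request[category].get(name)

def _applies(rule, request):
    if rule["action"] not in ("*", request["action"]):
        return False
    if not (_has(rule["subject"], request["subject"])
            and _has(rule["resource"], request["resource"])):
        return False
    # A missing attribute never satisfies an equality condition.
    return all(_attr(request, a) is not None and _attr(request, a) == _attr(request, b)
               for a, b in rule["same"])

def pdp_decide(policy, request):
    """Policy Decision Point: deny-overrides; NotApplicable when no rule applies."""
    decision, rule_id = "NotApplicable", None
    for rule in policy:
        if _applies(rule, request):
            if rule["effect"] == "Deny":
                return "Deny", rule["id"]
            decision, rule_id = "Permit", rule["id"]
    return decision, rule_id

def pep_enforce(policy, request):
    """Policy Enforcement Point: only an explicit Permit lets the request through."""
    decision, rule_id = pdp_decide(policy, request)
    return decision == "Permit", decision, rule_id

def request(role, dept, action, res_dept, sealed=False):
    return {"action": action,
            "subject": {"role": role, "department": dept},
            "resource": {"type": "record", "department": res_dept, "sealed": sealed}}
```

Returning the matching rule id alongside the decision gives an auditor a direct line from each allow or deny back to the reviewed policy entry.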

Configuring rules rather than hard-coding them has been a recurring theme in software development for decades; it's time for security to get on the bus, and authorization rules are a good place to start. This is not a new, shiny tool or pizza box. It's not glamorous or dramatic. The rule structure for authorization is simple. Its role in security architecture is fundamental, yet often ignored by security teams. Gaps in authorization are, however, not ignored by attackers -- they are actively sought after and often easily found. Improving authorization is not a glamor detail, but it's essential to building stronger systems.

Gunnar Peterson is a Managing Principal at Arctec Group. Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com.
