
Risk

2/25/2013
02:11 PM
Gunnar Peterson
Commentary

Same As It Ever Was

Trade shows, booth babes, and hype aside -- who are you, and what can you do? That is the question. Enter XACML and ABAC

You may have heard that the RSA Conference is going on this week. Who knows how good anyone's security is, but one thing you can be sure of -- there will be hype and pyrotechnics aplenty. Still, for all the buzz (and it gets dialed up each year), the process of delivering security does not change that much from one year to the next. Who are you and what can you do? That is the question on the table. Most real-world systems cannot reliably answer that question, and no amount of trade show booths and parties can mask this deficiency.

Answering the "who are you and what are you allowed to do" question has plagued the security industry at least since the dawn of the Web. In the field, we are not much closer to being able to answer these questions consistently; however, some trends look promising.

The NIST/NSA Survey of Access Control models (PDF) identified two of the primary drivers behind work on identity systems -- a move toward finer grained access control and increasing access control decisions that are policy-based (configured as opposed to hard-coded). There are a number of interesting things at work behind the drivers -- some technical in nature, some related to software manageability, and some required to close out security gaps.

As access control models evolve, we can expect the trends on finer grained access control and policy-based access control to continue. But how can an enterprise realize these goals in a real-world architecture? A good example of where to start is found in XACML. Systems that implement XACML can deploy a fine-grained attribute-based access control (ABAC) system and manage the policy rules that govern the system.

At a structural level, XACML separates the Policy Enforcement Point (PEP), which sits in front of the application as a gateway and intercepts each access request, from the Policy Decision Point (PDP), which evaluates that request against the policy rules and returns Permit, Deny, NotApplicable or Indeterminate. Attributes the request does not already carry are resolved through a Policy Information Point (PIP), and the policies themselves are authored and managed through a Policy Administration Point (PAP). Making access control decisions based on fine-grained attributes is not new. Almost all applications already do this. So why is it a big deal now?

Authorization governs who has access to what. As much focus as authentication gets, for better or worse authorization is really the heart and soul of access control. (Read the OWASP Top Ten -- you will find many authorization fails.) Pulling authorization logic out of code and into configurable policy rules means that the rules can be reviewed and audited. Further, it's often the case that developers are not the people who know what policy and rules should govern access in the first place. Removing some access rules from code enables other people to assist in this effort.
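The PEP/PDP split described above, and the point that rules can live as reviewable data outside the application, as an added example that is not from the article or from any XACML product: a small Python model of the decision flow, with a constructed directory standing in for the PIP and a constructed patient-record policy standing in for what a PAP would produce. The subject names, attributes and rules are assumptions made for illustration.

```python
"""Minimal attribute-based access control (ABAC) decision flow modelled on
XACML's PEP / PDP / PIP / PAP split.  Added illustration, not code from the
article or from any XACML implementation; the directory, policy and requests
below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# --- Policy Information Point: supplies attributes the request did not carry.
# Constructed sample directory; a real PIP would query LDAP, HR, a CMDB, etc.
DIRECTORY: Dict[str, Dict[str, Any]] = {
    "alice": {"role": "clinician", "department": "cardiology", "clearance": 2},
    "bob":   {"role": "billing",   "department": "finance",    "clearance": 1},
}

def pip_lookup(subject_id: str) -> Dict[str, Any]:
    # KeyError deliberately propagates: an unknown subject has no attributes,
    # and "no attributes" must never quietly turn into a permit.
    return DIRECTORY[subject_id]

@dataclass
class Request:
    subject: Dict[str, Any]
    resource: Dict[str, Any]
    action: str
    environment: Dict[str, Any] = field(default_factory=dict)

@dataclass
class Rule:
    effect: str                          # PERMIT or DENY
    condition: Callable[[Request], bool]
    description: str = ""

def evaluate_rule(rule: Rule, req: Request) -> str:
    try:
        return rule.effect if rule.condition(req) else NOT_APPLICABLE
    except Exception:                    # missing attribute, type mismatch, PIP outage
        return INDETERMINATE

def deny_overrides(rules: List[Rule], req: Request) -> str:
    """Rule-combining algorithm in the spirit of XACML deny-overrides: any Deny
    wins; otherwise an Indeterminate outranks Permit.  Simplified: XACML 3.0
    also tracks which effect an Indeterminate rule would have produced."""
    results = [evaluate_rule(r, req) for r in rules]
    if DENY in results:
        return DENY
    if INDETERMINATE in results:
        return INDETERMINATE
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE

# --- Policy Administration Point output: rules live as data, outside the app.
# Constructed sample policy for a patient-record service.
RECORD_POLICY: List[Rule] = [
    Rule(DENY,
         lambda r: r.resource["type"] == "patient_record"
         and r.subject["department"] != r.resource["department"],
         "records are department-scoped"),
    Rule(DENY,
         lambda r: r.resource["sensitivity"] > r.subject["clearance"],
         "sensitivity must not exceed subject clearance"),
    Rule(PERMIT,
         lambda r: r.resource["type"] == "patient_record"
         and r.subject["role"] == "clinician"
         and r.action in ("read", "update"),
         "clinicians may read and update records"),
]

# --- Policy Decision Point: evaluates a request against a policy.
def pdp_decide(policy: List[Rule], req: Request) -> str:
    return deny_overrides(policy, req)

# --- Policy Enforcement Point: the gateway in front of the application.
def pep_decision(subject_id: str, action: str, resource: Dict[str, Any],
                 policy: List[Rule] = RECORD_POLICY) -> str:
    """Resolve the subject's attributes via the PIP, build the request and ask
    the PDP.  Returns the raw decision so the enforcement rule stays visible."""
    try:
        subject = {"id": subject_id, **pip_lookup(subject_id)}
    except KeyError:
        return INDETERMINATE
    return pdp_decide(policy, Request(subject, resource, action))

def pep_allows(subject_id: str, action: str, resource: Dict[str, Any]) -> bool:
    # Fail closed: only an explicit Permit opens the gate.  Deny, NotApplicable
    # and Indeterminate all block, which is the check a PEP most often gets wrong.
    return pep_decision(subject_id, action, resource) == PERMIT

if __name__ == "__main__":
    record = {"type": "patient_record", "department": "cardiology", "sensitivity": 1}
    for who in ("alice", "bob", "mallory"):
        print(who, "read cardiology record:", pep_decision(who, "read", record))
```

The part worth copying is the last function: the PEP treats anything other than an explicit Permit as a denial, so a missing attribute or a PIP outage fails closed instead of open. In a real deployment the rules would be written in XACML's policy language and handed to a PDP engine, and the application would never see them; the combining algorithm and the fail-closed check at the PEP are the same idea at that scale.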

Configuring rules rather than hard-coding them has been a recurring theme in software development for decades; it's time for security to get on the bus, and authorization rules are a good place to start. This is not a new, shiny tool or pizza box. It's not glamorous or dramatic. The rule structure for authorization is simple. Its role in security architecture is fundamental, yet often ignored by security teams. Gaps in authorization are, however, not ignored by attackers -- they are actively sought after and often easily found. Improving authorization is not a glamor detail, but it's essential to building stronger systems.

Gunnar Peterson is a Managing Principal at Arctec Group. Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com.
