Presentation is loading. Please wait.

Presentation is loading. Please wait.

11 Restricting key use with XACML* for access control * Zack’-a-mul.

Published byJob Garrett Modified over 9 years ago

Similar presentations

Presentation on theme: "11 Restricting key use with XACML* for access control * Zack’-a-mul."— Presentation transcript:

1 11 Restricting key use with XACML* for access control * Zack’-a-mul

2 22 Introduction  Hardware based encryption protects mostly against physical theft or HW repurposing.  I don’t think XACML is natural for storage hardware, as most context attributes are not available.  Insider protection may require access control at O/S and/or application layers.  There is a trend to externalize access rules from the application image to allow central change without requiring repackaging/reinstalling the app.  Reduce cost of changes  Consistent application  Combining these with encryption keys is a natural association  Enable audit

3 33 Example Use case - EKM client on host acts as a local key services provider  Manages EKM server communication  Manages Key caching, discovery and use of any onboard capabilities (HSM, crypto accelerator, etc.)  Manages Logs and events for uploading  May assume responsibility for other key policies  XACML might be used to express restrictions which start beyond the EKM client.  May provide keys or crypto services to apps  Could shim in, or expose simple API for local apps  While it is the authorized recipient of keys from EKM, subsequent distribution or use of them is restricted by local context only available at request time.

4 44 Sample access control  Patient medical care application has PII encrypted by a key from the EKM  “The primary physician can have any of her patients' medical records sent to a specialist in the same practice.”  “Anyone can view their own encrypted 401K information, but nobody else’s”  Only oracle.exe with DataVault can read.dbs files  Only abc.exe can access particular band on particular encrypting device.

5 55 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language  http://docs.oasis-open.org/xacml/2.0/access_control- xacml-2.0-core-spec-os.pdf 103 pgs. http://docs.oasis-open.org/xacml/2.0/access_control- xacml-2.0-core-spec-os.pdf  Example: Provide this key if the running exe is backup.exe and its signature is in this set of signatures and the user id is Sysadmin and attribute “dept” [obtained from backup.exe] = “HRbackup”

6 66 Common terms  PAP – Policy Administration Point. This would be the EKM  PDP - Policy Decision Point. An entity that evaluates an access request against one or more policies to produce an access decision. This is essentially a rules engine.  PEP – Policy Enforcement Point. An entity that enforces access control for one or more resources. When a resource access is attempted, a PEP sends an access request describing the attempted access to a PDP. The PDP returns an access decision that the PEP then enforces.  Policy – A set of rules indicating which subjects are permitted to access which resources using which actions under which conditions. XACML has two different schema elements used for policies: and. A contains actual access control rules.

7 77 Typical XACML components

8 88 Factors in rules  Common notion of SUBJECT, RESOURCE, ACTION Attributes used in rules  Must be able to define factors applicable to end points  Rules have different combination algorithms, such as first applicable [IMHO, Sufficient], or deny-overrides.  When a rule fires, the PEP must execute the rule’s “Obligations”. From our focus, may be things such as  Decrypt  Audit  If you can’t execute an obligation, service denied

9 99 Basic role of a PEP (Policy Enforcement Point)  An application functions in the role of the PEP if it guards access to a set of resources and asks the PDP for an authorization decision.  Recommend “Deny-biased” PEP approach  If the decision is "Permit", then the PEP SHALL permit access. If obligations accompany the decision, then the PEP SHALL permit access only if it understands and it can and will discharge those obligations.  All other decisions SHALL result in the denial of access.  Note: other actions, e.g. consultation of additional PDPs, reformulation/resubmission of the decision request, etc., are not prohibited..  PEP might be a consuming application or the EKM client

10 10 Implementation issues  Five open source implementations available  – Two announced in the last month  Numerous Product Statements  We may want to define a subset more easily implemented without full blown PDP  Federated Policy Administration may be overkill  – Multiple policies applicable to same situation  – Combining rules to resolve conflicts  Evaluating complex rules against raw XML is slow  Many optimization opportunities  – Policy encoding  – Request context  – Partial evaluation  – Decision Caching

Download ppt "11 Restricting key use with XACML* for access control * Zack’-a-mul."

Similar presentations

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Access Control Methodologies

Access Control Methodologies
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.

Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
OASIS Reference Model for Service Oriented Architecture 1.0

OASIS Reference Model for Service Oriented Architecture 1.0
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
1 Introduction Introduction to database systems Database Management Systems (DBMS) Type of Databases Database Design Database Design Considerations.

1 Introduction Introduction to database systems Database Management Systems (DBMS) Type of Databases Database Design Database Design Considerations.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Lecture 7 Access Control

Lecture 7 Access Control
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Similar presentations

Ads by Google