Guidance Aims to Ease Access Control
NIST Outlines Attribute-Based Approach
Improving information sharing while maintaining control over access to that information is a primary goal of new guidance coming from the National Institute of Standards and Technology.
NIST has issued a draft of NIST Special Publication 800-162: Guide to Attribute Based Access Control Definition and Consideration. Attribute-based access control, or ABAC, is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject (a user or employee, for instance), object (a specific computerized resource) and requested operations.
The policies that can be implemented in an ABAC model are limited only to the degree imposed by the computational language. This flexibility allows the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object.
NIST offers the following scenario to describe the workings of ABAC:
Nancy Smith, a nurse practitioner in a hospital's cardiology department, is the subject, and when hired at the medical center, she is assigned a set of attributes: her name, title and department, for instance. She's assigned access to an object, in this case, medical records of heart patients.
Resources may receive their attributes either directly from their creator or as a result of automated scanning tools. The object owner creates an access control rule to govern the set of allowable operations; for example, all nurse practitioners in the cardiology department can view the medical records of heart patients. This makes the process more flexible: attributes and their values may then be modified throughout the lifecycle of subjects, objects and attributes without modifying every subject-object relationship. NIST says this process provides a more dynamic access control capability because access decisions can change between requests when attribute values change.
NIST says this process allows administrators to apply access control policies without prior knowledge of the specific user and for an unlimited number of users that might require access. As new employees join the organization, rules and objects needn't be modified.
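The nurse-practitioner scenario above, as an added example that is not part of the NIST draft or this article: a minimal deny-by-default ABAC decision function whose single rule refers only to attributes, so a department transfer or a new hire changes the decision without any edit to the rule or the record. Attribute names and values are assumptions made here, not terminology from the draft.

```python
# Constructed example: policy rules are written purely in terms of attributes;
# no rule names a particular user or a particular record.
RULES = [
    {
        "subject": {"title": "nurse practitioner", "department": "cardiology"},
        "object": {"type": "medical record", "patient_condition": "heart"},
        "operations": {"view"},
    },
]


def attributes_match(required, actual):
    """True when every required attribute is present with the required value."""
    return all(actual.get(name) == value for name, value in required.items())


def is_permitted(subject, obj, operation, rules=RULES):
    """Deny by default; permit only if some rule grants the requested operation."""
    return any(
        attributes_match(rule["subject"], subject)
        and attributes_match(rule["object"], obj)
        and operation in rule["operations"]
        for rule in rules
    )


def demo():
    """Evaluate the same rule set against several requests; returns the decisions."""
    heart_record = {"type": "medical record", "patient_condition": "heart"}
    nancy = {"name": "Nancy Smith", "title": "nurse practitioner",
             "department": "cardiology"}
    # A new hire with the same attributes needs no change to rules or objects.
    new_hire = {"name": "Constructed Name", "title": "nurse practitioner",
                "department": "cardiology"}
    # Only Nancy's department attribute changes; the rule and the record do not.
    nancy_transferred = {**nancy, "department": "oncology"}
    return {
        "nancy_view": is_permitted(nancy, heart_record, "view"),
        "nancy_update": is_permitted(nancy, heart_record, "update"),
        "new_hire_view": is_permitted(new_hire, heart_record, "view"),
        "after_transfer_view": is_permitted(nancy_transferred, heart_record, "view"),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {'PERMIT' if decision else 'DENY'}")
```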
The diagram below illustrates a simple ABAC access control scenario, in which a subject requests access to an object through an access control mechanism.
The next illustration shows the complexity of ABAC within an enterprise. According to the draft guidance, the enterprise must support management functions for enterprise policy development and distribution, enterprise identity and subject attributes, subject attribute sharing, enterprise object attributes, authentication and access control mechanism deployment and distribution. The development and deployment of these capabilities require the careful consideration of a number of factors that will influence the design, security and interoperability of an enterprise ABAC solution.
The draft guidance offers a set of principles for ABAC:
- Establish a business case for implementation;
- Understand the operational requirements and overall enterprise architecture;
- Create or refine business processes to support ABAC;
- Develop and acquire an interoperable set of capabilities; and
- Operate with efficiency.
Stakeholders who have comments on the draft publication should send them to Vincent.Hu.@nist.gov by May 31. NIST usually publishes a final version of the guidance several months after receiving comments.