NIST Guide Aims to Ease Access ControlNew Special Publication Explains Attribute-Based Approach
Advice on how to encourage information sharing while preserving control over access to data is provided in a new special publication from the National Institute of Standards and Technology.
NIST Special Publication 800-162 is titled Guide to Attribute-Based Access Control Definition and Consideration. Attribute-based access control, or ABAC, is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, such as a user or employee; an object, such as specific computerized resource; and requested operations.
The flexibility of the ABAC model allows the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object, according to the NIST guidance.
"Access decisions can change between requests by simply changing attribute values, without the need to change the subject/object relationships defining underlying rule sets," says NIST Computer Scientist Vincent Hu, who co-wrote the guidance. "This provides a more dynamic access control management capability and limits long-term maintenance requirements of object protections."
Example on How ABAC Works
NIST offers the following scenario to describe the workings of ABAC:
Nancy Smith, a nurse practitioner in a hospital's cardiology department, is the subject, and when hired at the medical center, she is assigned a set of attributes: her name, title and department, for instance. She's assigned access to an object, in this case, medical records of heart patients.
Resources may receive their attributes either directly from their creator or as a result of automated scanning tools. The object owner creates an access control rule to govern the set of allowable operations; for example, all nurse practitioners in the cardiology department can view the medical records of heart patients. By making the process more flexible, attributes and their values may then be modified throughout the lifecycle of subjects, objects and attributes without modifying every subject-object relationship. NIST says this process provides a more dynamic access control capability because access decisions can change between requests when attribute values change.
Hu, writing in a NIST bulletin unveiling the guidance, says ABAC enables administrators to apply access control policy without prior knowledge of a specific subject and for an unlimited number of subjects that might require access.
"As new subjects join the organization, rules and objects do not need to be modified," he says. "As long as the subject is assigned the attributes necessary for access to the required objects" - for instance, all nurse practitioners in the cardiology department - "no modifications to existing rules or object attributes are required. This benefit is often referred to as accommodating the external (and unanticipated) user and is one of the primary benefits of employing ABAC."
A simple ABAC access control scenario, as illustrated below, shows a subject requesting access to an object through an access control mechanism.
As seen in the next illustration, the enterprise must support management functions for enterprise policy development and distribution; enterprise identity and subject attributes; subject attribute sharing; enterprise object attributes; authentication; and access control mechanism deployment and distribution. The development and deployment of these capabilities require the careful consideration of a number of factors that will influence the design, security and interoperability of an enterprise ABAC solution.
The guidance offers a set of principles for attribute-based access control:
- Establish a business case for implementation;
- Understand the operational requirements and overall enterprise architecture;
- Create or refine business processes to support ABAC;
- Develop and acquire an interoperable set of capabilities; and
- Operate with efficiency.
Hu says the guidance for using ABAC serves as a first step for planners, architects and managers at federal government agencies to fulfill their information sharing and protection requirements. Though aimed at federal agencies, the guidance can be adopted by organizations outside of the U.S. government.