Implementing Proximity-Based Access Control (PBAC) using Model-Driven Security

Home|Implementing Proximity-Based Access Control (PBAC) using Model-Driven Security

A particularly advanced and highly useful access control approach we have designed and implemented using Model-Driven Security (MDS) is Proximity-Based Access Control (PBAC) . The PABC approach is a highly innovative access control method where information provided to a subject is determined need-to-know based on proximity attributes. It goes far beyond traditional devices access based on physical proximity:

Definition: Proximity-Based Access Control (PBAC) is access control using policies that are based on the relative proximity/distance (calculated by a distance calculation function) between one or more proximity attributes associated with an accessor and one or more proximity attributes associated with an accessed resource.  PBAC is not just about physical proximity, but can involve many proximity dimensions: Geo-Location/Geospatial; Organizational; Operational; Temporal; Business Process; Security; Risk; Social; Information etc.

Rich, dynamic, contextual, and generic policies can be expressed and enforced if attribute and calculation services can be made available to the PBAC system: For example, geospatial proximity may not be calculated based on the physical location of the requesting user and the requested resource, but for example based on the geospatial area the user’s assigned task pertains to, and the geospatial area the requested information resource pertains to: “Team leaders can access all resources which pertain to a geospatial area that overlaps at least 70% with the geospatial area associated with the requestor’s assigned task”. Or “crime analysts working on a task pertaining to a criminal can access all resources pertaining to criminals known to be within 2 hops proximity on the criminal social graph”.

PBAC needs Model-Driven Security (MDS) because of PBAC’s complex policy implementation details – most conventional access control mechanisms do not support the features required to implement PBAC. Or it would be too cumbersome and error-prone to manually implement/maintain generic PBAC policies using conventional access control mechanisms.

Note that PBAC is an extension of Model-Driven Security and Attribute-Based Access Control (ABAC). PBAC differs technically from non-PBAC Attribute-Based Access Control (ABAC) systems in that a relative distance calculation function exists between attributes associated with the requesting subject, the action and/or the requested resource. OpenPMF MDS generates machine-enforceable access and logging rules that are enforced by OpenPMF’s ABAC runtime infrastructure, consisting of Policy Access Points, Policy Decision Points, Policy Enforcement Points, Attribute Source Services, Calculation Services, and Mapper Services etc. OpenPMF typically deploys a PDP/PEP/PIP combination on each protected node for robustness and security reasons.

ObjectSecurity OpenPMF is by far the most advanced model-driven security product in the market. MDS generates technical security policy rules and accreditation evidence from models, using model-driven approaches.  MDS is “the tool supported process of modelling security requirements at a high level of abstraction, and using other information sources available about the system (produced by other stakeholders). These inputs, which are expressed in Domain Specific Languages (DSL), are then transformed into enforceable security rules with as little human intervention as possible. It also includes the run-time security management (e.g. entitlements / authorizations), i.e. run-time enforcement of the policy on the protected IT systems, dynamic policy updates and the monitoring of policy violations.” (source: Wikipedia, and this blog)

Please contact us here if you would like to learn more about Proximity-Based Access Control and how to implement it using MDS.

 

 

By |May 20th, 2016|