NIST Special Publication 800-53 (Rev. 4), “Security and Privacy Controls for Federal Information Systems and Organizations,” provides a catalog of security controls for U.S. federal information systems. Its 18 families of controls are used as best practice guidance worldwide. The “Access Control” (AC-1) control family includes 25 controls. Some of these controls require significant technical implementations. ObjectSecurity® OpenPMF™ is an advanced access control product that is ideally suited for implementing those controls. While this document specifically focuses on the AC family, it is also important for implementing many controls from other control families, such as SC-10, MP-3 and SI-4.
OpenPMF implements Attribute Based Access Control (ABAC)
OpenPMF™ implements Attribute Based Access Control (ABAC), which is defined in NIST 800-162, “Guide to Attribute Based Access Control (ABAC) Definition and Considerations”. OpenPMF’s unique “model-driven security” feature differentiates it from other ABAC solutions by providing a traceable, automated mechanism to translate human-manageable policies into machine-enforceable technical policies (in the terminology of NIST 800-162, “Natural Language Policy translation to Digital Policy”). It also distributes technical policies across the IT landscape, makes runtime access decisions at Policy Decision Points (PDPs), and enforces those decisions reliably using Policy Enforcement Points (PEPs). Furthermore, it monitors incidents and produces supporting evidence for compliance.
NIST 800-53 ‘AC’ Control Family
What it really tells you to do
OpenPMF™ helps you do it
AC-3: ACCESS ENFORCEMENT
“The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.”
Implement adequate technical access policy enforcement that controls information flows between users/processes (subjects) and resources (objects). It is important to implement this not only at a per-system granularity, but also at a finer granularity (per application/service, per data item etc.). Most importantly, technical access policy enforcement needs to reflect the applicable access control policies (note: these are almost always organization-specific policies!).
OpenPMF allows the management of human-intuitive, generic organization-specific security policies (in “models”); it automatically translates those into fine-grained, dynamic/contextual technical access policy enforcement (esp. ABAC rules); it then enforces the policy at runtime across the IT landscape, monitors incidents, and generates compliance evidence.
AC-4: INFORMATION FLOW ENFORCEMENT
“The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies”
Implement technical enforcement of specific information flow control policies to control the flow of information (1) between sources and destinations, (2) within information systems and between interconnected systems, and (3) within a security domain and cross-domain. Implement “designated policy enforcement points between interconnected systems” that enforce policy in a way that reflects the applicable access control policies. The control enhancements recommend more advanced features, e.g. using organization-defined security attributes and policies, and implementing dynamic information flow control based on organization-defined policies, such as filtering-based policies that are configurable and based on organization-defined data identifiers (AC-4(12)).
Using PDPs/PEPs, OpenPMF enforces information flow control policies between designated sources and destinations within information systems and between interconnected systems, within a security domain and cross-domain. It supports fine-grained, dynamic, contextual access policies that can include filtering/redaction.
AC-5: SEPARATION OF DUTIES
“Separate organization-defined duties of individuals; … define information system access authorizations to support separation of duties.”
Note: Separation of duties frequently changes dynamically; authorization policies therefore need to be contextual and dynamic. For example, mutually exclusive groups of staff can access information as long as there is no conflict of interest with any other information they have previously accessed (this sort of policy is very common, e.g. for law firms).
OpenPMF can implement static and dynamic separation of duties policies as part of information flow access control. Access will only be granted if the separation of duties is preserved.
AC-6: LEAST PRIVILEGE
“allow only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions”
This least privilege control clearly states that every user/process should only have access to the resources that are necessary for its legitimate purpose (“no higher than necessary”). While this looks simple, it is actually a very complex requirement that is hard to implement using traditional security technologies. As a result, the control’s supplemental guidance and control enhancements are rather weak. Note that this does not “excuse” organizations from implementing least privilege in accordance with the main control description. In particular, least privilege will by definition almost always require a dynamic, contextual access control policy solution (such as OpenPMF).
OpenPMF’s support of fine-grained, dynamic, contextual access policies makes it ideally suited for implementing least privilege access policies in information flows. This is because least privilege access decisions depend on a lot of dynamically changing data (e.g. current task, time of day etc.), which OpenPMF can abstract away from the generic, human-intuitive policies human administrators will have to manage (see: “Implementing Least Privilege for Interconnected, Agile SOAs/Clouds”, ISSA Journal, August 2012).
AC-16: SECURITY ATTRIBUTES
“… a form of metadata … representing the basic properties or characteristics of active and passive entities with respect to safeguarding information.” (“security labeling”, “security marking”)
This control may play an important enabling role for implementing the other controls covered in this whitepaper. Access control is by definition always based on some attribute(s), and labeling/marking can help implement more effective access control policy enforcement. For example, Attribute-Based Access Control (ABAC) provides a mechanism for using such security attributes for dynamic, contextual, fine-grained access control enforcement.
While OpenPMF does not assist with defining security attributes, it helps with managing attributes and using them for ABAC access control purposes. OpenPMF consumes security attributes via its Policy Information Points (PIPs). Some attributes are used at the time technical access rules are generated, others are used at runtime access decision-making.
AC-17: REMOTE ACCESS
AC-18: WIRELESS ACCESS
AC-19: ACCESS CONTROL FOR MOBILE DEVICES
“authorize remote/wireless/mobile access to the information system prior to allowing such connections”
In general, due to the “deperimeterization” trends in the IT industry, the concepts “remote” vs “local” are getting increasingly blurry, esp. with the use of cloud, mobile, bring-your-own-device, internet of things etc. Specific remote access policies should therefore be managed as part of the other, broader access policies such as least privilege.
OpenPMF can be implemented to support these specific access policies as part of the other, broader access policies such as information flow access control and least privilege.
AC-21: INFORMATION SHARING
“enable authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information; employs organization-defined automated mechanisms or manual processes to assist users in making information sharing/collaboration decisions.”
With today’s large amounts of information processing, such sharing clearly needs to be automated. The control enhancements therefore recommend that “the information system enforces information sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.” This control should therefore be managed as part of the other, broader access policies such as least privilege.
As recommended in the control enhancements, OpenPMF automatically controls information sharing based on policy.
AC-23: DATA MINING PROTECTION
“adequately detect and protect against data mining”
The supplemental guidance provides some basic information flow control policy enforcement examples, incl. filtering, throttling, and anomaly detection. Note that these policies are no different from information flow control and least privilege access control policies and should therefore be implemented as part of those.
OpenPMF supports policies that protect against data mining, such as filtering, throttling and behavior-based policies. It implements this control at the information flow access control layer, thus also protecting databases (note: a beta version of a database-specific policy enforcement point is also available).
AC-24: ACCESS CONTROL DECISIONS
“organization-defined access control decisions are applied to each access request prior to access enforcement”
Different technical entities may perform access control decisions and access enforcement. In ABAC, these are called Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs).
OpenPMF can be implemented in both ways: (1) PDPs/PEPs collocated, or (2) PDPs separate from PEPs.
AC-25: REFERENCE MONITOR
“implement a reference monitor for organization-defined access control policies that is tamperproof, always invoked, and small enough to be subject to (complete) analysis and testing”
The guidance states that reference monitors typically enforce mandatory access control (MAC) policies: subjects with certain access permissions are restricted from passing those privileges on to any other subjects, i.e. the information system strictly enforces the access control policy based on the rule set established by the policy. While MAC is defined this way, these are really two separate requirements: (1) delegation, and (2) strict enforcement. In most organizations, delegation (with strict delegation policy enforcement) should be implemented together with strict enforcement. The tamperproof and always-invoked properties prevent adversaries from compromising/bypassing the mechanism and hence violating the security policy.
OpenPMF PEPs are small pieces of software that are installed in a way that is always invoked (e.g. automatically intercepts network traffic, middleware interactions etc.), and that can be tamperproof (in a high-assurance FPGA/HSM implementation). OpenPMF can be implemented to support delegation policies, esp. when AuthoriZation Based Access Control (ZBAC) is also implemented.
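The dynamic separation-of-duties policy described under AC-5 (no access where it conflicts with information previously accessed), decided by a PDP and enforced by a separate PEP as under AC-24, is shown here as an added example. It is not OpenPMF code or its API; the class names, conflict-of-interest labels and resource names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed security attributes: resource -> conflict-of-interest class.
COI_CLASS = {
    "acme-v-globex/acme": "acme-v-globex",
    "acme-v-globex/globex": "acme-v-globex",
    "initech-merger": "initech",
}

@dataclass
class PDP:
    """Policy Decision Point: decides and logs, never touches the resource."""
    history: dict = field(default_factory=dict)  # subject -> resources already read
    audit: list = field(default_factory=list)    # decision trail kept as evidence

    def decide(self, subject, resource):
        coi = COI_CLASS.get(resource)
        decision, reason = "permit", "no conflict of interest"
        if coi is None:
            decision, reason = "deny", "unlabelled resource"  # default deny
        else:
            for prior in self.history.get(subject, ()):
                if prior != resource and COI_CLASS[prior] == coi:
                    decision, reason = "deny", f"conflicts with {prior}"
                    break
        if decision == "permit":  # a permitted read becomes part of the context
            self.history.setdefault(subject, set()).add(resource)
        self.audit.append((subject, resource, decision, reason))
        return decision

class PEP:
    """Policy Enforcement Point: every read goes through the PDP first."""
    def __init__(self, pdp, store):
        self.pdp, self.store = pdp, store
    def read(self, subject, resource):
        if self.pdp.decide(subject, resource) != "permit":
            raise PermissionError(f"{subject} denied {resource}")
        return self.store[resource]

def run_requests(requests):
    """Replay (subject, resource) requests through one PEP/PDP pair."""
    pdp = PDP()
    pep = PEP(pdp, {r: f"documents for {r}" for r in COI_CLASS})
    for subject, resource in requests:
        try:
            pep.read(subject, resource)
        except PermissionError:
            pass  # the denial is already recorded in the PDP audit trail
    return [(s, r, d) for s, r, d, _ in pdp.audit]
```

The same request (reading the Globex side of the matter) is denied for a subject who has already read the Acme side and permitted for one who has not, which is the contextual behaviour a static role assignment cannot express.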