Tag / access control

by Shawn McKinney

Why another open source iam product?

A question that has been lingering.  It’s fair game, but before I get around to actually answering, let’s remember how we got here.

Late 90’s

Before the first open source iam product existed we had standard policy enforcement protocols in use.  Examples include Java’s ee security & jaas. Unix had PAM, sudo and kerberos.  Windows, NTLM and SPNEGO.  There were web-based protocols like HTTP basic auth and ISAPI.

IAM Complete Solution Defined

Those policy enforcement mechanisms didn’t meet the wider requirements of a complete solution:

  • extensible and pluggable policy enforcement services
  • centralized policy decision point services
  • common policy administration services
  • common policy information services
  • audit and review capabilities

The gaps made us scramble to meet the need.

Early to Mid 2000’s

Commercial vendors ruled.  Several more policy enforcement protocols appeared including liberty, saml, ws-*, xmlsecurity and xacml.  Those in need either built or bought because open source iam solutions were barely in existence.

There were many open source projects that provided the legos to build with.

2008

The era of opportunity for open source innovation.  Most of the technical problems were solved.  All one had to do was assemble a solution using the building blocks available in the public domain.

But not another access control framework.  Needed a complete solution.

2009

As code construction commenced on fortress, many open source policy enforcement frameworks became widely used, such as spring security and opensso, but still no complete solution.

2011

Around the the time of the first fortress release the situation changed.  Sun’s merger with Oracle foretold the end of the commercial vendor stranglehold creating a void in which companies like Symas, Linagora, Evolveum, and Tirasa sprung complete solutions.

Today

Now that we have several complete open source iam solutions on the market, the industry continues to focus on policy enforcement standards, the latest being oauth, uma and open id connect.

But we continue to struggle because uniform policy enforcement is the tip of iceberg.  More benefit comes through shared policy decision and admin services.  This promotes reuse of infrastructure and data across organizational, vendor and platform boundaries.

Tomorrow

Policy enforcement protocols will continue to be volatile and ill-equipped.

Standards-based policy decision and admin services will continue to be needed.

So that Vendor A’s PEP can plug into Vendor B’s PDP, and Vendor C’s PAP can plug in Vendor D’s PIP.

Why Fortress

Based on ansi incits 359, our best hope for standardizing the complete iam solution.

by Shawn McKinney

Year of the Hack

2014 will be remembered as the Year of the hack.

Sony, Target, Home Depot, UPS, even Victoria couldn’t keep the Secret.

The list:

http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf

This article will tell you how to stay off.

What Has Already Been Tried

First let’s have a look at what’s already being done.

I. FirewallsIntrusion Detection

The perimeter has shattered.  Firewalls won’t stop someone who has credentials–attacks within the interior of a network.

“Myth: Firewalls make your data secure.  In fact, 40% of Internet break-ins occur in spite of a firewall being in place.

Data Security Challenges – Oracle9i Security Review

II. Stong AuthenticationMulti-factor Authentication / Single Sign-on

Often times bad things are committed by those with proper credentials.  Do not base your entire defense on the front door.

“Neither top secret clearance, sophisticated authentication nor the most advanced encrypted information systems can necessarily stop an intended breach action. These security procedures are not designed to detect real-time actions and anomalous business processes from authorized personnel. These practices are just the “moat around the castle” approach upon which most current cybersecurity technologies are based. Current national security breaches clearly show we need to do more.”

Is Cyber Security an Inside Job? – Larry Karisny – Digital Communities

III. Antivirus Software

Doesn’t stop attacks in-flight.  By the time a new virus has been identified, two more have spawned.

In the bigger picture, furthermore, the anti-virus software was irrelevant, contends Chester Wisniewski, a senior security advisor at anti-virus vendor Sophos. “A smart attacker in a targeted environment will always bypass your anti-virus,” he says, and especially if they’re trying to take down a retailer the size of Home Depot.

Analysis: Home Depot Breach Details – Mathew J Schwartz – Bank Info Security

These practices aren’t necessarily wrong, but they aren’t fixing the problem either.

The Problem

So what exactly is the problem?

A determined attack will gain access to your network – count on it.  It’s impossible for you to harden every entry point.  Find a way to minimize damage once the inevitable unauthorized entry occurs.

“Organizations should stop thinking about breach prevention, accept their going to be breached, change their mindset, and think about how they will protect and store their data.”

Stop Worrying About Data Breach Protection – Info Security Magazine

The Solution

You must boost efforts across the following:

I. Authorization

The access controls commonly used today are inadequate.  Let’s take a prime example:  How did a low-level, government contractor download terabytes of highly sensitive data from the NSA?

Organizations that lack these controls are vulnerable to attacks waged by individuals who have legitimate accounts on the network but seek to misuse their access for malicious purposes. This risk, known as the “insider threat” is one of the most insidious causes of data breaches.

How to avoid the five most common causes of data breaches – Mike Chappel – Certification Magazine

Add mandatory access control checks to all interfaces connected over Internet – including those downstream of secured.

II. Audit trail

If an action is important enough to guard with a policy enforcement point, it should be logged.

“The most important step that you can take to protect your organization against improperly configured access controls is to perform regular auditing.”

How to avoid the five most common causes of data breaches – Mike Chappel – Certification Magazine

Log the resource, operation, subject id, ip, location, time, date and result.

III. Periodic Review

Circulate daily reports.  Think about the results.  Devise heuristic algorithms to detect anomalies automatically.

IV. Confidentiality

Encryption enabled should be the default setting for ALL network connections – even test environments.  Don’t worry about the cost.  Consider it cheap insurance.

“In the aftermath of security breaches at Target, Home Depot, and JP Morgan Chase, executives are reexamining their data breach risks. Hacksurfer reports on a recent survey of IT professionals that found 53 percent of organizations were investing more in data security after these high-profile cyber attacks.”

In Data Security, Compliance Isn’t Enough – Max Schleicher – TechInsurance

Encrypt data in-flight and sensitive data at rest.  Hash passwords.

by Shawn McKinney

ABAC – Where are the Functional Specs?

As a security architect I have long-awaited the means to express authorization policies using dynamic constraints – in a standard way. Over the years there have not been many models to choose from.

First came A Resource Access Decision Service, which had promise, but departed with CORBA.

Next came eXtensible Access Control Markup Language (XACML).  Some believe it dead, and there are those who continue to promote.  The jury is out.

What do you think about XACML?

Now the buzz is Attribute-Based Access Control (ABAC).

Blurring the lines, supposedly XACML implements ABAC, because attributes combine with decisions.

There are commonalities across the three models:

  1. Grammar to express very fine-grained access control policies.
  2. Rules containing variables captured from subjects and resources.  Facts such as location, time and date included.
  3. Adjudication when rules combine or clash.
  4. Separation into multiple components, e.g. Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Information Point (PIP).

The promise is reuse.

So where are the functional specs?  I must understand and share.

“Despite the clear guidance to implement contextual (risk adaptive) role or attribute based access control ABAC, to date there has not been a comprehensive effort to formally define or guide the implementation of ABAC”
NIST – ATTRIBUTE BASED ACCESS CONTROL (ABAC)

Ruh roh.

Until formal specifications are drafted, ABAC is useless because it’s non-standard and/or proprietary.

Back to square one – awaiting an industry standard dynamic authorization model.

by Shawn McKinney

Using Roles for Access Control is not RBAC

I hear this kind of statement all the time:  ‘We use Roles/Groups for access control in our systems and applications so we’re RBAC’.

My response is an emphatic:  ‘No – using roles for access control is not Role-Based Access Control!’

The first is an anti-pattern, the second a best practice.  Let me explain.

RBAC is not a generic term.  It refers to a specification, ANSI INCITS 359, with explicit instructions to implement.  There are many posts that offer detailed explanation – including:

https://directory.apache.org/fortress/user-guide/1-intro-rbac.html

To be considered RBAC compliant an access management system, at a minimum, supports the following entities: Users, Roles, Permissions (mapping between objects and operations) and, most important – Sessions.

Sessions are the context for which role activation occurs.  Just because a role has been assigned, does not mean it should be included into a particular access control decision.

This is in keeping with the principle of least privilege:  Only give the user the power needed to complete their job at any particular point in time – and no more.

Doing this satisfies a multitude of requirements and we’ll talk about some in future posts.

So unless your access control system supports the session contextual object – stop calling it RBAC.

But there’s much more to it than that.  RBAC specification defines the interfaces necessary for CRUD and interrogation operations.  One of the most important:

userPermissions(User)

This returns all permissions authorized for a user via their role assignments.  And another:

authorizedPermissionUsers(Permission)

Crucial during audits – which users have access to a particular system resource?  If you cannot answer this question your system lacks integrity.  Many access management systems cannot accomplish these basic operations.

RBAC also defines the interface used during runtime policy enforcement operations.  For example:

sessionPermissions(Session)

This returns all permissions authorized for a user via their role activations.  Used by apps to cache entitlements during runtime.  Without the Session entity it cannot be done.   If yours cannot do this – stop calling it RBAC.

Finally there is this:

Placing roles within the access control decision paints you into a corner.  This operation usually looks something like:

isUserInRole(RoleName)  <— this is ok for coarse-grain but not fine-grained authZ

What if the roles change?  Every change requires (some variation of) a recompile and redeployment of the application.  Worse, you will need to create too many of them which pollutes your system and complicates the administration processes.

There is a better way – use a permission semantic:

checkAccess(Session, Permission)

This allows the policy enforcement point to be decoupled from the policy decision point.  If the roles needed to access that resource change, the application doesn’t.

If your access management system does not do these things – stop calling it RBAC!

More to come….