Publication


Featured research published by Ramaswamy Chandramouli.


ACM Transactions on Information and System Security | 2001

Proposed NIST standard for role-based access control

David F. Ferraiolo; Ravi S. Sandhu; Serban I. Gavrila; D. Richard Kuhn; Ramaswamy Chandramouli

In this article we propose a standard for role-based access control (RBAC). Although RBAC models have received broad support as a generalized approach to access control, and are well recognized for their many advantages in performing large-scale authorization management, no single authoritative definition of RBAC exists today. This lack of a widely accepted model results in uncertainty and confusion about RBAC's utility and meaning. The standard proposed here seeks to resolve this situation by unifying ideas from a base of frequently referenced RBAC models, commercial products, and research prototypes. It is intended to serve as a foundation for product development, evaluation, and procurement specification. Although RBAC continues to evolve as users, researchers, and vendors gain experience with its application, we feel the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers. As such, this document does not attempt to standardize RBAC features beyond those that have achieved acceptance in the commercial marketplace and research community, but instead focuses on defining a fundamental and stable set of RBAC components. This standard is organized into the RBAC Reference Model and the RBAC System and Administrative Functional Specification. The reference model defines the scope of features that comprise the standard and provides a consistent vocabulary in support of the specification. The RBAC System and Administrative Functional Specification defines functional requirements for administrative operations and queries for the creation, maintenance, and review of RBAC sets and relations, as well as for specifying system-level functionality in support of session attribute management and an access control decision process.


Proceedings of the fifth ACM workshop on Role-based access control | 2000

Application of XML tools for enterprise-wide RBAC implementation tasks

Ramaswamy Chandramouli

The use of Extensible Markup Language (XML) and its associated APIs for information modeling and information interchange applications is being actively explored by the research community. In this paper we develop an XML Document Type Definition (DTD) for representing the schema of a Role-based Access Control (RBAC) Model and a conforming XML document containing the actual RBAC-based access control data for a commercial banking application. Based on this DTD, the XML document and the methods in the Document Object Model (DOM) API Level 1.0 standards, we describe three application tasks related to enterprise-wide implementation of RBAC. They are: (a) implementing an RBAC model for a database application, (b) implementing RBAC models with identical data on two different database servers, and (c) transforming data under an RBAC model to a different, but structurally similar, model like the Group-based Access Control model. Other potential Access Control Service applications exploiting the capabilities of some commercial XML processors are also outlined.


Annual Computer Security Applications Conference | 2001

A framework for multiple authorization types in a healthcare application system

Ramaswamy Chandramouli

In most of the current authorization frameworks in application systems, the authorization for a user operation is determined using a static database like ACL entries or system tables. These frameworks cannot provide the foundation for supporting multiple types of authorizations, such as emergency authorizations and context-based authorizations, which are required in many vertical market systems like healthcare application systems. We describe a dynamic authorization framework which supports multiple authorization types. We use the acronym DAFMAT (Dynamic Authorization Framework for Multiple Authorization Types) to refer to this framework. The DAFMAT framework uses a combination of role-based access control (RBAC) and dynamic type enforcement (DTE) augmented with a logic-driven authorization engine. The application of DAFMAT for evaluating and determining various types of authorization requests for the Admissions, Discharge and Transfer (ADT) system in a healthcare enterprise is described.


IEEE International Conference on Cloud Computing Technology and Science | 2013

Cryptographic Key Management Issues and Challenges in Cloud Services

Ramaswamy Chandramouli; Michaela Iorga; Santosh Chokhani

To interact with various services in the cloud and to store the data generated/processed by those services, several security capabilities are required. Based on a core set of features in the three common cloud services, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), we identify a set of security capabilities needed to exercise those features and the cryptographic operations they entail. An analysis of the common state of practice of the cryptographic operations that provide those security capabilities reveals that the management of cryptographic keys takes on an additional complexity in cloud environments compared to enterprise IT environments due to: (a) the difference in ownership (between cloud Consumers and cloud Providers) and (b) control of the infrastructures on which both the Key Management System (KMS) and the protected resources are located. This document identifies the cryptographic key management challenges in the context of architectural solutions that are commonly deployed to perform those cryptographic operations.


IEEE Symposium on Security and Privacy | 2006

Challenges in securing the domain name system

Ramaswamy Chandramouli; Scott Rose

Two main security threats exist for DNS in the context of query/response transactions. Attackers can spoof authoritative name servers responding to DNS queries and alter DNS responses in transit through man-in-the-middle attacks, and alter the DNS responses stored in caching name servers. The IETF has defined the digital signature-based DNSSEC for protecting DNS query/response transactions through a series of requests for comments.


Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control | 2016

Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)

David F. Ferraiolo; Ramaswamy Chandramouli; Rick Kuhn; Vincent C. Hu

Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) are very different attribute-based access control standards with similar goals and objectives. An objective of both is to provide a standardized way for expressing and enforcing vastly diverse access control policies in support of various types of data services. The two standards differ with respect to the manner in which access control policies and attributes are specified and managed, and decisions are computed and enforced. This paper is presented as a consolidation and refinement of public draft NIST SP 800-178 [21], describing and comparing these two standards.


Annual Computer Security Applications Conference | 2005

An integrity verification scheme for DNS zone file based on security impact analysis

Ramaswamy Chandramouli; Scott Rose

The domain name system (DNS) is the world's largest distributed computing system that performs the key function of translating user-friendly domain names to IP addresses through a process called name resolution. After looking at the protection measures for securing DNS transactions, we discover that the trust in the name resolution process ultimately depends upon the integrity of the data repository that the authoritative name servers of DNS use. This data repository is called a zone file. Hence we analyze in detail the data content relationships in a zone file that have security impacts. We then develop a taxonomy and an associated population of constraints. We have also developed a platform-independent framework using XML, XML Schema and XSLT for encoding those constraints and verifying them against the XML-encoded zone file data to detect integrity violations.


Hawaii International Conference on System Sciences | 2004

Automated testing of security functions using a combined model and interface-driven approach

Ramaswamy Chandramouli; Mark R. Blackburn

Independent security functional testing (testing of the security functions of a product or system for conformance to published behavior) is often given a low priority in traditional security evaluations, due to a combination of cost and technical considerations, except in the case of high-assurance products. However, we argue that the overall security of an enterprise IT environment depends upon the weakest link, and these weakest links are often commercial off-the-shelf software products involved in number crunching, data storage, transaction processing, etc. In this paper we present an approach for improving the economics of security functional testing for many classes of commercial products by automating the process of test code generation through the use of formal models and interface information. The underlying framework is called TAF (test automation framework), and the toolkit we have developed based on TAF is the TAF-SFT toolkit. The TAF approach uses the text-based specifications of security functions provided by the product vendor to develop a machine-readable specification of security functions using the SCR (Software Cost Reduction) formal language. The resultant behavioral specification model is then processed through the TAF-SFT toolkit to generate test vectors. The behavioral model and the test vectors are then combined with product interface specifications to automatically generate test drivers (test execution code). The test code is executed against the product to be tested. The actual test results are compared with the expected test results and a test report is generated. We illustrate the application of the TAF-SFT toolkit for security functional testing of a commercial DBMS product.


NIST Interagency/Internal Report (NISTIR) - 7956 | 2013

Cryptographic Key Management Issues & Challenges in Cloud Services

Ramaswamy Chandramouli; Michaela Iorga; Santosh Chokhani

To interact with various services in the cloud and to store the data generated/processed by those services, several security capabilities are required. Based on a core set of features in the three common cloud services – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), we identify a set of security capabilities needed to exercise those features and the cryptographic operations they entail. An analysis of the common state of practice of the cryptographic operations that provide those security capabilities reveals that the management of cryptographic keys takes on an additional complexity in cloud environments compared to enterprise IT environments due to: (a) difference in ownership (between cloud Consumers and cloud Providers) and (b) control of infrastructures on which both the Key Management System (KMS) and protected resources are located. This document identifies the cryptographic key management challenges in the context of architectural solutions that are commonly deployed to perform those cryptographic operations.


Annual Computer Security Applications Conference | 2003

A policy validation framework for enterprise authorization specification

Ramaswamy Chandramouli

The validation of an enterprise authorization specification for conformance to enterprise security policies requires an out-of-band framework in many situations, since the enforcing access control mechanism does not provide this feature. We describe one such framework. The framework uses XML to encode the enterprise authorization specification, XML Schema to specify the underlying access control model (which in our case is the role-based access control (RBAC) model) and the Schematron language to encode the policy constraints. The conformance of the XML-encoded enterprise authorization specification to the structure of the RBAC model (specified through XML Schema) as well as to the policy constraints (specified through Schematron) is verified through a Schematron validator tool.

Collaboration

Top co-authors of Ramaswamy Chandramouli:

Scott Rose, National Institute of Standards and Technology
David F. Ferraiolo, National Institute of Standards and Technology
Hildegard Ferraiolo, National Institute of Standards and Technology
David A. Cooper, National Institute of Standards and Technology
Patrick J. Grother, National Institute of Standards and Technology
Charles L. Wilson, National Institute of Standards and Technology
Michaela Iorga, National Institute of Standards and Technology
Rick Kuhn, National Institute of Standards and Technology
D. Richard Kuhn, National Institute of Standards and Technology