The Axiomatics Spring newsletter arrived (did not know that it was actually spring in Stockholm this soon, but moving on..) and in it Babak Sadighi tells us that 2014 is "the year of ABAC", and here I thought it was the year of PKI? Mr. Sadighi shares with us Gartner's blessing "that by 2020, 70% of enterprises will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from less than 5% today."
Well, I have good news and bad news for Gartner and Axiomatics here. The good news is that 100% of enterprises already have ABAC in place. The bad news is that they do not realize it: access control is strewn hither and yon, from class to config file, and consequently they neither manage nor enforce the relevant authorization policies.
The NIST/NSA Survey of Access Control models showed where ABAC fits in the progression of access control models.
The report summarizes some of the next level use cases where ABAC is useful:
A key advantage to the ABAC model is that there is no need for the requester to be known in advance to the system or resource to which access is sought. As long as the attributes that the requestor supplies meet the criteria for gaining entry, access will be granted. Thus, ABAC is particularly useful for situations in which organizations or resource owners want unanticipated users to be able to gain access as long as they have attributes that meet certain criteria. This ability to determine access without the need for a predefined list of individuals that are approved for access is critical in large enterprises where the people may join or leave the organization arbitrarily.
The advantage of dynamic, data driven functionality is easy to see; that is how pretty much every app we use works, from Amazon to finding your nearest In-N-Out Burger. The advantage of dynamic, data driven authorization is easy to see too, but it has proven much harder to get there in practice, and harder still to get there with any level of authorization policy visibility and access monitoring.
So how to get fine grained, dynamic policy driven authorization without Big, Up Front knowledge of all the things? In other words, how do you make progress in an enterprise without paying some poor soul to spend six months doing an inventory of all the back end resources in the data center before making a policy?
By inverting the request a system that formerly relied heavily on a priori knowledge of resources is now unlocked and dynamic:
With large data sets multiple authorization queries for each single data item will lead to performance penalties. The Axiomatics Reverse Query product enhances the capabilities of XACML-based authorization to meet these requirements.
A standard XACML request can be answered with a Permit or Deny. "Can user Bob read document number 42 from the database management system?" Permit or deny.
An ARQ response, by contrast, is a logical expression. The PEP sends an open request to the PDP. "Which actions can Bob perform on documents in this repository?" The response may include criteria such as "Permit read access for documents belonging to Bob's department, Write access for documents authored by Bob or users for whom he is the manager, namely Anne, Joe or Charlie or for which Bob is the assigned reviewer or editor".
This is pretty clearly the way most users would like to work, and it's also much more realistic about how the system and its policies are to be managed in a real world scenario. There are still issues, of course, such as the possibility of emergent behavior, which is already here today. To manage that, scoping queries will be important, and the ability to filter adds another effective control point to the enterprise authorization toolset.
Authorization is a gnarly problem, and reverse queries solve it pretty elegantly for a number of real world scenarios. The next post will look at the policies in practice.