HP Labs has published a joint paper - From ABAC to ZBAC: Evolution of Access Control Models
Controlling access to resources and services is fundamental to security. A variety of access
control models have been developed over the years, each designed to address different aspects of
the problem. This report examines the strengths and weaknesses of the various approaches as
applied to cross-domain services and as implemented in common SOA frameworks. Please
note, the access control mechanisms are discussed in this context and the comments are not
general critiques of the advantages and disadvantages of the various systems. Our primary use
case comes from an example investigated by the US Navy, which is examined for illustrative
purposes since it is easy to understand (for further applicability, please refer to the
Department of Defense and Intelligence Community Service-Oriented Architecture Security
Reference Architecture, Version 1.0, its discussion of hierarchical policy enforcement
frameworks, and section 4.2, Advanced SOAP Interaction Patterns). That discussion also
extends the enclosed use case slightly to address issues it doesn’t cover. Recognizing those
issues led to the development of an access control model that uses authorizations presented with
the request to make an access decision, an approach we call authoriZation Based Access Control
(ZBAC). This paper is intended to stimulate a structured technical dialogue within the IA&A
community on potential alternative enterprise approaches and possible security risks with current
approaches. The KEY implementation details are in the appendices, so be sure to read them too!
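To make the contrast concrete, here is an added illustration (not code from the HP Labs paper) of the two decision styles the abstract mentions: an ABAC service that looks up the requester's attributes and evaluates policy itself, beside a ZBAC-style service that only verifies an authorization carried with the request. The toy policy, the attribute names and the HMAC-signed authorization format are constructed assumptions for the example, not the paper's mechanism.

```python
import hashlib
import hmac
import json
import time

# --- ABAC: the service looks up the caller's attributes and evaluates policy locally.
# Constructed toy policy: the action must be permitted on the resource, the subject's
# unit must be on the resource's allow-list, and clearance must dominate classification.
CLEARANCE_RANK = {"unclassified": 0, "confidential": 1, "secret": 2}

def abac_decide(subject_attrs, resource_attrs, action):
    if action not in resource_attrs["allowed_actions"]:
        return False
    if subject_attrs["unit"] not in resource_attrs["allowed_units"]:
        return False
    return (CLEARANCE_RANK[subject_attrs["clearance"]]
            >= CLEARANCE_RANK[resource_attrs["classification"]])

# --- ZBAC: an authorization is issued once, presented with each request, and verified
# by the service. The service never needs the requester's attributes from another
# domain; it only needs the issuer's key. HMAC stands in for whatever signature
# scheme a real deployment would use (assumption, not the paper's design).
def _sign(key, payload):
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def issue_authorization(key, resource, actions, expires_at):
    payload = {"resource": resource, "actions": sorted(actions), "exp": expires_at}
    return {"payload": payload, "sig": _sign(key, payload)}

def zbac_decide(key, authz, resource, action, now=None):
    now = time.time() if now is None else now
    payload = authz.get("payload", {})
    # The signature is the only thing binding the grant to the issuer, so check it
    # first and in constant time; a tampered payload fails here.
    if not hmac.compare_digest(_sign(key, payload), authz.get("sig", "")):
        return False
    if payload.get("exp", 0) <= now:
        return False
    return payload.get("resource") == resource and action in payload.get("actions", [])
```

The ABAC path needs the requester's attributes to be available and trusted at the service, which is exactly what becomes hard across domains; the ZBAC path moves that evaluation to whoever issued the authorization.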