Attribute-Based Access Control

The Problem: RBAC Inflexibility

The US Federal & Civilian Government has long used Role Based Access Control (RBAC) as a model for access control. However, more and more government organizations are finding that RBAC is not granular or flexible enough to be effectively used as an authorization mechanism in their complex, dynamically changing, data-sharing environments.

As a result, the US government has begun adopting a model of access control in which user-knowledgeable system data (such as might be found in an HR database) is made available within, and potentially outside, the organization. This new approach, called “Attribute Based Access Control” (ABAC), allows systems to dynamically retrieve attributes about the subject, the resource, and the environment on demand in order to render an access control decision. This method provides administrators with far more flexibility than RBAC, where any change often triggers the need to update policy or add/remove principals from roles.

 

The Solution: Attribute Services for Access Control

Key to any successful ABAC implementation will be the Attribute Services (AS). AS makes attribute collection, dissemination, and security possible through the use of Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs). For example, when a user tries to access a resource, the PEP will defer to the PDP, whose job it is to decide whether or not to authorize the user based on the description of the user's attributes. Policies stored on the PEP and PDP systems provide the rule sets around which decisions are made.

 

Layer 7 Attribute Services for ABAC

 

Typically, however, variations exist in attribute data due to a lack of process, training, typographical errors, etc. (e.g., officer rank may be encoded as “LtCol” or “Lieutenant Colonel”). This problem grows exponentially with the number of attributes and interconnected agencies, departments and systems. Additionally, making attribute data available externally can pose a significant security risk.
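The PEP/PDP flow and the rank-spelling problem described above, as an added example that is not Layer 7 code: a small PDP that canonicalizes the rank attribute before evaluating policy and denies on any value it does not recognize. The alias table, attribute names, agencies and policy are constructed assumptions.

```python
# Added example: alias table, attribute names and policy are constructed.
RANK_ORDER = ["Captain", "Major", "Lieutenant Colonel", "Colonel"]
RANK_ALIASES = {
    "capt": "Captain", "captain": "Captain",
    "maj": "Major", "major": "Major",
    "ltcol": "Lieutenant Colonel", "lieutenantcolonel": "Lieutenant Colonel",
    "col": "Colonel", "colonel": "Colonel",
}

def normalize_rank(raw):
    """Map a rank spelling to its canonical form; None if unrecognized."""
    key = "".join(ch for ch in str(raw).lower() if ch.isalnum())
    return RANK_ALIASES.get(key)

def pdp_decide(subject, resource, environment, normalize=True):
    """PDP: evaluate subject, resource and environment attributes."""
    rank = subject.get("rank")
    if normalize:
        rank = normalize_rank(rank)
    # Fail closed: an unknown or missing attribute value never grants access.
    if rank not in RANK_ORDER:
        return "Deny"
    if RANK_ORDER.index(rank) < RANK_ORDER.index(resource["min_rank"]):
        return "Deny"
    if subject.get("agency") not in resource["shared_with"]:
        return "Deny"
    if environment.get("network") != "internal":
        return "Deny"
    return "Permit"

def pep_allows(subject, resource, environment, normalize=True):
    """PEP: defer to the PDP and enforce its decision."""
    return pdp_decide(subject, resource, environment, normalize) == "Permit"

# Constructed sample request data.
REPORT = {"min_rank": "Lieutenant Colonel", "shared_with": {"AgencyA", "AgencyB"}}
ENV = {"network": "internal"}
ALICE = {"rank": "LtCol", "agency": "AgencyA"}             # abbreviated spelling
BOB = {"rank": "Lieutenant Colonel", "agency": "AgencyB"}  # spelled out

if __name__ == "__main__":
    for name, subj in (("alice", ALICE), ("bob", BOB)):
        print(name, "raw:", pep_allows(subj, REPORT, ENV, normalize=False),
              "normalized:", pep_allows(subj, REPORT, ENV))
```

With `normalize=False` the two officers hold the same rank but receive different decisions; with normalization both are permitted, and an unrecognized spelling is still denied.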

 

The Layer 7 Value: Secure, Mediated Attribute Services

Layer 7 provides Attribute Service capabilities within its XML Gateway products, delivering support for the X.509 Attribute Sharing Profile, as well as the Homeland Security Presidential Directive 12 (HSPD-12) Backend Attribute Exchange (BAE). Not only can Layer 7 provide support for building Attribute Services based on the leading standards, but it can also provide policy-based security for authentication, authorization, digital signing, and encryption to meet the highest security requirements for attribute dissemination.

In addition to security, Layer 7 XML Gateways also provide hardware-accelerated Schema Validation (XSD) and Transformation (XSLT) capabilities that can be utilized to define and mediate attribute consistency challenges across shared systems.