OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: DLP-NAC: authorized applications


Proposal in draft.  Suggestions welcome.

 

Use case:

1.1.1.1 Prevent sensitive data from being read/modified by unauthorized applications

Policies may stipulate which applications can read or modify resources to prevent insecure applications or malware-compromised applications from contaminating or exfiltrating sensitive data. This use case assumes that the Policy Decision Point (PDP) can call an external configuration management database to determine if the application is on the approved list.

 

Attribute:

1.1.2 Authorized-Application

This identifier indicates whether or not the requesting application is approved for the actions requested.

urn:oasis:names:tc:xacml:3.0:subject:authorized-application

The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean

 

 

Example:

1.1.3 Prevent sensitive data from being read/modified by unauthorized applications

Acme security policy prohibits unapproved applications from reading and modifying sensitive data.  Alice attempts to open a sensitive document with an unauthorized application. The request fails.  Sample attributes and values are listed below.

 

Resource Attributes

Values

Resource-ID

http://confidential.acme.com/eyes-only.xml

Resource-location

webserver1.acme.com

Subject Attributes

Values

Subject-ID

Alice

Subject-ID-qualifier

acme.com

Authorized-application

False

Action Attributes

Values

Action-ID

HTTP

1.1.3.1 Description

This sample policy can be summarized as follows:

 

Target: This policy is only applicable to Resource-location = “webserver1.acme.com

AND Resource-ID contains “confidential\.acme\.com

 

Rule:  This rule is only applicable if Action-ID contains “HTTP”

Then if

Subject-ID-qualifier = “acme.com” AND Authorized-application = false

DENY

 

Obligation: 

On DENY log attempt to use an authorized application

 

Sample Policy….

 

To be added



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]