Subject: Re: [xacml] For Thursday: ABAC and big data


Agree with Hal that, generally speaking, Cloud and Big Data use cases are addressable within the existing ABAC/XACML approach. Also agree that some techniques need to be worked out to bind resource attribute data to Hadoop style data sources, but this is not fundamental. Also agree that cases like the sensor-array inputs can be modeled as "environmental attributes" (and glad Hal clarified that the policy doesn't change, but just which rules get invoked, as with the oft-discussed "break the glass" case.)

One thing I don't see so far is how to incorporate UMA into the XACML/ABAC model.  The issue for me with UMA is that individuals are their own "policy authorities" and XACML sort of assumes there is some policy authority coordination resulting in a consistent set of policies. But I expect there is a way to model this, too, within XACML--I just haven't seen it. 

Martin






On Tue, Mar 29, 2016 at 3:25 PM, Hal Lockhart <hal.lockhart@oracle.com> wrote:

It seems to me that when considering ABAC and big data there are two potential scenarios. The first is that access to a large non-SQL database should be protected by policy just as done today with existing databases. The second is the possibility of using the big data itself as input to an access control decision.

Concerning the first, I believe Hadoop, for example, has an access control callout which could easily be mated with an XACML PEP. In fact I hope this project will actually be done at Apache once OpenAz gets better organized. It is one of the reasons we moved the project there. The PEP would use subject information combined with information from the Hadoop query as the source of attributes.

Concerning using the big data itself for access control decisions, I can’t think of an obvious use case. XACML normally deals with attributes like group or department which have a single value or a small number of values. I can imagine something like a sensor network (IoT) where you would want to sample the environment and periodically adjust some metric which in turn is used as a policy input. For example, if the number of transactions per second or the number of attacks or the amount of snowfall reaches some threshold, you might want to adjust the access control rules. This would not be done by modifying policy, but including in the policy some reference to the attribute which reflects the changing state.

 

Hal




--
Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 506-0159
703 389-3224 mobile
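The pattern Hal describes above, a Hadoop PEP supplying subject and query-derived resource attributes while a periodically sampled metric enters the decision as an environment attribute, can be written as a single fixed XACML 3.0 policy. The policy below is an added illustration for this thread, not code from OpenAz, Apache, or either poster. The standard category, function and combining-algorithm URIs are those of the XACML 3.0 core specification; every identifier under `urn:example:` (the policy and rule IDs, the `department`, `owning-department` and `attacks-per-minute` attributes) and the threshold of 100 are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration for the ABAC/big-data discussion; identifiers under urn:example: are hypothetical. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:policy:dataset-read-with-threat-threshold"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>
    Analysts may read datasets owned by their own department unless the
    environment reports an elevated attack rate. The policy text never
    changes; only the value of the environment attribute, refreshed by a
    PIP from the sampling job, changes which rule ends up applying.
  </Description>
  <Target>
    <AnyOf>
      <AllOf>
        <!-- The PEP maps a read-type query against the data store to action-id "read". -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <!-- Rule 1: while the sampled attack rate is above the threshold, deny every read.
       MustBePresent="true" makes a missing metric evaluate to Indeterminate rather
       than silently falling through to the permit rule. -->
  <Rule RuleId="urn:example:rule:deny-under-attack" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                               AttributeId="urn:example:attribute:environment:attacks-per-minute"
                               DataType="http://www.w3.org/2001/XMLSchema#integer"
                               MustBePresent="true"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">100</AttributeValue>
      </Apply>
    </Condition>
  </Rule>

  <!-- Rule 2: permit when the subject's department equals the dataset's owning department.
       The subject attribute comes from the caller's identity; the resource attribute is
       the one the PEP binds to the dataset named in the query. -->
  <Rule RuleId="urn:example:rule:permit-own-department" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="urn:example:attribute:subject:department"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:example:attribute:resource:owning-department"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- Rule 3: unconditional fallback so the policy returns a definite Deny, not NotApplicable. -->
  <Rule RuleId="urn:example:rule:deny-otherwise" Effect="Deny"/>
</Policy>
```

With `first-applicable`, rule order is the control flow: the threshold check runs first, the department match second, and the catch-all Deny last. Raising or clearing the alert state therefore needs no policy edit and no policy redeployment; the sampling job only has to update the value that the PIP returns for `attacks-per-minute`, which is exactly the "reference to the attribute which reflects the changing state" Hal describes. A PEP in front of the data store should treat any Indeterminate result (for instance, the metric temporarily unavailable) the same as Deny, so a gap in the sensor feed fails closed rather than open.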

