Subject: access control vs audit - xacml applicable?
I wanted to know your opinion on the applicability of XACML to solve a problem which is not exactly in XACML's domain. It's access control auditing of the enterprise. Suppose the company has a heterogeneous IT infrastructure, i.e. a variety of systems with proprietary access control mechanisms, such as Unix, Windows, mainframes, mini-computers, physical access control (RFID badges) and so on. In the dream world, there'd be a company-wide PEP with all required policies in XACML. All these systems would communicate with the PEP, and set up their proprietary access control mechanisms according to these policies. In reality, we have a bunch of different authorization technologies. They are so different that in order to review user rights on these platforms I had to learn much more about their access control technologies than I ever wanted. Everyone who has to audit access control in a large company will have the same problem. Clearly, there's an issue.

I've been thinking of using XACML for this task. Here's what I was thinking about. All platforms/OSs/systems have their own access control tools, but there's something common in (almost) all of them: they can be mapped to an ACL, i.e. the resource-subject-action triad. At least in those systems which I worked with, the ACL concept can be used, although it's not always straightforward. The way I approach auditing is to express user access rights in the system in terms of an ACL; then analysis becomes easier, because there's a common vocabulary and similar reporting.

Now, the next step would be to have a standard way of reporting the access control setup in the system. One approach is to analyze the proprietary authorization tool, and convert its rules into XACML policies. This would have one benefit: the auditor has to learn only one policy language, XACML. For example, if you take mainframe security, there's one tool called CA-ACF2. It has rules, similar to other ACL tools. It takes time to learn the syntax, and most business people don't know it. It's an issue because these same people have to approve rules of access to their data. Translating these rules into XACML would simplify the auditors' and managers' life a bit, but not much. Besides, I'm not sure if it's possible to translate these rules into XACML.

The approach which I'm about to take is querying the system instead of going after rules. For example, in Unix I'd run "ls -l" in the directory; this would give me information about rights to files/dirs. OK, this is not complete information yet, because there could be facl (i.e. ACLs for files), there could be clusters etc. I'd take into account all these "complications", then return an answer: "file FILE1 can be READ by users in the group WEB, can be WRITTEN by owner ARGYN only". I can run a bunch of queries and produce a report. If I have a standard language then I can produce consolidated reports across different platforms, and then auditors/managers would learn to read it.

Having only XACML at hand, I was thinking of using the Request Context schema of XACML to report access rights from the system. Normally, we use a Request to query the PEP, which answers us with a Response. However, for audit reporting, the Request schema is more appropriate, as it contains all three elements: subject, resource and action. I'd get a bunch of Requests which describe the actual access rights of users to system resources. Alternatively, the Policy syntax can be used. In this case, the query would return results as a set of Rules, which describe access rights to resources. Or maybe I have to define my own schema for this purpose. I'd prefer to use some standard language though.

I was wondering if anyone tried to use XACML for this sort of a problem.

Thanks,
Argyn
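The query-the-system approach described in the post, worked through for the Unix case as an added example (this is not code from the original message or from any XACML project): it parses constructed `ls -l` output into resource-subject-action triads, collapses them into the "FILE1 can be READ by group WEB, WRITTEN by owner ARGYN" style summary, and emits one XACML 2.0 Request per triad. The `SAMPLE_LS` lines are constructed test data; the namespace and attribute-id URNs are the standard XACML 2.0 / 1.0 identifiers as I recall them, and the `user:`/`group:`/`other` subject naming is my own convention, not anything XACML prescribes. As the post notes, a real audit query would also have to consult POSIX ACLs (`getfacl`), which this mode-string parser deliberately does not cover.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `ls -l` output; not taken from any real system.
SAMPLE_LS = """\
-rw-r----- 1 argyn web  1024 Jan 10 12:00 FILE1
-rwxr-xr-x 1 root  root 4096 Jan 10 12:00 report.sh
drwxrwx--- 2 argyn web  4096 Jan 10 12:00 shared
"""

# Standard XACML identifiers (assumed from the XACML 2.0 context schema).
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Offsets of the owner/group/other bit classes inside the 9-char permission string.
_CLASSES = (("owner", 0), ("group", 3), ("other", 6))
_ACTIONS = ("read", "write", "execute")

_LS_RE = re.compile(
    r"^([-dl][rwxsStT-]{9})[+@.]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)


def parse_ls_line(line):
    """Return (mode, owner, group, name) for one `ls -l` line, or None if it does not match."""
    m = _LS_RE.match(line.rstrip())
    return m.groups() if m else None


def mode_to_triads(mode, owner, group, name):
    """Map a mode string to (resource, subject, action) triads.

    Subjects are rendered as 'user:<owner>', 'group:<group>' or 'other' (my convention).
    Lowercase s/t count as execute granted; uppercase S/T do not. POSIX ACLs (the '+'
    flag) and the meaning of setuid/setgid/sticky are intentionally not modelled here.
    """
    subjects = {"owner": f"user:{owner}", "group": f"group:{group}", "other": "other"}
    perm_bits = mode[1:]
    triads = []
    for cls, offset in _CLASSES:
        for i, action in enumerate(_ACTIONS):
            if perm_bits[offset + i] in "rwxst":
                triads.append((name, subjects[cls], action))
    return triads


def ls_to_triads(text):
    """Parse a whole `ls -l` listing into a flat list of triads."""
    triads = []
    for line in text.splitlines():
        parsed = parse_ls_line(line)
        if parsed:
            triads.extend(mode_to_triads(*parsed))
    return triads


def summarize(triads, resource):
    """Collapse the triads for one resource into {action: [subjects]} for a human report."""
    out = {}
    for res, subj, act in triads:
        if res == resource:
            out.setdefault(act, []).append(subj)
    return out


def _attr(parent, attr_id, value):
    a = ET.SubElement(parent, "Attribute", AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(a, "AttributeValue").text = value


def triad_to_request(resource, subject, action):
    """Render one triad as an XACML 2.0 Request context document (a string)."""
    req = ET.Element("Request", xmlns=XACML_CTX)
    _attr(ET.SubElement(req, "Subject"), SUBJECT_ID, subject)
    _attr(ET.SubElement(req, "Resource"), RESOURCE_ID, resource)
    _attr(ET.SubElement(req, "Action"), ACTION_ID, action)
    ET.SubElement(req, "Environment")
    return ET.tostring(req, encoding="unicode")


def ls_to_requests(text):
    """Full pipeline: listing text -> list of XACML Request strings, one per granted right."""
    return [triad_to_request(*t) for t in ls_to_triads(text)]


if __name__ == "__main__":
    rights = ls_to_triads(SAMPLE_LS)
    print(summarize(rights, "FILE1"))
    print(ls_to_requests(SAMPLE_LS)[0])
```

Each emitted Request is a statement of fact about the system ("subject S may do A to R"), which is the reading of the Request schema the post proposes; feeding the same documents to a PDP holding the intended XACML policy and diffing Permit/Deny against what the system actually grants is the natural next step for an audit.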