xacml message



Subject: Re: [xacml] Break the Glass policies


On Mon, 14 Dec 2009, Ludwig Seitz wrote:

> Hi David,
>
> you might want to look at this:
> http://portal.acm.org/citation.cfm?id=1263871
>
> I think it is very similar to what you want to achieve.
>
> Regards,
>
> Ludwig

By odd coincidence, I encountered a reference to XACML and BTG
yesterday in an ACM SACMAT 2009 paper.  I provide some references
below, though I've not yet spotted an online copy of David's
ACSAC 2009 paper "How to Securely Break into RBAC: the BTG-RBAC Model".

================================================================================

"Extending Access Control Models with Break-glass"

Achim D. Brucker (achim.brucker@sap.com)
SAP Research

Helmut Petritsch (helmut.petritsch@sap.com)
SAP Research

Presented June 5, 2009 at ACM SACMAT
Proceedings of the Fourteenth ACM symposium on Access Control Models and 
Technologies
http://www.sacmat.org/2009/index.php

http://www.brucker.ch/bibliography/abstract/brucker.ea-extending-2009.en.html
http://www.brucker.ch/bibliography/download/2009/brucker.ea-extending-2009.pdf

Access control models are usually static, i.e., permissions are
granted based on a policy that only changes seldom. Especially
for scenarios in health care and disaster management, a more
flexible support of access control, i.e., the underlying policy,
is needed.

Break-glass is one approach for such a flexible support of
policies which helps to prevent system stagnation that could
harm lives or otherwise result in losses. Today, break-glass
techniques are usually added on top of standard access control
solutions in an ad-hoc manner and, therefore, lack an
integration into the underlying access control paradigm and
the systems' access control enforcement architecture. We
present an approach for integrating, in a fine-grained manner,
break-glass strategies into standard access control models
and their accompanying enforcement architecture. This
integration provides means for specifying break-glass policies
precisely and supporting model-driven development techniques
based on such policies.

Our contributions are four-fold: first, we present a generic
break-glass model. Second, we present a SecureUML extension
supporting break-glass. Third, we present a security architecture
supporting break-glass and, finally, a transformation from
break-glass SecureUML policies to XACML. The rest of the paper
is structured as follows: after introducing the preliminaries
of our work in Section 2, we present a generic break-glass
model which can be integrated into a large class of access
control models in Section 3. In the same section, we also
present, as an example for such an integration, an extension
for SecureUML supporting break-glass. We present a security
architecture supporting break-glass in Section 4. This
architecture is the target of the transformation of break-glass
SecureUML policies to XACML which we present in Section 5.
Finally, we report on related work in Section 6 and present our
conclusions in Section 7.

==================================================================

How to Securely Break into RBAC: the BTG-RBAC Model
Ana Ferreira, David Chadwick, Pedro Farinha, Gansen Zhao, Rui Chilro

2009 Annual Computer Security Applications Conference
http://www.acsac.org/2009/
http://www.acsac.org/2009/openconf/modules/request.php?module=oc_program&action=summary.php&id=135

Access control models describe frameworks that dictate how
subjects (e.g. users) access resources. In the Role-Based
Access Control (RBAC) model access to resources is based on
the role the user holds within the organization. Although
flexible and easier to manage within large-scale authorization
frameworks, RBAC is usually a static model where access
control decisions have only two output options: Grant or Deny.
Break The Glass (BTG) policies can be provided in order to
break or override the access controls within an access control
policy but in a controlled and justifiable manner. The main
objective of this paper is to integrate BTG within the
NIST/ANSI RBAC model in a transparent and secure way so that
it can be adopted generically in any domain where unanticipated
or emergency situations may occur. The new proposed model,
called BTG-RBAC, provides a third decision option BTG. This
allows break the glass policies to be implemented in any
application without any major changes to either the application
or the RBAC authorization infrastructure, apart from the
decision engine. Finally, in order to validate the model,
we discuss how the BTG-RBAC model is being introduced within
a Portuguese healthcare institution where the legislation
requires that genetic information must be accessed by a
restricted group of healthcare professionals. These
professionals, advised by the ethical committee, have required
and asked for the implementation of the BTG concept in order
to comply with the said legislation.

Related:

How to break access control in a controlled manner
http://kar.kent.ac.uk/14476/1/How_to_break_access_control_in_a_controlled_manner.pdf

Modular Authorisation Infrastructures
http://www.sti.uniurb.it/events/fosad08/slides/Chadwick_ModAuthz.pdf
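The two abstracts above describe the same idea from two directions: a decision engine whose outcome is no longer just Permit or Deny but may also be BTG, meaning the requester could obtain access by explicitly breaking the glass, after which the access is permitted but audited. The following is an added illustration written for this archive page, not code from either paper or from any XACML product. It models the BTG state as a flag kept per (user, resource, action) triple, uses an in-memory audit list in place of the obligations a XACML PDP would hand back to the PEP, and assumes an administrator or ethics committee resets the state afterwards; all of that, and the sample roles, users and resource names, are assumptions made for the example.

```python
"""Minimal Permit/Deny/BTG decision engine (added example, not from the papers)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    BTG = "BTG"  # third outcome: access is obtainable by breaking the glass


@dataclass(frozen=True)
class Rule:
    roles: frozenset  # roles the permission is assigned to (RBAC PA relation)
    resource: str
    action: str
    btg: bool = False  # True: the permission is reachable only via break-the-glass


@dataclass
class BTGEngine:
    """Decision engine with a third outcome; the PEP is unchanged apart from
    knowing how to present a BTG decision to the user."""
    rules: list
    user_roles: dict  # user -> set of roles (RBAC UA relation)
    # Assumption: BTG state is kept per (user, resource, action) triple.
    broken: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # stands in for XACML obligations

    def _matching(self, user, resource, action):
        roles = self.user_roles.get(user, set())
        return [r for r in self.rules
                if r.resource == resource and r.action == action and roles & r.roles]

    def decide(self, user, resource, action):
        matches = self._matching(user, resource, action)
        if any(not r.btg for r in matches):
            return Decision.PERMIT  # ordinary RBAC permission, no glass involved
        if not matches:
            return Decision.DENY  # no rule at all: BTG is never offered blindly
        if (user, resource, action) in self.broken:
            # glass already broken: permit, but every access is audited
            self.audit.append(("btg-access", user, resource, action))
            return Decision.PERMIT
        return Decision.BTG  # tell the PEP the user may break the glass

    def break_glass(self, user, resource, action, justification):
        """Controlled override: only where the policy offers BTG, and only
        with a non-empty justification that lands in the audit trail."""
        matches = self._matching(user, resource, action)
        if not matches or any(not r.btg for r in matches):
            raise PermissionError("policy offers no BTG option for this request")
        if not justification.strip():
            raise ValueError("breaking the glass requires a justification")
        self.broken.add((user, resource, action))
        self.audit.append(("btg-broken", user, resource, action, justification))
        return Decision.PERMIT

    def reset_glass(self, user, resource, action):
        # Assumption: an administrator or ethics committee restores the state.
        self.broken.discard((user, resource, action))
        self.audit.append(("btg-reset", user, resource, action))


def demo_engine():
    """Constructed sample policy (not from the papers): genetic records are
    readable by geneticists; physicians reach them only by breaking the
    glass; nurses never can, but everyone clinical may read vitals."""
    rules = [
        Rule(frozenset({"geneticist"}), "patient/42/genetics", "read"),
        Rule(frozenset({"physician"}), "patient/42/genetics", "read", btg=True),
        Rule(frozenset({"physician", "nurse"}), "patient/42/vitals", "read"),
    ]
    users = {"gen1": {"geneticist"}, "dr1": {"physician"}, "rn1": {"nurse"}}
    return BTGEngine(rules, users)


if __name__ == "__main__":
    eng = demo_engine()
    rec = "patient/42/genetics"
    for u in ("gen1", "dr1", "rn1"):
        print(u, eng.decide(u, rec, "read").value)
    print("dr1 breaks glass:", eng.break_glass(u := "dr1", rec, "read",
                                               "patient unconscious, family history needed").value)
    print("dr1 again:", eng.decide("dr1", rec, "read").value)
    for entry in eng.audit:
        print("audit:", entry)
```

The point worth noticing is where the third outcome is computed: only the decision engine changed, which is the property the BTG-RBAC abstract claims. A nurse gets Deny and can never break the glass, because BTG is offered only where a rule explicitly says so; once a physician has broken it, each later access is still logged, so the override is controlled and justifiable rather than a silent bypass.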

===========

Robin Cover
OASIS, Director of Information Services
Editor, Cover Pages and XML Daily Newslink
Email: robin@oasis-open.org
Staff bio: http://www.oasis-open.org/who/staff.php#cover
Cover Pages: http://xml.coverpages.org/
Newsletter: http://xml.coverpages.org/newsletterArchive.html
Tel: +1 972-296-1783


