[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: DLP-NAC: authorized applications
Proposal in draft. Suggestions welcome.
22.214.171.124 Prevent sensitive data from being read/modified by unauthorized applications
Policies may stipulate which applications can read or modify resources to prevent insecure applications or malware-compromised applications from contaminating or exfiltrating sensitive data. This use case assumes that the Policy Decision Point (PDP) can call an external configuration management database to determine if the application is on the approved list.
This identifier indicates whether or not the requesting application is approved for the actions requested.
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean.
Acme security policy prohibits unapproved applications from reading and modifying sensitive data. Alice attempts to open a sensitive document with an unauthorized application. The request fails. Sample attributes and values are listed below.
This sample policy can be summarized as follows:
Target: This policy is only applicable to Resource-location = “webserver1.acme.com”
AND Resource-ID contains “confidential\.acme\.com”
Rule: This rule is only applicable if Action-ID contains “HTTP”
Subject-ID-qualifier = “acme.com” AND Authorized-application = false
On DENY log attempt to use an authorized application
To be added