[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: DLP-NAC: authorized applications
Proposal in draft. Suggestions welcome. Use case: 1.1.1.1 Prevent sensitive data from being read/modified by unauthorized applications
Policies may stipulate which applications can read or modify resources to prevent insecure applications or malware-compromised applications from contaminating or exfiltrating sensitive data. This use case assumes that the Policy Decision
Point (PDP) can call an external configuration management database to determine if the application is on the approved list. Attribute: 1.1.2
Authorized-Application
This identifier indicates whether or not the requesting application is approved for the actions requested. urn:oasis:names:tc:xacml:3.0:subject:authorized-application The DataType of this attribute is
http://www.w3.org/2001/XMLSchema#boolean.
Example: 1.1.3
Prevent sensitive data from being read/modified by unauthorized applications
Acme security policy prohibits unapproved applications from reading and modifying sensitive data. Alice attempts to open a sensitive document with an unauthorized application. The request fails. Sample attributes
and values are listed below.
1.1.3.1 Description
This sample policy can be summarized as follows: Target: This policy is only applicable to
Resource-location = “webserver1.acme.com”
AND Resource-ID contains “confidential\.acme\.com” Rule: This rule is only applicable if
Action-ID contains “HTTP” Then if Subject-ID-qualifier = “acme.com” AND Authorized-application = false DENY Obligation: On DENY log attempt to use an authorized application Sample Policy…. To be added |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]