Date Published: September 2017
Planning Note (07/22/2022):
NIST has ceased further development of this draft publication.
Author(s)
William Fisher (NIST), Norm Brickman (MITRE), Prescott Burden (MITRE), Santos Jha (MITRE), Brian Johnson (MITRE), Andrew Keller (MITRE), Ted Kolovos (MITRE), Sudhi Umarji (MITRE), Sarah Weeks (MITRE)
Announcement
The National Cybersecurity Center of Excellence (NCCoE) has developed an example attribute based access control (ABAC) system. This ABAC reference design can manage access to networked resources more securely and efficiently, and with greater granularity than traditional access management. It grants each user the appropriate permissions and limitations on the same information system based on that user's individual attributes, and allows permissions for multiple systems to be managed from a single platform without a heavy administrative burden.
This approach uses commercially available products that can be included alongside current products in an existing infrastructure. The full draft practice guide is also available for download in PDF or web viewing.
The NCCoE team looks forward to receiving your comments on the second draft guide—the approach, the architecture, and possible alternatives. The comment period is open through October 20, 2017. Comments will be made public after review and can be submitted anonymously.
Enterprises rely upon strong access control mechanisms to ensure that corporate resources (e.g., applications, networks, systems, and data) are not exposed to anyone other than an authorized user. As business requirements change, enterprises need highly flexible access control mechanisms that can adapt. The application of attribute based policy definitions enables enterprises to accommodate a diverse set of business cases. This NCCoE practice guide details a collaborative effort between the NCCoE and technology providers to demonstrate a standards-based approach to attribute based access control (ABAC).
This guide discusses potential security risks facing organizations, benefits that may result from the implementation of an ABAC system, and the approach the NCCoE took in developing a reference architecture and build. It includes a discussion of major architecture design considerations, an explanation of the security characteristics achieved by the reference design, and a mapping of those security characteristics to applicable standards and security control families.
For parties interested in adopting all or part of the NCCoE reference architecture, this guide includes a detailed description of the installation, configuration, and integration of all components.
Keywords
identity federation; identity management; identity provider; relying party; access control; access management; attribute provider; authorization; authentication
Control Families
Access Control; Identification and Authentication