Date Published: September 2015
Author(s)
William Fisher (NIST), Norm Brickman (MITRE), Santos Jha (MITRE), Sarah Weeks (MITRE), Ted Kolovos (MITRE), Prescott Burden (MITRE)
Editor(s)
Leah Kauffman (NIST)
Announcement
NIST requests public comments on Draft NIST Cybersecurity Practice Guide 1800-3, Attribute Based Access Control.
Most businesses today use Role Based Access Control (RBAC) to assign access to networks and systems based on job title or defined role. But if an employee changes roles or leaves the company, an administrator must manually change access rights accordingly, perhaps within several systems. As organizations expand and contract, partner with external vendors or systems, and modernize systems, this method of managing user access becomes increasingly difficult and inefficient.
To help address this growing cybersecurity challenge and support the next generation of identity management, security engineers at the National Cybersecurity Center of Excellence (NCCoE) developed a reference design for an Attribute Based Access Control (ABAC) system. ABAC is an advanced method for managing access rights for people and systems connecting to networks and assets, offering greater efficiency, flexibility, scalability, and security. In fact, Gartner recently predicted that "by 2020, 70% of enterprises will use attribute-based access control...as the dominant mechanism to protect critical assets, up from less than 5% today."
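The two paragraphs above contrast the RBAC and ABAC models in prose. The following added example (not code from the practice guide or the NCCoE build) makes the difference concrete: two systems each keep their own user-to-role table, so a role change must be replicated by hand in every table, whereas an ABAC policy decision point evaluates subject, resource and environment attributes at request time, so one change at the attribute provider is reflected everywhere. Every attribute name, rule and user in the block is a constructed assumption for illustration only.

```python
from dataclasses import dataclass
from typing import Callable, Optional

Attrs = dict

# --- RBAC: every system keeps its own user -> role table -------------------------
class RbacSystem:
    """One application with a locally administered role table (constructed)."""

    def __init__(self, name: str, permitted_roles: set) -> None:
        self.name = name
        self.permitted_roles = permitted_roles
        self.user_roles: dict = {}

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def permits(self, user: str) -> bool:
        return bool(self.user_roles.get(user, set()) & self.permitted_roles)


def rbac_role_change() -> dict:
    """Alice moves from finance to HR. An admin revokes her finance role in the
    payroll system but forgets the ledger system, so stale access lingers there."""
    payroll = RbacSystem("payroll", {"finance"})
    ledger = RbacSystem("ledger", {"finance"})
    for system in (payroll, ledger):
        system.assign("alice", "finance")
    payroll.revoke("alice", "finance")  # only one of the two tables is updated
    return {"payroll": payroll.permits("alice"), "ledger": ledger.permits("alice")}


# --- ABAC: one policy evaluated against attributes fetched at request time --------
@dataclass(frozen=True)
class Rule:
    name: str
    # (subject, resource, environment) -> True when this rule grants access
    applies: Callable[[Attrs, Attrs, Attrs], bool]


class AbacPdp:
    """Deny-by-default policy decision point: Permit only if some rule applies."""

    def __init__(self, rules: list) -> None:
        self.rules = rules

    def decide(self, subject: Attrs, resource: Attrs, environment: Attrs) -> tuple:
        for rule in self.rules:
            if rule.applies(subject, resource, environment):
                return "Permit", rule.name
        return "Deny", None


# Constructed policy: access requires a matching department and sufficient
# clearance, plus MFA (an environment attribute of the request) for sensitive data.
POLICY = [
    Rule(
        "department-owner-with-clearance",
        lambda s, r, e: s["department"] == r["owning_department"]
        and s["clearance"] >= r["sensitivity"]
        and (r["sensitivity"] < 2 or e["mfa"]),
    ),
    Rule(
        "auditor-read-low-sensitivity",
        lambda s, r, e: "auditor" in s["groups"] and r["sensitivity"] < 2,
    ),
]

# Constructed attribute store standing in for an identity/attribute provider.
ATTRIBUTE_PROVIDER = {
    "alice": {"department": "finance", "clearance": 2, "groups": {"staff"}},
    "bob": {"department": "hr", "clearance": 1, "groups": {"staff", "auditor"}},
}
LEDGER = {"owning_department": "finance", "sensitivity": 2}
HR_HANDBOOK = {"owning_department": "hr", "sensitivity": 1}


def abac_role_change() -> dict:
    """The same move as above, but only Alice's department attribute changes at
    the provider; every relying system's decision follows without table edits."""
    pdp = AbacPdp(POLICY)
    env = {"mfa": True}
    before = pdp.decide(ATTRIBUTE_PROVIDER["alice"], LEDGER, env)[0]
    alice_after = {**ATTRIBUTE_PROVIDER["alice"], "department": "hr"}
    after = pdp.decide(alice_after, LEDGER, env)[0]
    return {"ledger_before": before, "ledger_after": after}


def abac_environment_check() -> dict:
    """Environment attributes matter too: Alice without MFA is denied the
    sensitive ledger, while auditor Bob may read the low-sensitivity handbook."""
    pdp = AbacPdp(POLICY)
    no_mfa = pdp.decide(ATTRIBUTE_PROVIDER["alice"], LEDGER, {"mfa": False})[0]
    bob_handbook = pdp.decide(ATTRIBUTE_PROVIDER["bob"], HR_HANDBOOK, {"mfa": False})[0]
    bob_ledger = pdp.decide(ATTRIBUTE_PROVIDER["bob"], LEDGER, {"mfa": True})[0]
    return {"alice_no_mfa": no_mfa, "bob_handbook": bob_handbook, "bob_ledger": bob_ledger}


if __name__ == "__main__":
    print(rbac_role_change())        # {'payroll': False, 'ledger': True}
    print(abac_role_change())        # {'ledger_before': 'Permit', 'ledger_after': 'Deny'}
    print(abac_environment_check())  # {'alice_no_mfa': 'Deny', 'bob_handbook': 'Permit', 'bob_ledger': 'Deny'}
```

The point the RBAC half makes is an operational one: access is only as current as the least-maintained role table, which is the administrative burden the announcement describes. In the ABAC half the policy is deny-by-default and the decision is derived from attributes at evaluation time, so the attribute provider becomes the single place where a change in a person's department, clearance or group membership takes effect.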
This newly available practice guide provides IT and security engineers with critical information they can use to recreate the example solution with the same or similar technologies. Our solution is guided by NIST standards and industry best practices.
Enterprises rely upon strong access control mechanisms to ensure that corporate resources (e.g., applications, networks, systems and data) are not exposed to anyone other than an authorized user. As business requirements change, enterprises need highly flexible access control mechanisms that can adapt. The application of attribute based policy definitions enables enterprises to accommodate a diverse set of business cases. This NCCoE practice guide details a collaborative effort between the NCCoE and technology providers to demonstrate a standards-based approach to attribute based access control (ABAC). This guide discusses potential security risks facing organizations, benefits that may result from the implementation of an ABAC system, and the approach that the NCCoE took in developing a reference architecture and build. Included is a discussion of major architecture design considerations, an explanation of the security characteristics achieved by the reference design, and a mapping of security characteristics to applicable standards and security control families. For parties interested in adopting all or part of the NCCoE reference architecture, this guide includes a detailed description of the installation, configuration and integration of all components.
Keywords
authorization; identity federation; identity management; identity provider; relying party; access management; access control; authentication; attribute provider
Control Families
Access Control; Identification and Authentication