This article can also be found in the Premium Editorial Download "Information Security magazine: Nine tips to guarding your intellectual property."
The Enterprise Dynamic Access Control (EDAC) model addresses many of these issues. EDAC is a metadata-based access control system that automates the complex and labor-intensive tasks of assigning users to roles. The model explains the different types of data that can be collected and how a rules engine can use these inputs to enforce dynamic access decisions. EDAC, which was developed within the U.S. Department of the Navy and is supported by NIST, offers the plumbing and algorithms to help corporations make secure and thoughtful authorization implementations.
An EDAC-compliant system makes dynamic access control decisions by taking information typically gathered from HR databases, converting it into a standardized metadata format, and applying the following criteria at decision time:
User and corporate attribute changes: Group memberships, security clearance, job description.
Environmental time constraints and security threats: Time constraints (such as access only between 8 a.m. and 5 p.m.); security level (such as Homeland Security raising its security level, so users' permissions are changed accordingly).
Questionnaire: Permissions are dynamically assigned based on user responses.
Workflow: Demonstration that procedure has been followed (such as if a hospital patient's lab results have been reviewed and approved, the nurse can administer prescribed drugs).
Rules: Combine all of the above to make dynamic access control decisions (for example, grant access if Homeland Security is at a low security level, the user has a clearance of Secret, and it is between 8 a.m. and 5 p.m.).
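The rule in the last item above combines a user attribute (clearance), an environmental input (threat level, time of day) and, in the hospital example, a workflow prerequisite. The following toy rules engine is an added illustration of that decision flow, written for this article; it is not the Navy's or NIST's EDAC code, and every attribute name, the clearance ordering, the policy keys and the sample nurse/patient records are constructed here. It generalizes the article's single rule to a deny-by-default policy in which every criterion (group, clearance, time window, threat level, questionnaire answer, completed workflow steps) must hold, and it reports which criteria failed so the decision can be audited.

```python
"""Toy EDAC-style dynamic access decision engine (added example, not the
EDAC reference implementation). Attribute names, clearance ordering and the
sample policy/records are all constructed for illustration."""
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Set, Tuple

# Constructed clearance ladder: higher index means higher clearance.
CLEARANCE_ORDER = ["unclassified", "confidential", "secret", "top secret"]


@dataclass
class Subject:
    """User and corporate attributes, as they would arrive from an HR feed."""
    user_id: str
    clearance: str
    groups: Set[str] = field(default_factory=set)
    questionnaire: Dict[str, str] = field(default_factory=dict)  # user responses


@dataclass
class Environment:
    """Environmental inputs gathered at decision time."""
    now: time                 # time of day of the request
    threat_level: str         # e.g. "low", "elevated", "high" (constructed scale)
    completed_steps: Set[str] = field(default_factory=set)  # workflow evidence


def clearance_at_least(have: str, need: str) -> bool:
    """True if the subject's clearance is at or above the required level."""
    return CLEARANCE_ORDER.index(have) >= CLEARANCE_ORDER.index(need)


def decide(subject: Subject, env: Environment,
           policy: Dict, action: str) -> Tuple[bool, List[str]]:
    """Deny-by-default: every rule in the policy must hold.

    Returns (allowed, reasons); reasons lists every failed criterion so an
    auditor can see why the engine denied the request.
    """
    reasons: List[str] = []
    # User / corporate attributes
    if policy["group"] not in subject.groups:
        reasons.append(f"not a member of group {policy['group']!r}")
    if not clearance_at_least(subject.clearance, policy["min_clearance"]):
        reasons.append("insufficient clearance")
    # Environmental constraints: time window and threat level
    start, end = policy["window"]
    if not (start <= env.now <= end):
        reasons.append("outside access window")
    if env.threat_level not in policy["allowed_threat_levels"]:
        reasons.append(f"threat level {env.threat_level!r} not permitted")
    # Questionnaire: required answers the user must have given
    for question, expected in policy.get("questionnaire", {}).items():
        if subject.questionnaire.get(question) != expected:
            reasons.append(f"questionnaire answer for {question!r} is not {expected!r}")
    # Workflow: prerequisite steps that must already be complete
    missing = set(policy.get("required_steps", set())) - env.completed_steps
    if missing:
        reasons.append("workflow incomplete: " + ", ".join(sorted(missing)))
    # The requested action itself must be one the policy covers
    if action not in policy["actions"]:
        reasons.append(f"action {action!r} not covered by policy")
    return (not reasons, reasons)


# Constructed policy for the article's hospital example: a nurse may
# administer a prescribed drug only once lab results are reviewed and approved.
ADMINISTER_DRUG = {
    "group": "nursing",
    "min_clearance": "confidential",
    "window": (time(8, 0), time(17, 0)),
    "allowed_threat_levels": {"low"},
    "questionnaire": {"patient_identity_confirmed": "yes"},
    "required_steps": {"lab_results_reviewed", "lab_results_approved"},
    "actions": {"administer"},
}


if __name__ == "__main__":
    nurse = Subject("nurse01", "confidential", {"nursing"},
                    {"patient_identity_confirmed": "yes"})
    daytime_ok = Environment(time(10, 30), "low",
                             {"lab_results_reviewed", "lab_results_approved"})
    print(decide(nurse, daytime_ok, ADMINISTER_DRUG, "administer"))
    # Same nurse, but results not yet approved and threat level raised:
    blocked = Environment(time(10, 30), "elevated", {"lab_results_reviewed"})
    print(decide(nurse, blocked, ADMINISTER_DRUG, "administer"))
```

Because the policy is a data structure rather than code, the same engine can be fed by a GUI that authors policies and by profile generators that emit the Subject and Environment records, which is the modular split the article describes.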
The model leverages existing protocols such as SOAP, XACML, SAML and Web services, and further defines the payloads they process. Therefore, in order for assets to interface with an EDAC-compliant system, certain attributes and values would have to be transported by a SAML package, for example.
EDAC furnishes a comprehensive, extensible access control framework. It aims to provide a cost-effective way to seamlessly integrate components in a modular access control environment, in which each module contains a set of salient features and communication protocols. This approach would allow software vendors to focus on building high-performance rules engines, policy-authoring graphical user interfaces, and user and environmental profile generators.
So what do RBAC and EDAC have in common? The RBAC standard is made up of guidelines for vendors and organizations to follow to design robust structures that meet business, regulatory and security needs. EDAC builds upon the RBAC model by extending the variables that can be used for dynamic access control decisions, implementing a modular access control approach, and allowing for interoperability based on Web services technology.
Implementing RBAC and EDAC won't solve all of our access control issues, but they will help. Addressing all types of security solutions in a more standardized and modular manner will allow vendors to provide us with more secure and effective products, because they will no longer need to worry about developing the underlying foundations.
This was first published in May 2007