Attribute-Based Access Control
Published on 1. January 2017
280 pages
978-1-63081-496-0 (ISBN)
Description
This comprehensive new resource provides an introduction to fundamental Attribute Based Access Control (ABAC) models. This book provides valuable information for developing ABAC to improve information sharing within organizations while taking into consideration the planning, design, implementation, and operation. It explains the history and model of ABAC, related standards, verification and assurance, applications, as well as deployment challenges. Readers find authoritative insight into specialized topics including formal ABAC history, ABAC's relationship with other access control models, ABAC model validation and analysis, verification and testing, and deployment frameworks such as XACML. Next Generation Access Model (NGAC) is explained, along with attribute considerations in implementation. The book explores ABAC applications in SOA/workflow domains, ABAC architectures, and includes details on feature sets in commercial and open source products. This insightful resource presents a combination of technical and administrative information for models, standards, and products that will benefit researchers as well as implementers of ABAC systems in the field.
More details
Other editions
Additional editions
Vincent C. Hu | David F. Ferraiolo | Ramaswamy Chandramouli
Attribute-Based Access Control
Book
10/2017
Artech House Publishers
€141.13
Shipment within 10-20 days
Content
- Attribute-Based Access Control
- Contents
- Preface
- Acknowledgements
- Intended Audience
- 1 Introduction
- 1.1 Overview
- 1.2 Evolution and Brief History of Access Control
- 1.2.1 Academic Contributions
- 1.2.2 Military Concerns
- 1.2.3 Bell and LaPadula Security Model
- 1.2.5 Discontent
- 1.2.6 Role-based Access Control
- 1.2.7 Emergence of ABAC
- References
- 2 Access Control Models and Approaches
- 2.1 Introduction
- 2.2 Terminology
- 2.3 Access Control Models and Policies
- 2.4 Policy Enforcement
- 2.5 Discretionary Access Control
- 2.6 Mandatory Access Control Models
- 2.6.1 Multilevel Security
- 2.6.2 Chinese Wall Policy and Model
- 2.6.3 Role-Based Access Control
- References
- 3 Attribute Based Access Control
- 3.1 Introduction
- 3.2 ABAC Architectures and Functional Components
- 3.3 Logical-Formula and Enumerated ABAC Policy Models
- 3.4 ABAC Model-Applications Primatives
- 3.5 Hierarchical Group and Attribute-Based Access Control
- 3.6 Label-Based ABAC Model with Enumerated Authorization Policy
- 3.7 Hybrid Designs Combining Attributes with Roles
- 3.8 ABAC and RBAC Hybrid Models
- 3.9 Complexities of RBAC Role Structures
- 3.10 Complexities of ABAC Rule Sets
- 3.11 Dynamic Roles
- 3.12 Role Centric Structure
- 3.13 Attribute Centric Structure
- 3.14 Conclusion
- References
- 4 ABAC Deployment Using XACML
- 4.1 Introduction
- 4.2 Business and Technical Drivers for XACML
- 4.3 XACML Standard-Components and Their Interactions
- 4.3.1 XACML Policy Language Model
- 4.3.2 XACML Context (Request and Response)
- 4.3.3 XACML Framework (Data Flow Model)
- 4.4 ABAC Deployment Using XACML
- 4.4.1 Access Policy Formulation and Encoding
- 4.4.2 Request/Response Formulation
- 4.4.3 Policy Evaluation and Access Decision
- 4.5 Implementation of XACML Framework
- 4.5.1 Attribute Support and Management
- 4.5.2 Delegation
- 4.6 Review and Analysis
- References
- Appendix A
- 5 Next Generation Access Control
- 5.1 Introduction
- 5.2 Policy and Attribute Elements
- 5.3 Relations
- 5.3.1 Assignments and Associations
- 5.3.2 Prohibitions Denials
- 5.3.3 Obligations
- 5.4 NGAC Decision Function
- 5.5 Delegation of Access Rights
- 5.6 NGAC Administrative Commands and Routines
- 5.7 Arbitrary Data Service Operations
- 5.8 NGAC Functional Architecture
- 5.8.1 Resource Access
- 5.8.2 Administrative Access
- 5.9 Conclusion
- References
- 6 ABAC Policy Verifications and Testing
- 6.1 Introduction
- 6.2 ABAC Policy Classes
- 6.2.1 Static Policy Class
- 6.2.2 Dynamic Policy Class
- 6.2.3 Historical Policy Class
- 6.3 Access Control Safety and Faults
- 6.4 Verification Approaches
- 6.4.1 Model Verification
- 6.4.2 Coverage and Confinements Semantic Faults
- 6.4.3 Property Confinement Checking
- 6.4.4 Implementation Test
- 6.5 Implementation Considerations*
- 6.6 Verification Tools
- 6.6.1 Multiterminal Binary Decision Diagrams
- 6.6.2 ACPT
- 6.6.3 Formal Methods
- 6.7 Conclusion
- References
- 7 Attribute Consideration
- 7.1 Introduction
- 7.2 ABAC Attributes
- 7.3 Consideration Elements
- 7.4 Preparation Consideration
- 7.4.1 Subject Attribute Preparation
- 7.4.2 Object Attribute Preparation
- 7.4.3 Environment Condition Preparation
- 7.4.4 Metadata
- 7.5 Veracity Consideration
- 7.5.1 Attribute Trustworthiness
- 7.5.2 Attribute Value Accuracy
- 7.6 Security Consideration
- 7.6.1 Attribute-at-Rest
- 7.6.2 Attribute-in-Transit
- 7.7 Readiness Consideration
- 7.7.1 Refresh
- 7.7.2 Synchronization
- 7.7.3 Cache
- 7.7.4 Backup
- 7.7.5 Log
- 7.8 An Example of a General Attribute Framework
- 7.9 Attribute Evaluation Scheme
- 7.9.1 AES Examples
- 7.9.2 Attribute Practice Statement
- 7.10 Conclusion
- References
- 8 Deployments in Application Architectures
- 8.1 Introduction
- 8.2 ABAC for Distributed Systems
- 8.2.1 Access Control Challenges of Distributed Systems
- 8.2.2 BigData Access Control as a Distributed System Access Control Example
- 8.2.3 Implementation Considerations
- 8.2.4 Analysis and Conclusions
- 8.3 ABAC for Web Services
- 8.3.1 Web Services- A Brief Background
- 8.3.2 ABAC Suitability for Web Service Environments
- 8.3.3 ABAC for Web Service Environments Without Workflows
- 8.3.4 ABAC for Web Service Environments with Workflows
- 8.3.5 Combined Challenges in Using ABAC for Web Service Environments (With and Without Workflows)
- 8.3.6 Web Services Environment-Summary of Requirements
- 8.4 ABAC for Stand-Alone Workflow Processes
- 8.4.1 Challenges and Requirements for ABAC Configuration for Stand-Alone Workflow Processes
- 8.4.2 ABAC Deployment for Stand-Alone Workflow Processes: Integrated Approach
- 8.4.3 ABAC Deployment for Stand-Alone Workflow Processes: Loosely Coupled Approach
- 8.4.4 Analysis and Conclusions
- References
- 9 ABAC Life-Cycle Issues: Considerations
- 9.1 Introduction
- 9.2 Enterprise ABAC Concepts
- 9.2.1 Enterprise ABAC Policy
- 9.2.2 Attribute Management in Enterprise ABAC
- 9.2.3 Access Control Mechanism Distribution in Enterprise ABAC
- 9.3 ABAC Enterprise Considerations
- 9.3.1 Initiation Phase Considerations
- 9.3.2 Acquisition/Development Phase Considerations
- 9.3.3 Implementation/Assessment Phase Considerations
- 9.3.4 Operations/Maintenance Phase Considerations
- 9.4 Conclusion
- References
- 10 ABAC in Commercial Products
- 10.1 Introduction
- 10.2 Axiomatics Data Access Filter
- 10.2.1 Product Architecture and Modules
- 10.2.2 Canonical Features in Product Modules
- 10.3 Jericho Systems EnterSpace 9
- 10.3.1 Product Architecture and Modules
- 10.3.2 Canonical Features in Product Modules
- 10.4 NextLabs ABAC Solution
- 10.4.1 Functional Architecture and Components
- 10.4.2 Canonical Features in Product Modules
- References
- 11 Open Source ABAC Implementations: Architecture and Features
- 11.1 Introduction
- 11.2 NGAC PM: Functional Architecture
- 11.3 NGAC PM: ABAC Model Definition Capabilities
- 11.4 NGAC PM: Access Decision Process
- 11.5 NGAC PM: Design and Application Integration
- 11.6 Summary and Analysis
- References
- About the Authors
- Index
