Study notes -15

Attribute-Based Access Control

(attribute-based access control, ABAC)

In simple terms, ABAC decides whether a user may access a resource by evaluating a combination of several different attributes.

Access control

Access control is an essential component of data security: it specifies who can access and use corporate information and resources. Through authentication and authorization, access control policies confirm the real identity of the user and that the user holds the appropriate permissions to access corporate data. Access control also covers restricting physical access to campuses, buildings, rooms and data centers.

Access control works by verifying multiple login credentials to identify the user; these credentials include usernames and passwords, PINs, biometric scans and security tokens. Many access control systems also include multi-factor authentication, which requires several authentication methods to be combined in order to verify a user.

After the user's identity has been verified, access control grants the appropriate level of access and permits the operations associated with the user's credentials and IP address.

There are four main types of access control. Organizations usually select the approach that fits their own security and compliance requirements. The four access control models are:

  1. **Discretionary Access Control (DAC)**
    With this method, the owner or administrator of the protected system, data or resource sets the policies that determine who may access it.
  2. **Mandatory Access Control (MAC)**
    This model grants access based on a non-discretionary classification of information. A central authority manages access rights according to security levels; it is very common in government and military environments.
  3. **Role-Based Access Control (RBAC)**
    RBAC grants access based on business function rather than the identity of the individual user. The goal of this approach is to give users access only to the data their role in the organization requires. The method rests on a combination of role assignments, authorizations and permissions, and is very widely used.
  4. **Attribute-Based Access Control (ABAC)**
    In this dynamic approach, access is granted based on a set of attributes assigned to the user, the resource and the environmental conditions, such as time and location.

Related Terms

  1. Attribute: an attribute represents a characteristic of a subject, an object or an environmental condition. Attributes store information as key-value pairs: for example, my role at the company is developer, where role is the key and developer is the value; my team's nickname is wombats, where team is the key and wombats is the value.
  2. Subject: in a system this usually refers to a user or to a non-person entity (NPE), such as a client program, a client accessing an API, or a mobile device. A subject can of course have many attributes, such as the user attributes used in the example above.
  3. Object: the resources the access control mechanism (ACM) needs to manage, such as a file, a particular record, a machine or a web site; any resource whose access needs to be controlled can be called an object. An object can likewise have a number of attributes, for example a table belonging to the wombat group, or a group of online Locke instances. We often describe these as resources, but in an ABAC context they are called objects.
  4. Operation: given an object and a subject, there is naturally something the subject wants to do, such as viewing a record, logging on to a server, using a SaaS service for expense reimbursement, or viewing job candidates. Common operations include read, write, modify and copy; in practice the operation is usually expressed in the request, for example as the HTTP method.
  5. Policy: the relationship between the attributes of the subject, the object and the environmental conditions that together determines whether the subject's request is allowed. In human language a policy might say that only people in the wombat group may access these servers, or that these resources may only be accessed from the office; for a machine it is nothing more than a judgment statement. A policy can of course be a combination of several boolean conditions, for example: only full-time staff of the company, located on the sixth floor and on the company network, may access a given service. The Specification Pattern can be used to implement policies; it is really not that complicated.
  6. Environmental conditions: the operating context in which an access request currently occurs. Environmental conditions describe characteristics of the environment that are independent of the subject and the object and characterize the situation of the system, such as the time, the current security level, or whether this is the production or the test environment.

ABAC authorization procedure

The user sends a request to the resource carrying the relevant attribute values (subject attributes, resource attributes and environment attributes); the authorization engine evaluates the attributes carried by the subject and returns a permit or deny decision, after which the user either can or cannot access the resource.

  1. The user sends the original request to access the resource.
  2. The request reaches the Policy Enforcement Point (PEP), which constructs a request in XACML format.
  3. The PEP sends the XACML request to the Policy Decision Point (PDP).
  4. The PDP retrieves the applicable policy file from the Policy Administration Point (PAP) according to the XACML request.
  5. The PDP looks up the attribute values the policy file needs (subject, resource and environment attributes) from the Policy Information Point (PIP).
  6. The PDP returns its decision (permit, deny, indeterminate, not applicable) to the PEP.
  7. The PEP forwards the request to the resource and returns the resource to the user.
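As an added example (not code from the original post), the following Python model walks through the PEP, PDP and PIP flow described above, with the kind of policy from the Related Terms section (team membership, office network, working hours) written as Specification-style rules. The resource table, the rules and all attribute names are constructed for illustration; the PAP is represented by the in-memory POLICY list.

```python
from dataclasses import dataclass, field
from typing import Callable

PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE = "Permit", "Deny", "Indeterminate", "NotApplicable"

@dataclass
class Request:  # the XACML-style request the PEP builds (simplified, constructed for this example)
    subject: dict
    resource: dict
    action: str
    environment: dict = field(default_factory=dict)

@dataclass
class Rule:  # Specification Pattern: target says when the rule applies, condition when it fires
    target: Callable[[Request], bool]
    condition: Callable[[Request], bool]
    effect: str

# Constructed PIP data: resource attributes that the incoming request does not carry itself.
PIP_RESOURCES = {"srv-01": {"type": "server", "owner_team": "wombats"}}

def pip_lookup(resource_id: str) -> dict:
    return PIP_RESOURCES.get(resource_id, {})

# Constructed policy (what a PAP would hold): only full-time members of the owning team
# may read a server, and only from the office network during working hours.
def server_read(r):
    return r.resource.get("type") == "server" and r.action == "read"

POLICY = [
    Rule(server_read, lambda r: r.subject["employment"] != "full_time", DENY),
    Rule(server_read, lambda r: r.subject["team"] == r.resource["owner_team"]
         and r.environment["network"] == "office" and 9 <= r.environment["hour"] < 18, PERMIT),
]

def pdp_decide(req: Request) -> str:
    """PDP: deny-overrides combining; a missing attribute yields Indeterminate rather than a guess."""
    try:
        effects = {rule.effect for rule in POLICY if rule.target(req) and rule.condition(req)}
    except KeyError:
        return INDETERMINATE
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

def pep_enforce(subject: dict, resource_id: str, action: str, environment: dict) -> tuple:
    """PEP: build the request, enrich it from the PIP, ask the PDP, and fail closed unless Permit."""
    req = Request(subject, {"id": resource_id, **pip_lookup(resource_id)}, action, environment)
    decision = pdp_decide(req)
    return decision, decision == PERMIT
```

Note that the PEP treats Indeterminate and NotApplicable exactly like Deny; a decision point that cannot evaluate a required attribute should never be interpreted as a grant.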

Technical advantages

  1. No modification of client and server

    Lianshi CipherGateway adds ABAC capability "transparently" to an application system without modifying the original client or server applications and with a short deployment time, so no additional user training is needed. Even if a problem occurs, the application can be restored to use within minutes, normal operation of the existing business is not affected, and the risk of switching over is minimized.

  2. Able to adapt to changes in real-time dynamic data

    Faced with frequently changing data, the ABAC function of Lianshi CipherGateway can, from an overall viewpoint, configure access control policies on the attributes of data at its different stages. Based on real-time attribute information about the three elements of the requester, the environment and the data being accessed, it triggers the appropriate access control policy, achieving dynamic management of access control and reducing administrative and operational costs.

  3. Able to adapt to cross-application data access control

    In large enterprise application integration, data flows between heterogeneous systems while access to the data is still managed by each application separately. The ABAC function of Lianshi CipherGateway can be combined with the full life cycle of the data, managing as attributes the data's various states, its transfer and use, the applications involved and environmental factors, and using these as the basis for access control policies.

  4. Able to adapt to the requirements of data confidentiality

    To keep server data secure, encryption must be considered in addition to strengthening access control. The ABAC function of Lianshi CipherGateway uses patented encryption technology to encrypt enterprise sensitive data selectively, based on attribute values, rather than applying "one size fits all" encryption, improving data security without affecting performance or working efficiency.

Origin www.cnblogs.com/gdman/p/12596880.html