To fully understand access control flaws, let’s first describe access control systems – the space where these flaws are created. Access control systems are utilized by organizations to restrict or authorize access to network resources. These systems are most notably utilized to ensure that unintended users are unable to gain access to sensitive information (e.g. WikiLeaks). Within the access control systems, policies are created that contain rule defining criteria (Subject, Action, Resource, Condition etc.) to grant or restrict access to resources. An example of an access control policy titled Accounting Managers may contain the following rule: Accounting Managers are never able to edit financial records that are marked “Finalized”. In this example once the policy has been deployed, the system will make a decision to Deny access if an Accounting Manager were to attempt to edit a financial record marked Finalized. As you can imagine, large companies may have hundreds of thousands of complex policies all containing several interconnecting rules. In such a way, as organizations’ policies become more complex the risk for accidental access control flaws increases subsequently.
Access control flaws can be defined as unintended access decisions caused by misconfigured rules, policies, or algorithms within an access control system. Often these flaws are hidden from detection due to access decisions being connected to more than one rule or policy. See the table below to see examples of the access control flaws that commonly occur:
Access Control Flaw | Description |
---|---|
Block Privilege | User should have access but does not have access |
Leak Privilege | User should not have access but does have access |
Not Protected Resource | Defined resource is not protected under any rules |
Rule Conflict | Two or more rules, defining opposite authorization |
Inconsistent Assignment | Error in attribute labeling during policy creation |
Inheritance Loop | User granted recursive and subsequent inheritance |
Undecided Rules | Rule is not properly defined or missing a step |
Separation of Duty | Access rule creates unintended conflict of interest |
Up until recently, there has been no simple way to test access control policies for potential access control flaws. However, InfoBeyond’s team of engineers and scientists along with their partnership with NIST has developed the first ever commercialized software tool for testing access control policies during the policy design phase. Now organizations can have the peace-of-mind that their access control policies are operating as intended before deployment. Their product, Security Policy Tool, allows you to import your current policies (e.g. XACML) into the software tool to begin testing, analyzing, and editing your policies to eliminate any access control flaws. Security Policy Tool is especially useful for Financial, Government, Healthcare, Military, and Security industries although it can be used for any organization that utilizes an access control system. Check out our website to learn more and download our FREE demo to see for yourself the value Security Policy Tool can deliver to you!
Acknowledgement:
Security Policy Tool is a commercial version of NIST(National Institute of Standards and Technology)’s ACPT (Access Control Policy Tool) . ACPT is developed by NIST for Proof of Concept with some capability restrictions. With tremendous consultant to NIST experts, Security Policy Tool substantially enhances and expands the NIST’s ACPT design with advanced features for achieving high security confidence access control levels such that it can be commercialized. The development of Security Policy Tool is financially sponsored by NIST via a SBIR (Small Business Innovation Research) Phase I and II program. It specifically improves the NIST’s ACPT design to provide a robust, unified, professional, and functionally powerful access control policy tool. Company (www.infobeyondtech.com) Security Policy Tool Page (www.securitypolicytool.com)