Access Control Policy Analysis: 4 Steps To A More Secure Access Control System Before Access Control Policies are Deployed

Tuesday, October 9, 2018

Whether you are a student attending a university, an employee at a small company, or a top official at a major government agency; the strength of cybersecurity systems affects us all.

One of the first lines of defense in an online environment are access control systems. They are responsible for authorizing that the right subjects have access to the online resources they need while also preventing access to subjects who should not. These access decisions and scenarios are written as rules within access control policies. Often composed in a verbose language called XACML, these policies are responsible for outlining exactly how the access control system should govern subject privileges.

Access Control Policy Analysis - 4 StepsThe strength of an organization’s access control security is only as strong as the policies they have created. A hidden logical error or misassignment in an access control policy could be leaving your company vulnerable to a cyber-attack. As a result, you should be careful to ensure your access control policies designed are verified as their intentions. The questions how to properly design your access control policies and how they can be verified with error-free. Here are four steps to a more secure access control system: 

1.  Access Control Policy Modeling

Anyone who has implemented Attribute-based Access Control (ABAC) and worked with eXtensible Access Control Markup Language (XACML) will agree, it’s not always an easy document to work with. Add in the fact that XACML is typically written to define 100’s if not 1,000’s of rules, and you can quickly get in over your head. By modeling their policy and rule logic, IT Security Specialists can get an overview visualization of their policies. This provides a more straightforward way to view their policy in a highly organized form. 

2.  Access Control Policy Testing 

After modeling their policies, organizations should create test cases to which represent meaningful situations in which their policy would be evaluated against. This in itself can be a challenge coming up with several hundred (or even thousands) of test cases which provide enough substance to cover all of an organization’s possible access scenarios thoroughly. The more test cases that can be created based on their policy the more likely small hidden errors can be found in the next step. 

3.  Access Control Policy Verification

After test cases have been created the IT Security Specialist could now begin running policy verification tests. To do this, the organization would specifically choose which policies that they would want to verify against which test cases they have created in the previous step. After doing so, policy results will aggregate to analyze. In this step, the specialist would be able to go through their results and identify any discrepancies between what result was believed to come from the verification and what result was actually aggregated.

4.  Access Control Policy - XACML Conversion 

After verifying that their policies were free of logical errors or discrepancies the specialist would then need to convert their secure modeled policies back into XACML so that their system can once again be given instruction when access request are made. This instills confidence that their XACML is free of errors and flaws than if they had not modeled, tested, and verified originally.

Now you may be asking yourself how do you achieve all of these capabilities? Security Policy Tool, a standalone access control policy analysis tool, provides all this in one user-friendly and powerful solution. With extensive modeling, testing, and verification features, specialists can be certain that their access control policies are free of flaws and misassignments. Also included in Security Policy Tool is an intuitive GUI and text-based XACML Editor. As mentioned in the steps above, after verifying their modeled policies are fully secured specialists can easily convert them into XACML to deploy into the access control system that they utilize. Currently, users can sign up and try the Security Policy Tool - Lite Version for free today to see for themselves the value of access control policy verification. Try it free today by clicking on this link here: Lite Version.