Security Policy Tool: 5 Ways to Close The Door to Access Control Leaks

Thursday, May 31, 2018

Access control systems are essential tools used by organizations to protect their online assets from cyber-threats. Whether it’s an insider who has grown frustrated with their organization or a hacker attempting to gain entry to a company’s network infrastructure; the strength of these systems is key to preventing inadvertent security events.

Access control policies are in a sense the “administrator” of access control systems. These policies written in XACML give the information and direction needed for the system to deliver an access decision (e.g., Deny, Permit) when a request is made. Policies containing unknown errors or logical flaws can enable malicious individuals/groups to exploit these unsecured organizations. Learn the five ways Security Policy Tool helps protect your organization’s network resources from cyber-attacks.



1.)    Compliance with NIST SP 800-192

In June 2017, NIST released their Special Publication (800-192) titled Verification and Test Methods for Access Control Policies/Models. In this publication, the authors (Vincent C. Hu; Rick Kuhn; Dylan Yaga) urge organizations to certify their access control policies “undergo rigorous verification and validation through systematic verification and testing to ensure that the policy specifications truly encapsulate the desires of the policy authors.” Hu, Kuhn, and Yaga go on to mention that it is more likely that a system’s security is jeopardized as a result of misconfigured access control policies “rather than the failure of cryptographic primitives or protocols.” NIST’s work to research and promote the necessity of policy verification has been the leading contributor to InfoBeyond Technology’s development of Security Policy Tool. Organizations who implement Security Policy Tool within their access control maintenance processes will be in full concurrence with NIST’s access control security research. You can read the full publication here: NIST SP 800-192

2.)    Policy Visualization Through GUI/Text Modeling

Access control policies while as XACML documents are not always easy to visualize in their entirety. Modeling access control policies gives the IT Specialist a user-friendly medium to view an abstraction of their access control policies and rules. This, in turn, gives them more control over their policies resulting in a much lower risk for misconfiguration following testing and verification.  Security Policy Tool supports Attribute-based Access Control (ABAC), Multilevel Security (MLS), and Workflow policy modeling. If your organization has implemented Role-based Access Control (RBAC), you can still model your policy with Security Policy Tool. You will define attributes and attribute values in such a way that are consistent with your Role-based implementation. IT Specialists can also build and view Inheritance/Beneficiary relationships for both Subject and Resource attributes in an interactive GUI flowchart.

3.)    Specific and Comprehensive Testing

With Security Policy Tool’s policy verification features organizations can test their modeled policies against security requirements in a systematic environment. In a situation the Specialist had a policy or rule they wanted to investigate for a verification result specifically, they can choose to create specific or individual requirements to use for testing. Alternatively, the Specialist can create an extensive amount of test cases (>99% coverage) using the Combinatorial Test Suite feature. This feature is a direct implementation of NIST’s access control testing algorithm and the core result of their research on policy verification. The Combinatorial Test Suite feature can automatically generate a substantial amount of test cases enabling rigorous policy model verification efficiently. Manual, human testing does not feasibly allow full-coverage testing; however, with Security Policy Tool full-coverage can be achieved with just a few clicks of your mouse.

4.)    Identifying Rule/Policy Logic Errors

As stated in NIST SP 800-192, “Identifying discrepancies between AC policy, model, and implementation is crucial because correct enforcement of policies is based on the premise that the policy specifications and implementations are correct.” Security Policy Tool enables Specialists to verify the security of their policy and rule logic before deployment into their enforcement system. Common errors in access control policies include Privilege Leakage, Privilege Block, Cyclical Inheritance, Privilege Conflict and several others. These types of errors are most likely to compromise the security of access control systems if they are deployed unknowingly. With Security Policy Tool, Specialists can analyze their verification results for these types of errors in a user-friendly environment saving them time and cost in the process.       

5.)    Secured Policy – XACML Conversion

After successful modeling, testing, and verification Specialists can convert their newly secured policies into XACML for easy portability. Security Policy Tool’s XACML Editor can then be used in conjunction with these converted XACML policies for any additional editing required to meet organizational needs. The XACML Editor is based on complete XACML 2.0/3.0 standards and includes an intelligent syntax error checker to ensure policies stay secured while making changes. Learn more about how the XACML Editor included in Security Policy Tool helps save time and prevent errors in our previous news piece here.


InfoBeyond Technology LLC is changing the game in access control security by providing the first robust solution for modeling, testing, and verifying access control policies. Try Security Policy for free today and see for yourself how policy verification helps you close the door to access control leaks. Click here to begin creating your free Security Policy Tool account, right now!