The National Institute of Standards and Technology (NIST) recently released Special Publication (SP) 800-192 on June 28, 2017. In NIST’s latest publication, it examines how access control policy/model testing is performed and why it is so important. Here’s a brief summary on some of the takeaways from the report.
Access control policies contain a collection of individual requirements (e.g. rules). Each individual requirement will either permit or deny a request from a subject to take a specified action on a particular resource (e.g. HR Intern --> Duplicate --> File 3 = DENY). Multiple access control policies are then managed within access control models such as Attribute Based Access Control (ABAC) Model, Role Based Access Control (RBAC) Model, Multilevel Security (MLS) Model, Separation of Duty (SOD) Model, and Workflow Model. By using one or several different access control models, organizations can easily visualize and make changes to several policies all in one place.
As organizations create large amounts of access control policies the possibility for errors and security vulnerabilities becomes very high. For this reason, testing and verifying access control policies/models becomes very important. Organizations who choose not to utilize a policy verification tool for exhaustive testing will often find out after a security incident has occurred that their access control policies were in fact designed and deployed with errors. The only way for an organization to be certain their access control system is enforcing the level of security they intend is to test and verify their access control policies/models before deployment.
An access control policy verification tool can test access control polices and models in a few different ways. Polices can be tested using individual security requirements that you can create to test for very specific vulnerabilities in your policies/models. Another way policies can be tested is by using separation of duty requirements to ensure your policies/models are avoiding conflicts of interest as intended. Most notably, a policy verification tool can perform a full coverage test by testing your policies/models against a combinatorial suite of security requirements. By using an access control policy verification tool, you can utilize any combination of the different testing methods to be certain your access control policies and models are working as intended.
Not sure if your company utilizes an access control verification tool? Check out Security Policy Tool – a commercial version of NIST’s Access Control Policy Tool (ACPT). Security Policy Tool is a comprehensive implementation of NIST SP 800-192 and includes powerful XACML functions (e.g., converting the verified policies into XACML format).