The Problem With Not Using A Policy Verification Tool

Thursday, August 24, 2017

To better understand the critical problems that Security Policy Tool solves, let’s take a look at what led to the development of the commercial product.


The National Institute of Standards & Technology (NIST)’s Access Control Policy Tool (ACPT) project was created with the goal of giving organizations a simple way to exhaustively test their access control policies. Without an Access Control Policy Verification Tool like Security Policy Tool/ACPT, hidden errors left by incomplete testing processes can be present without anyone knowing. Access control policies that are deployed with errors leave their organization’s network resources (sensitive data, etc.) at risk of unintended use and access. These faulty access control policies can have devastating consequences, as was seen most famously in the Eric Snowden Incident.


So here’s the problem. By nature, access control policies, typically created via XACML, are very complex. Often, the larger the organization is, the larger its policies must become to define all of the required access rules/policies. The only way to ensure that there are no errors is to test the access control policies before deployment. However, there are many problems associated with the current practice of manual human testing.


Some of the problems: there is no structured testing framework, it is difficult to reconcile conflicts, comprehensive testing is difficult, human testing is less effective than Combinatorial Testing, and hand-crafted policies are difficult to check for correctness. Essentially, without using an Access Control Policy Verification Tool it will be very challenging to achieve 100% coverage testing, leaving open the possibility of security vulnerabilities.


Over several years of research and development, ACPT came to life, though still with some limitations. To fully deliver on the need for this technology, the project would have to be transformed into a commercial product. InfoBeyond Technology LLC was awarded the task of doing so, with the desire to greatly enhance the features and functionality.


Now, Security Policy Tool solves all the problems associated with traditional human access control policy testing while also giving the user a much easier, user-friendly design and full XACML compatibility. Security Policy Tool not only enhances security; it also makes it easier than ever before for access control specialists to design/edit policies.


