There are several specifications published by notable organizations promoting the need for rigorous access control testing and verification to prevent access control leaks (e.g. data breach). These specifications can very generally be summarized as such:
Access control policies govern the authorization of an attempted request to access online resources in a software system. The resources in a system vary such as networking devices, infrastructure, data, services, or other security-critical components accessible in a network. Access control has been broadly used for financial, security, privacy, safety, defense, and many other applications to protect the resources from being accessed by unauthorized users.
Access control policies for cybersecurity are enforced by an access control model, such as Attribute-based Access Control (ABAC), Multilevel Security, and Workflows. The legacy DAC (Discretionary Access Control), RBAC (Role-Based Access Control), OrBAC (Organization-Based Access control), MAC (Mandatory Access Control), IBAC (Identity-Based Access Control), HBAC (History-Based Access Control), RsBAC (Responsibility Based Access control) can be evolved into an ABAC model.
XACML (eXtensible Access Control Makeup Language) 2.0/3.0 defines a framework for access control policy enforcement. The framework includes PEP (Policy Enforcement Point), PDP (Policy Decision Point), PIP (Policy Information Point), PAP (Policy Administration Point), and PRP (Policy Retrieval Point). XACML defines a standard language to describe the access control policies such that they can be deployed in the access control system. A user-end request to access a resource is routed to PEP which transfers the request to a PDP for evaluation and authorization decision. PDP then refers to PIP and PRP for a necessary verification through a PAP.
InfoBeyond Technology LLC has developed Security Policy Tool to provide key enhancements to the way organizations prevent access control security leaks due to misconfigured policies. Security Policy Tool is not directly located within the typical access control security framework. Security Policy Tool is a standalone access control tool for creating, editing, modeling, testing, and verifying your access control policies to help prevent organizations from unintentionally deploying flawed policies. After verifying your policies are free of errors you can export (via XACML) your newly secured and verified policies for deployment into the access control system your business or organization uses.
“Access control systems are among the most critical of computer security components. Faulty policies, misconfigurations, or flaws in software implementations can result in serious vulnerabilities. To formally and precisely capture the security properties that access control should adhere to, access control models are usually written, bridging the gap in abstraction between policies and mechanisms. Identifying discrepancies between policy specifications and their intended function is crucial because correct implementation and enforcement of policies by applications is based on the premise that the policy specifications are correct. As a result, policy specifications represented by models must undergo rigorous verification and validation through systematic verification and testing to ensure that the policy specifications truly encapsulate the desires of the policy authors. Verifying the conformance of access control policies and models is a non-trivial and critical task, and one important aspect of such verification is to formally check the inconsistency and incompleteness of the model and safety requirements of the policy, because an access control model and its implementation do not necessarily explicitly express the policy, which can also be implicitly embedded by mixing with direct access constraints or other access control models.” - Abstract (NIST SP 800-192)
“This document provides Federal agencies with a definition of attribute based access control (ABAC). ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. This document also provides considerations for using ABAC to improve information sharing within organizations and between organizations while maintaining control of that information.” – Abstract (NIST SP 800-162)
“Access control is perhaps the most basic aspect of computer security. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access control. In many systems access control takes the form of a simple password mechanism, but many require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. In some cases, authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various documents and the security level of the user accessing those documents. This publication explains some of the most commonly used access control services available in information technology systems, their structure, where they are likely to be used, and advantages and disadvantages of each.” – Abstract (NISTIR 7316)
“Nearly all applications include some form of access control (AC). AC is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. AC systems come with a wide variety of features and administrative capabilities, and their operational impact can be significant. In particular, this impact can pertain to administrative and user productivity, as well as to the organization’s ability to perform its mission. Therefore, it is reasonable to use quality metrics to verify the mechanical properties of AC systems. This document discusses the administration, enforcement, performance, and support properties of AC mechanisms that are embedded in each AC system. Because of the rigorous nature of the metrics and the knowledge needed to gather them, these metrics are intended to be used by AC experts who are evaluating the highest security AC systems.” – Abstract (NISTIR 7874)
This publication provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. The RMF promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes, provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and system development life cycle. Applying the RMF within enterprises links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function) and establishes lines of responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls) – Abstract (NIST 800-37)
This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 4. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security control assessments and privacy control assessments that support organizational risk management processes and that are aligned with the stated risk tolerance of the organization. Information on building effective security assessment plans and privacy assessment plans is also provided along with guidance on analyzing assessment results. – Abstract (NIST SP 800-53A)
“ABAC is a logical access control model that is distinguishable because it controls access to objects by evaluating rules against the attributes of the entities (subject and object) actions and the environment relevant to a request. Attributes may be considered characteristics of anything that may be defined and to which a value may be assigned. In its most basic form, ABAC relies upon the evaluation of attributes of the subject, attributes of the object, environment conditions, and a formal relationship or access control rule defining the allowable operations for subject-object attribute and environment condition combinations. All ABAC solutions contain these basic core capabilities to evaluate attributes and environment conditions, and enforce rules or relationships between those attributes and environment conditions. ABAC systems are capable of enforcing both Discretionary Access Control (DAC) and Mandatory Access Control (MAC) models. Moreover, ABAC systems can enable Risk-Adaptable Access Control (RAdAC) solutions, with risk values expressed as variable attributes.” - NIST – CSRC
“Financial institutions engaging in any form of Internet banking should have effective and reliable methods to authenticate customers. An effective authentication system is necessary for compliance with requirements to safeguard customer information,3 to prevent money laundering and terrorist financing,4 to reduce fraud, to inhibit identity theft, and to promote the legal enforceability of their electronic agreements and transactions. The risks of doing business with unauthorized or incorrectly identified persons in an Internet banking environment can result in financial loss and reputation damage through fraud, disclosure of customer information, corruption of data, or unenforceable agreements.” – Background (Federal Financial Institute Examination Council)
“This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed.” – Abstract (RFC 4949)