ABAC

NIST Guide Aims To Ease Access Control

Advice on how to encourage information sharing while preserving control over access to data is provided in a new special publication from the National Institute of Standards and Technology. NIST Special Publication 800-162 is titled Guide to Attribute-Based Access Control Definition and Considerations. Attribute-based access control, or ABAC, is a logical access control methodology in which authorization to perform a set of operations is determined by evaluating attributes associated with the subject, such as a user or employee; the object, such as a specific computerized resource; and the requested operations. The flexibility of the ABAC model allows the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object, according to the NIST guidance. "Access decisions can change between requests by simply changing attribute values, without the need to change the subject/object relationships defining underlying rule sets," says NIST Computer Scientist Vincent Hu, who co-wrote the guidance. "This provides a more dynamic access control management capability and limits long-term maintenance requirements of object protections."

Example on How ABAC Works

NIST offers the following scenario to describe the workings of ABAC: Nancy Smith, a nurse practitioner in a hospital's cardiology department, is the subject, and when hired at the medical center, she is assigned a set of attributes: her name, title and department, for instance. She's assigned access to an object, in this case, medical records of heart patients. Resources may receive their attributes either directly from their creator or as a […]
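To make the scenario concrete, here is a small policy decision point in the spirit of SP 800-162 that evaluates subject, object and action attributes against a rule set. It is an added example, not code from NIST or the article; the rule names, the "restricted"/"clearance" attributes and the record attributes are constructed for illustration. It also shows the point Hu makes: the decision for Nancy flips when her department attribute changes, while the rules stay untouched.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class Request:
    subject: dict   # attributes of the requester (e.g. a user or employee)
    action: str     # requested operation, e.g. "read"
    obj: dict       # attributes of the resource being accessed

@dataclass
class Rule:
    name: str
    effect: str     # "permit" or "deny"
    condition: Callable[[Request], bool]

def decide(rules: List[Rule], req: Request) -> str:
    """Deny-overrides combining with default deny: a request is permitted
    only when some permit rule matches and no deny rule matches."""
    matched = {r.effect for r in rules if r.condition(req)}
    if "deny" in matched:
        return "deny"
    return "permit" if "permit" in matched else "deny"

# Constructed policy for the hospital scenario: clinical staff may read
# records of their own department; records flagged restricted are denied
# unless the subject carries a matching clearance attribute.
CLINICAL_TITLES = {"nurse practitioner", "physician"}
POLICY = [
    Rule("clinical-read-own-department", "permit",
         lambda r: r.action == "read"
         and r.subject.get("title") in CLINICAL_TITLES
         and r.subject.get("department") == r.obj.get("department")),
    Rule("restricted-requires-clearance", "deny",
         lambda r: r.obj.get("restricted", False)
         and r.subject.get("clearance") != "restricted"),
]

# Constructed attributes: Nancy Smith, nurse practitioner in cardiology,
# and a heart patient's record owned by the cardiology department.
NANCY = {"name": "Nancy Smith", "title": "nurse practitioner",
         "department": "cardiology"}
HEART_RECORD = {"type": "medical record", "department": "cardiology"}

def nancy_reads_heart_record(department="cardiology", restricted=False):
    # Same rule set every time; only the attribute values change.
    subject = {**NANCY, "department": department}
    record = {**HEART_RECORD, "restricted": restricted}
    return decide(POLICY, Request(subject, "read", record))
```

Moving Nancy to another department, or flagging the record as restricted, is enough to change the outcome without editing a single rule or maintaining a per-user access list.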

NIST Report Reflects Increasing Need for ABAC Then Over-Engineers Its Deployment

by Andy Han

The National Institute of Technology and Standards (NIST) held a conference a few months back on Attribute Based Access Control (ABAC). The primary objective of the conference was to promote a special publication on ABAC, and the event brought together leaders from various government programs, technology vendors, industry analysts and subject matter experts on authorization and access control. The event and paper are recognition that the adoption of ABAC is accelerating and that we needed to put in writing a shared understanding of when and how to deploy ABAC. There was agreement on the central driver for the adoption of ABAC: organizations, including the federal government, need to govern how information is shared across systems, applications, and organizations. The document's purpose is thus to (1) establish a standard definition of ABAC and a description of its functional components and (2) provide "planning, design, implementation, and operational considerations for employing ABAC within a large enterprise with the goal of improving information sharing while maintaining control of that information" (vii). ABAC is endorsed by NIST as the best approach for this particular challenge because of the fundamentals of its design. ABAC allows organizations to pass attributes back and forth as information is shared across application, infrastructure, and organizational boundaries. Access control policies use those attributes to evaluate the relationships between subjects and objects and determine whether to allow an action. One of the core technical benefits of ABAC, according to the report, is "ABAC avoids the […]