Many years ago I was hosting a series of workshops on a variety of security topics. One of those topics dealt with role-based, attribute-based, and policy-based access control approaches and I was lucky to get Mr. Dave Ferraiolo as one of my presenters for the workshop. Dave has been a long-time evangelist for NIST on workable approaches to access control challenges. He and Dr. Chandramouli (Mouli to his friends) have been busy working since 2015 and earlier on the next generation access control approach or NGAC. According to both, NGAC is a fundamental reworking of traditional access control to meet the needs of the modern, distributed, interconnected enterprise – like IoT. According to Dave, NGAC provides a unifying framework capable of supporting current access control approaches as well as novel types of policy that have been conceived yet never implemented due to the lack of a suitable means of expression and enforcement. So this interview by ActiveCyber.net is an attempt to bring NGAC’s significant benefits to the forefront and into your browser for consumption. Learn more about NGAC from its inventors in the interview below.
Spotlight on Mr. Dave Ferraiolo and Dr. Ramaswamy Chandramouli
» Title: Manager of the Secure Systems and Applications group of the Computer Security Division, at the National Institute of Standards and Technology (NIST); and Senior Computer Scientist at the Computer Security Division at NIST, respectively.
Read their bios below.
Chris Daly, Active Cyber™: Can you describe NGAC in a few sentences?
Mr. Dave Ferraiolo and Dr. Ramaswamy Chandramouli, Computer Security Division, NIST: Next Generation Access Control (NGAC) is an ANSI/INCITS standard that defines access control in terms of the attributes or properties of entities that participate in the authorization process, such as users, objects, and environment— just like the ABAC model constructs. However, unlike other implementations of ABAC, NGAC represents access control data in terms of a fundamental and reusable set of relations and functions. NGAC can express a wide variety of policies and enforce combinations of those policies simultaneously, as the representation enables the identification of objects accessible under each individual policy. NGAC is amenable to deployment in a wide variety of operational environments.
Active Cyber™: In December 2012, the National Strategy for Information Sharing and Safeguarding included a Priority Objective that the Federal Government should extend and implement the FICAM Roadmap across Federal networks in all security domains, a roadmap which was stated to recommend ABAC as the path. How did the NGAC Framework originate, what place does it have in the FICAM Roadmap, and what steps are you taking to position NGAC for adoption by the federal government?
Mr. Ferraiolo and Dr. Chandramouli, NIST: The origin of NGAC began in the mid-2000s as a research project called the Policy Machine. While researchers, practitioners, and policymakers have specified a large variety of access control policies to address real-world security issues, only a relatively small subset of these policies could be enforced through off-the-shelf technology and an even smaller subset through any one mechanism. Policy Machine was devised to offer a new perspective on access control in terms of a fundamental and reusable set of data abstractions and functions that supports commonly known and implemented access control policies, as well as combinations of common policies and policies for which no access control mechanism had previously existed.
From the onset, administration of access control data (including delegation) was considered an integral part of the framework. A proof-of-concept system that embodied these principles was developed, and subsequent iterations improved the policy diversity and expressiveness of authorizations. Based on the need to standardize the access control model used in Policy Machine with the goal of encouraging large-scale adoption, NGAC was developed.
All policies that can be expressed in ABAC through XACML can be captured through relations and functions of NGAC, thus removing the tight coupling between policies and models. By providing a model that is policy-agnostic, NGAC has become a natural candidate for adoption by the Federal Government where multi-policy support is a critical requirement.
As an access control framework that can support all ABAC policies, NGAC is well-positioned to meet the FICAM roadmap. The primary enabler for this is the availability of off-the-shelf NGAC products, which is currently lacking but as we discuss later, the scenario is changing. When implemented in a service mesh architecture, security infrastructure support for cloud-native applications is repeatedly and uniformly provided through policy definitions and configuration values at the control plane with policy enforcement at the data plane residing in service proxies. This has the potential to streamline the onerous FEDRAMP certification process for those applications. Similarly, a streamlined certification process can potentially be applied to NGAC when deployed as an infrastructure application, making it broadly available for government use. In addition to the expression and enforcement of a wide variety of access control policies, the NGAC facilities framework can be used to effectuate security-critical portions of the program logic of arbitrary applications and enforce mission-tailored access control policies over applications. This capability is supportive of DoD and civilian agency DevSecOps objectives and provides a basis in support of the Government’s Zero Trust Architecture goals.
Active Cyber™: The NGAC Architecture looks like the XACML architecture. Please compare and contrast the two and explain where NGAC will succeed where XACML has stumbled.
Mr. Ferraiolo and Dr. Chandramouli, NIST: On the surface, XACML and NGAC seem similar because their architectures have some commonly named components that, in some cases, exhibit similar behavior while other components do not. Common to XACML and NGAC are Policy Enforcement Points (PEPs) for trapping access requests and enforcing policy over those requests as well as Policy Decision Points (PDPs) for computing decisions to accommodate or reject those requests based on access control data. Under the hood, XACML and NGAC provide dramatically different means for representing, storing, and applying access control data. XACML creates and manages its policies (a portion of its access control data) via Policy Administrative Point (PAP) using the XACML policy language, which is stored as rule in a Policy Retrieval Point (PRP). XACML also stores attributes (a different portion of its access control data) in a separate store called a Policy Information Point (PIP). NGAC represents both policies and attributes collectively as a standard set of relations that is stored in the NGAC data repository called PIP. NGAC also includes an Event Processing Point (EPP) and a Resource Access Point (RAP) that are not recognized by XACML.
So how might NGAC succeed where XACML has stumbled?
It is important to note that our research and technology transfer objectives are not to compete with XACML but rather to provide an alternative approach to ABAC where both frameworks coexist and allow the consumer to choose. However, NGAC seems to compare favorably to XACML in terms of performance, manageability, ease of integration, policy support, and policy visualization.
The NGAC framework can be implemented as a set of service modules with well-defined interfaces that provide the plug-and-play feature needed for integration into existing systems. These service modules can also be implemented in heterogenous platforms, enabling them to be integrated with infrastructure frameworks such as the Service Mesh. XACML specification only includes a workflow architecture and does not specify implementation strategies.
The flexibility and expressiveness of XACML, while powerful, make the specification of policy complex and verbose. Unlike XACML, NGAC is a relations-based standard, which avoids the syntactic and semantic complexity of defining an abstract language for expressing policies. NGAC policies are expressed in terms of relations that can be visualized and manipulated graphically. For example, to describe hierarchical relations and inheritance properties of attributes, NGAC requires only the addition of links representing assignment relations between them; in XACML, relations need to be inserted in a precise syntactic order. NGAC access control policy relations can reside in PDP memory as a graph. On the other hand, XACML’s policies are represented in an XML document and reside in secondary storage where selected portions are identified and imported into PDP memory and converted to a tree structure prior to adjudicating an access control request. Thus, the policy instantiation problem is simplified to a graph partitioning problem in NGAC thanks to efficient algorithms and memory-resident data, giving NGAC tremendous performance advantages.
Furthermore, conducting policy reviews (e.g., which resources can be accessed by a user, who can access a resource, or why a user cannot access a resource) in XACML is equivalent in complexity to the satisfiability problem in propositional logic, which is NP-complete. In comparison, NGAC model representations (e.g., directed acyclic graphs) enable linear time algorithms for computing access decisions and conducting reviews (over only a small portion of its graph that pertains to the user). From a scalability perspective, NGAC can support graphs with several billion nodes (representing users, resources, attributes, and permissions) that can comfortably fit it into PDP memory, far exceeding what is possible in XACML. NGAC also provides policy enforcement over administrative operations. The XACML standard does not specify how attributes or policy data is managed. NGAC manages its relations through a standard set of administrative operations, applying the same PEP interface and decision-making function it uses for controlling access to application resources. Thus, NGAC does not formally distinguish between end-users and administrators but rather treats users as entities with varying administrative and resource access capabilities. This perspective naturally allows for such policies as discretionary access control, history-based separation of duty, and permissible workflows that pertain to select policy-preserving changes to access control data.
Active Cyber™: How does the implementation of NGAC as microservices / service mesh enhance its usefulness as an access control framework? How does Machine learning enhance the effectiveness of NGAC? What are your thoughts on enterprises bridging the large legacy IAM technology and skills gap with this new world (Mesh, ML, NGAC)?
Mr. Ferraiolo and Dr. Chandramouli, NIST: NGAC’s PEP component, implemented in side-car proxies, enables fine-grained access control (at the granularity of each microservice). When tightly integrated with an application component (i.e., microservice) and executing in the same trust domain, side-car proxy provides a high assurance PEP. The presence of an EPP module in NGAC—which provides events related to access history as well as environmental parameters (e.g., time of day) in real time—can leverage ML techniques for the creation of dynamic access control policies that are in tune with the changing operational status of the application. Consider the possibilities for direct and derived raw data that surround an NGAC access event in formulating policy through ML. Direct data can include a process ID, user ID, user attributes, operation, objects and object attributes, time, and location of resource. Derived data can be extracted from the existing access state through policy reviews (e.g., the set of users with access to the object at the time or the set of objects that are accessible to the user or process at the time). The ML can be leveraged to dynamically update policies in response to changes in risk scenarios or security events, such as intrusion detection.
Today’s approach to access control inherently introduces several usability, administrative, and policy enforcement challenges that are taken for granted. Users are forced to authenticate to each computing environment in which data access is sought. Administrators must contend with a multitude of security domains when managing access policies, attributes, and user identities. Although access control systems may appropriately approve executions of operations under its “controlled access state,” these systems are often unaware and powerless with regard to the resulting “real access state.” This is largely due to the arbitrary ways in which many application software modules distribute data access capabilities. An email application may, for example, distribute files to users regardless of an operating system’s protection settings on those files, or data may be copied from one object to another.
NGAC’s approach can address these challenges through a global access control mechanism to formulate and control executions of operations of arbitrary types and replace many fractional access control decision-making and enforcement frameworks with a single, distributed administrative domain and scope of control.
NGAC offers important advantages over application reliance on separate operating environments. First, it significantly reduces the code base needed to implement certain application logic through NGAC configuration. Second, it makes it possible for applications to securely interoperate by enabling and enforcing access control over objects from one application that are embedded in an object of another application since all data services and operations are composed of the same elements. Third, it provides a common, policy-preserving means for managing, searching for, and controlling access to data across applications under a single authenticated session.
Active Cyber™: How is transitive trust supported with NGAC – i.e., when user accesses service A which calls service B which then calls service C, is user identity preserved and passed to C or does it need to? How does one integrate dynamically changing attribute information sources into NGAC? What NGAC mechanisms are employed to ensure that policy decisions are deterministic even in dynamic situations?
Mr. Ferraiolo and Dr. Chandramouli, NIST: NGAC can indirectly support transitive trust depending on the taxonomy of the services. For instance, the NGAC architectural components are services with well-defined interfaces. When user/process issues an access request from a client application (service A), the request is trapped by a PEP (service B) and conveyed to a PDP (service C) for adjudication. The user ID/process ID, operation, and policy element (an object or access control data) of the request is consumed by each service interface. For purposes of operational assurance, each service would need to be identified, corresponding services mutually authenticated, and methods of communication authorized.
Now, consider Tetrate’s NGAC implementation in Istio. Depending on the circumstances, Tetrate treats services as either a user with user attributes or an object with object attributes. As such, when the PEP issues a request to the PDP, the PEP is treated by the control plane as a user with access rights to communicate request data to the PDP. In reverse, the PDP is the user with access rights to communicate grant/deny decisions back to the PEP.
The conflicts between administrative and resource access requests, as well as concurrent policy changes spawned from an event context information flow, have the potential to create race conditions. Race conditions should be addressed in a manner suited to the computational environment of an implementation of the NGAC framework and, as such, are not prescribed by the NGAC standard. Possible methods for resolution include the following:
- Use the locking features of the PIP data store to prevent access to specific policy information structures that are affected by an event context information flow until the flow completes.
- Delay the return of the results from a successful resource or administration access to the client application until the event context information flow for the access completes.
- Enforce a queue structure within a PEP for delaying access attempts initiated within a session by a client application until the previous access completes.
Active Cyber™: How does NGAC accommodate the external (unanticipated) user in a way that is preferred over other methods? What guidance does NGAC provide regarding how trust relationships are established among NGAC entities?
Mr. Ferraiolo and Dr. Chandramouli, NIST: The NGAC standard does not specify any means for accommodating an “unexpected” user, although this has been given some thought and a project has been initiated in this regard.
The project recognizes user attributes as the “currency” for establishing access to resources in a federation of relying parties (RP) where there exists a catalog of overlapping user attributes for achieving access to key resources of mutual interest. Such a catalog may, for example, include the roles and responsibilities used in the healthcare industry for allowing access to select portions of medical records. The project further makes use of a centralized block matrix for storing user assignments to any of those attributes. When a user is assigned to such a user attribute in an RP, that assignment is also reflected in the block matrix. Subsequent changes to those assignments would also be reflected.
Establishing the capabilities for RPs to read from and write to the block matrix provides the basis for trust. Trust is further bolstered, given NGAC’s capability to impose restrictions over user to attribute assignments, under a governance policy. The governance policy feature provides a uniform approach for the creation of user-to-attribute assignments.
For example, if a patient wants his/her doctor from RP1 to access his/her medical record maintained in RP2, the patient would issue a consent request. In response, RP2 would conduct a policy review to determine the minimum set of attributes necessary for reading the patient’s medical record, check the block matrix for those attributes, and onboard the doctor as a temporary user via local assignments to those attributes. This approach offers the advantage of “purpose-based access” to targeted resources across federations and avoids the need for an attribute broker.
Active Cyber™: Where is NGAC implemented in production at scale today? Since process to user mappings are always 1:1 in the NGAC model, how is scalability achieved for policy decisions or enforcements?
Mr. Ferraiolo and Dr. Chandramouli, NIST: The availability of GitHub open-source distribution and the emergence of NGAC as a national standard have enabled the development of a growing number of commercial and academic products. Open Group, for example, has created several proof-of-concept NGAC implementations at the request of its member companies, including one for the protection of collected PII sensitive automobile sensor information for the automotive industry. Perhaps the most advanced commercial player is Medidata Solutions, the leading global provider of cloud-based solutions for clinical research in life sciences. Most of their clinical trials are already managed using Policy Machine/NGAC. The remainder of Medidata’s products, which collectively manage the majority of the world’s clinical trial data, will be migrated to use the Policy Machine/NGAC as well. The developers of the Factory Automation Edge Computing Operating System Reference Implementation (FAR-EDGE)—comprised of global leaders in manufacturing such as Smart Factory, Siemens, Whirlpool, and Volvo—have established a set of services to facilitate factory automation solutions to take advantage of edge computing and IoT architectures. They apply NGAC to meet the need for a flexible, portable, powerful, scalable, and dynamic protection scheme that can operate coherently over a diverse and distributed platform. NGAC has also recently been implemented as an integral part of a service bridge called TetrateQ for the Istio service mesh that uses the Envoy side-car proxies as the data plane. In this implementation, the NGAC server in the control plane houses the NGAC access control graphical database. While processing an application service request, the associated envoy proxy’s authorization filter calls the NGAC server, which delivers the access decision. TetrateQ is the first off-the-shelf NGAC product.
On the academic side, there are at least three PHD dissertations and proof-of-concept implementations of NGAC. One dissertation from Lulea University of Technology in Sweden is based on graph theory and uses NGAC model constructs. An implementation from Boise State is currently in the final phase of developing a proposal management system, applying NGAC to meet business-logic policy, workflow, and performance requirements. Colorado State at Fort Collins has published work and developed demonstration platforms on using NGAC in the protection of electronic medical records. We are also aware that the University of Texas at San Antonio has implemented the Policy Machine in Open Stack, a popular open-source cloud implementation.
When authenticated users initiate access requests, NGAC creates one or more processes on their behalf. These processes can be thought of as simple representations of operating system processes. They have an ID, memory, and descriptors for resource allocations (i.e., “handles”). Thus, the process to user mapping is N:1, allowing for granularity of controls at the process level.
Differentiating between users and processes allows for the creation of fine-grained access restrictions due to NGAC’s ability to dynamically impose deny relations on processes through obligations. Processes take on the same attributes as the invoking user and therefore impose no additional decision-processing burden.
Active Cyber™: What is the role of the Event Processing Point (EPP) within the NGAC Framework? How could it be employed in a risk adaptive access model? How is the NGAC security model applied to an automated environment – such as automated orchestration where users are not well-defined, and many conditions could trigger a process?
Mr. Ferraiolo and Dr. Chandramouli, NIST: The EPP is a functional module that uses event-response relations (called obligations), which provide the basis for the enforcement of history-based and dynamic policies. The event may be the context surrounding an access decision or a change to the environment (e.g., time of day), and the response is a corresponding execution of administrative operations that automatically alter policy state. Obligations can specify operational conditions in support of a variety of policies, including conflict of interest (i.e., if a user reads information from a sensitive data set, that user is prohibited from reading data from a second data set) and workflow (i.e., approving or writing to a field of a work item enables a second user to read and approve the work item). Also included among history-based policies are those that prevent the leakage of data to unauthorized principals. These confinement-dependent policies include some instances of role-based access control (RBAC) (e.g., only doctors can read the contents of medical records), originator control (ORCON) and privacy (e.g., knowing who can currently read one’s data or personal information), conflict of interest (e.g., a user with knowledge of information within one dataset cannot read information in another dataset), or multi-level security. Events could also pertain to threat level parameters (including those affected by changes in orchestration configurations) that can be used to alter the policy state in the NGAC policy repository and thus make it a risk-adaptive access model.
Active Cyber™: What are the advantages and disadvantages or challenges of applying the NGAC model in a distributed, low latency, real-time environment?
Mr. Ferraiolo and Dr. Chandramouli, NIST: A distributed, low latency, real-time environment requires quick computation of access decisions. One challenge is that NGAC is less efficient than native ACLs in computing decisions in environments like supercomputing or big-data processes. Another challenge is that NGAC could be viewed as risk-prone and costly to integrate directly into these existing systems.
The NGAC model and access computation engine address these challenges in the following ways:
- An efficient storage and access structure for representing the access control data; NGAC relations are often represented as a directed acyclic graph (DAG), and access decisions are computed through efficient graph traversal algorithms.
- The access control data repository can be partitioned by partitioning the associated DAG.
- Efficiency of the whole process is further enhanced by having the required graph partitions memory-resident. Additional challenges lie in keeping the NGAC graph partitions associated with each distributed node in sync with changes in workflow logic for the entire distributed system.
Active Cyber™: Can you provide one or two examples of how various access control policies can be mapped and applied within a NGAC model – e.g., RBAC, Chinese Wall, separation of duty, Privacy-based obligations, conflict of interest? How does NGAC enhance the effectiveness of managing access in a multi-cloud environment?
Mr. Ferraiolo and Dr. Chandramouli, NIST: The Chinese Wall model includes two rules for reading and writing to prevent conflict of interest. Consultants or advisors are given access to proprietary information to provide a service for their clients. When a consultant or advisor gains access to the competitive practices of two banks, for instance, in the same conflict-of-interest class (e.g., Banks) the consultant essentially obtains insider information. This situation can be avoided by rules expressed as separation of duty constraints that, when enforced, continually narrow the access rights of a subject as it performs allowed activities. These types of rules can be encoded as NGAC obligations.
The initial policy configuration would allow a user’s process to read and write any object in the data store. As the process accesses objects, obligations are triggered that adjust the policy for both the user and its processes in accordance with the read and write rules. In short, when a process performs a read access of an object in some conflict-of-interest class (COIi), its user is denied the ability to read objects in any other dataset in COIi using different processes (through an associated administrative response). Subsequent read or write attempts of objects in any other dataset in COIi by this process are denied.
Discretionary access control (DAC) is an administrative policy that permits system users to allow or disallow other users’ access to objects that are placed under their control. NGAC has a flexible means of providing users with administrative capabilities, including those necessary for the establishment of DAC policies.
There are several factors that enhance the effectiveness of NGAC for managing access to resources in a multi-cloud environment. Perhaps the most important feature is that NGAC defines objects as logical entities that map to corresponding physical counterparts. As such, NGAC can comprehensively and uniformly apply policy to any object regardless of its type or the physical location in which its content is stored. It is not until after the authorization process is complete that the physical location of the corresponding resource must be revealed. Due to efficient algorithms, a user can centrally “see” cloud resources for which they are authorized as logical entities via what is referred to as a personal object system (POS). The POS enables navigation through object attributes that are also logical entities, which may be seen and perceived by the user as, for example, folders and directories in a file system or the user’s inbox in an email system.
Active Cyber™: NIST presented a working draft proposed standard of NGAC to ANSI in June 2019. What are the scope and the main goals of this standard, what unique advantages does this standard offer to adopters, and how has it progressed?
Mr. Ferraiolo and Dr. Chandramouli, NIST: NIST and other members of an Ad Hoc International Committee for Information Technology Standards (INCITS) working group developed a three-volume standard called “Next Generation Access Control” (NGAC).
This work has been completed with the 2016 publication of INCITS 526 – NGAC Generic Operations and Abstract Data Structures (NGAC-GOADS); the 2018 revised publication of INCITS 499 – NGAC Functional Architecture (NGAC–FA); and the late 2018 publication of INCITS 525 – NGAC Implementation Requirements, Protocols, and API Definitions (NGAC-IRPADS). Although all three standards have been completed, work is currently underway to consolidate them into INCITS 565 – Next Generation Access Control (NGAC), with publication expected in the spring or summer of 2020.
Active Cyber™: Thank you everyone for joining us.
Thank you Dave and Dr. Chandramouli for such a fascinating review of NGAC and explaining how it can provide signficant benefits in helping to control access in many different modern scenarios. I look forward to the publication of INCITS 565 – Next Generation Access Control (NGAC) in 2020, and I greatly appreciate and admire your significant contributions in the identity and access control space. I will also be watching closely for the uptick in NGAC adoption as IoT and service mesh deployments create the need for greater flexibility in access control policies.
And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, or other emerging technology topics such as augmented reality and spatial web. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at Active Cyber™.
About Mr. David Ferraiolo
David F. Ferraiolo is the manager of the Secure Systems and Applications group of the Computer Security Division, at the National Institute of Standards and Technology. He has conducted extensive research in various areas of access control and authorization management, including formal model development, reference and prototype implementation, product demonstration development and evaluation. He is a co-author of a book on Role-based Access Control and a book on Attribute Based Access Control, is the author or coauthor of more than 50 papers and journal articles on topics of access control, and the principal inventor on two patents. Due to his work, RBAC has advanced from a concept to the world’s most widely used access control model, with features that show up at virtually all levels of computing. He received the 2019 ACSAC “Test of Time Paper” award, 2018 IEEE Innovation Award in Societal Infrastructure Award, a U.S. Department of Commerce gold medal, and an Excellence in Technology Transfer award from the Federal Laboratory Consortium and has served on the boards of numerous standardization efforts to include, the Common Criteria (ISO 15408), Role-Based Access Control (ANSI/INCITS 359), Next Generation Access Control (ANSI/INCITS 499 and 526).
About Dr. Ramaswamy Chandramouli
Dr. Ramaswamy Chandramouli is a Senior Computer Scientist at the Computer Security Division at National Institute of Technology (NIST) USA for over 20 years. His publications span diverse areas such as RBAC, Model-based Security Testing, Smart Card Specifications, DNS & Email Security, ABAC and Security Guidance for Hypervisor & Container deployments. He is the co-author of 3 Technical books, 28 NIST publications and 37 peer-reviewed conference and journal publications.