Wednesday, September 19, 2007

Taking issue with NIST's definition of role-based access control

Network World's Security: Identity Management Newsletter, 09/19/07

By Dave Kearns

Shekhar Jha, a security architect at Sena Systems, was talking with me about roles, and asked “What I am trying to understand is whether roles as we understand it today (i.e. NIST roles) is enough for the real world scenarios and if not then what are the characteristics that are missing from the roles as we know today (for example context)?” While I’d love to use that as a springboard for yet another bit of preaching on the importance of context (and I will get around to that soon), it’s the issue of “NIST roles” that I want to explore today.

NIST, the National Institute of Standards and Technology, has a very important role in IT – it defines all sorts of standards for the U.S. federal government, many of which become de facto standards for businesses around the world. And NIST, through its Computer Security Resource Center, has a lot to say about roles, which it first formalized back in 1992.

If you aren’t familiar with NIST on Role Based Access Control (RBAC), see the extensive Web site which, in my opinion, is best used by academics and theoreticians rather than coders and practitioners. Be prepared with lots of coffee, as the turgid prose will put even the most jaded insomniac to sleep:

“In establishing the session, however, there is an implicit assumption that the users in Figures 1 and 2 are in fact authenticated users of the system who are authorized to invoke certain permissions, such as opening a session. Thus, these authenticated users have implicit or explicit permissions to initiate sessions. Functional role activation (session roles) cannot occur until the session is established, and authorization to establish the session may occur outside of the application authorization functions. To accomplish this basic connect function, the user would possess, in addition to authentication information, some set of basic (static) roles that would be prerequisites to a user’s being authorized to ‘connect’ to the task or workflow containing the session (functional) roles. An access control enforcement function would have the responsibility to grant or deny the session based on the basic role.”

I also strongly disagree with the most basic assumption: “Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role. The identification and authentication process (e.g. login) is not considered a transaction. All other user activities on the system are conducted through transactions. Thus all active users are required to have some active role.” Authentication IS a transaction. And the subject DOES have a role – the role of unauthenticated user. That role has one right/privilege within the system – the right to execute the login procedure (a.k.a. the login transaction).

Rather than getting bogged down in the voluminous, repetitive (and, seemingly, wrong-headed) legalistic definitions we have a perfectly good model that we should already understand – the stage. Actors fill roles, the roles are well defined and both require certain actions of the actors while also allowing other actions. If you go to enough regional theater productions, you’ll also realize that one actor can fill multiple roles during a production. Is that so hard a concept to grasp?
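To make the two models concrete, here is a small added illustration (my own code, not NIST's reference implementation and not the newsletter's) of the core RBAC pieces the quoted passage describes: static user-role assignment, a session, and activation of session (functional) roles. It also builds in the objection raised above by treating login as an ordinary transaction authorized by a bootstrap "unauthenticated" role whose only permission is login, and it lets one subject activate several roles in one session, like an actor playing multiple parts. All class and role names (Rbac, Session, clerk, auditor) are invented for the example, and the password check is a constructed placeholder flag.

```python
"""Minimal core-RBAC model with sessions and role activation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

UNAUTHENTICATED = "unauthenticated"   # bootstrap role argued for in the text
LOGIN = "login"                        # the one permission that role carries


@dataclass
class Rbac:
    """Static policy: which permissions each role carries, which roles each user holds."""
    role_perms: Dict[str, Set[str]] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Every deployment gets the bootstrap role whether or not the admin defines it.
        self.role_perms.setdefault(UNAUTHENTICATED, {LOGIN})

    def add_role(self, role: str, perms: Set[str]) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        # Static assignment only; nothing is active until a session activates it.
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)


@dataclass
class Session:
    """One connection. Starts with only the unauthenticated role active."""
    rbac: Rbac
    user: Optional[str] = None
    active: Set[str] = field(default_factory=lambda: {UNAUTHENTICATED})

    def permitted(self, perm: str) -> bool:
        # A permission is available iff some *active* role carries it.
        return any(perm in self.rbac.role_perms.get(r, set()) for r in self.active)

    def login(self, user: str, password_ok: bool) -> bool:
        # Login is itself a transaction; it is authorized by the bootstrap role.
        if not self.permitted(LOGIN):
            raise PermissionError("login is not permitted in this session state")
        if not password_ok:           # constructed stand-in for a real credential check
            return False
        self.user = user
        self.active = set()           # authenticated, but no functional role active yet
        return True

    def activate(self, role: str) -> None:
        # Session-role activation: only statically assigned roles may be activated.
        if self.user is None or role not in self.rbac.user_roles.get(self.user, set()):
            raise PermissionError(f"role {role!r} is not assigned to user {self.user!r}")
        self.active.add(role)

    def deactivate(self, role: str) -> None:
        self.active.discard(role)

    def execute(self, transaction: str) -> bool:
        """Run a transaction iff an active role carries the matching permission."""
        return self.permitted(transaction)


def demo() -> Dict[str, bool]:
    """Walk one subject through connect, login, and multi-role activation."""
    rbac = Rbac()
    rbac.add_role("clerk", {"read_ledger"})
    rbac.add_role("auditor", {"read_ledger", "read_audit_log"})
    rbac.assign("alice", "clerk")
    rbac.assign("alice", "auditor")

    s = Session(rbac)
    out: Dict[str, bool] = {}
    out["pre_login_read"] = s.execute("read_ledger")      # False: only bootstrap role active
    out["pre_login_can_login"] = s.permitted(LOGIN)       # True: the one right it has
    s.login("alice", password_ok=True)
    out["post_login_no_role"] = s.execute("read_ledger")  # False: nothing activated yet
    s.activate("clerk")
    out["clerk_read"] = s.execute("read_ledger")          # True
    out["clerk_audit"] = s.execute("read_audit_log")      # False: clerk lacks it
    s.activate("auditor")                                 # one actor, a second role
    out["both_audit"] = s.execute("read_audit_log")       # True
    out["login_after_auth"] = s.permitted(LOGIN)          # False: bootstrap role dropped
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the code makes is that nothing special has to happen "outside of the application authorization functions" to let a subject connect: the same enforcement function that checks every other transaction checks login, because the unauthenticated subject already holds a role.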

The NIST documents spend considerable time talking about “Separation of Duty” issues with regards to roles. But, I contend, SoD is not part of the definition of roles. We’ll go into that next time.

Free downloads:

There are a couple of bits of code I want to draw your attention to. First, Ping ID has released PingFederate Java and .Net Integration Kits v1.2.1, which “simplify SAML & WS-Federation SSO Integration with your custom Java or .NET applications.”

Also available is PHP code to build a Shibboleth 1.3 Service Provider. SimpleSAMLphp 0.3 also includes a simple LDAP authentication module.



Contact the author:

Dave Kearns is the editor of IdM, the Journal of Identity Management as well as a consultant to both vendors and users of IdM technologies. He's written a number of books including the (sadly) now out of print "Complete Guide to eDirectory." His other musings can be found at the Virtual Quill, an Internet publisher which provides content services to network vendors: books, manuals, white papers, lectures and seminars, marketing, technical marketing and support documents. Virtual Quill provides "words to sell by..." Find out more by e-mail. Comments to this newsletter can be e-mailed to Dave here

Copyright Network World, Inc., 2007