[Owasp-leaders] NIST Approved: Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations

Jim Manico jim.manico at owasp.org
Wed Jan 22 06:04:31 UTC 2014


Good stuff, Chris.

Most analysts were talking about RBAC as the savior to all security
problems in 2009. Props to you for talking about RBAC limits in '09. Nather
is on the same team.

Funny, the NIST docs below claim a good implementation of ABAC is XACML.
But I agree with you, XACML is largely dead. OAUTH, which is radically
easier to implement than XACML, is in a lot more widespread use, but it
does not address complex enterprise access control needs like XACML was
supposed to.

Interesting "XACML is dead" article here:
http://blogs.forrester.com/andras_cser/13-05-07-xacml_is_dead

So that still leaves a huge space for some kind of enterprise-grade access
control standard. Is there anything more beefy than OAUTH looking to
replace the promise of XACML?

Aloha,

Jim



*From:* Chris Schmidt [mailto:chris.schmidt at contrastsecurity.com]
*Sent:* Tuesday, January 21, 2014 4:48 PM
*To:* 'Jim Manico'
*Cc:* OWASP IDecosystem List; owasp-leaders at lists.owasp.org
*Subject:* RE: [Owasp-leaders] NIST Approved: Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations

Blog posts

November 2009 – Is Role Based Access Control Dead?
http://yet-another-dev.blogspot.com/2009/11/is-role-based-access-control-dead.html

January 2010 – More on Context Based Access Control
http://yet-another-dev.blogspot.com/2010/01/more-on-context-based-access-control.html

Oracle also implemented something called "XACML" that was somewhat kind of
maybe a little close to what I was proposing – however, it was difficult to
understand/use, had complicated XML Schemas, and didn't solve the whole
problem (and was never really actually adopted by anyone that I'm aware of).
http://www.oasis-open.org/committees/document.php?document_id=33416





*From:* owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] *On Behalf Of* Jim Manico
*Sent:* Tuesday, January 21, 2014 5:00 PM
*To:* Chris Schmidt
*Cc:* OWASP IDecosystem List; owasp-leaders at lists.owasp.org
*Subject:* Re: [Owasp-leaders] NIST Approved: Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations



Chris,

Context-Based-Access-Control is already a formal access control methodology
for firewall tech:
http://en.m.wikipedia.org/wiki/Context-based_access_control

Also, NIST's ABAC doc describes something done informally for decades.
Anyone building large multi-tenant systems has already been forced to go
down the ABAC path or similar. What makes me so happy is to see NIST
finally addressing the limitations of RBAC in such a public, formal way, to
the point of helping federal agencies make a business case for ABAC.

Do you have anything published on your methodology? I would love to see it.

Cheers Chris,

--
Jim Manico
@Manicode
(808) 652-3805
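As an added illustration of the multi-tenant point above (not code from NIST SP 800-162 or from anyone on this thread): a minimal attribute-based decision over subject, object and environment attributes, beside the role-only check it replaces. The tenant and role attribute names, the policy rules and the sample principals are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    description: str
    # Predicate over (subject, object, environment) attribute sets.
    condition: Callable[[Attrs, Attrs, Attrs], bool]


# Constructed policy: every rule for an action must hold to permit it.
# "same tenant" is the condition a pure role check cannot express,
# because roles say what a subject may do, not on whose data.
POLICY: Dict[str, List[Rule]] = {
    "read": [
        Rule("same tenant", lambda s, o, e: s["tenant"] == o["tenant"]),
    ],
    "write": [
        Rule("same tenant", lambda s, o, e: s["tenant"] == o["tenant"]),
        Rule("editor role", lambda s, o, e: "editor" in s["roles"]),
        Rule("business hours", lambda s, o, e: 9 <= e["hour"] < 18),
    ],
}


def abac_decide(action: str, subject: Attrs, obj: Attrs, env: Attrs) -> Tuple[bool, str]:
    """Evaluate the attribute sets against POLICY.

    Returns (permit, reason). Unknown actions deny by default, and the
    first failing rule names itself so the denial can be logged.
    """
    rules = POLICY.get(action)
    if rules is None:
        return False, "no policy for action"
    for rule in rules:
        if not rule.condition(subject, obj, env):
            return False, "denied: " + rule.description
    return True, "permit"


def rbac_decide(action: str, subject: Attrs) -> bool:
    """Role-only check for contrast: reads are open, writes need 'editor'.

    It never sees the object, so it cannot tell one tenant's record
    from another's, which is the cross-tenant gap ABAC closes above.
    """
    return action == "read" or "editor" in subject["roles"]
```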


On Jan 21, 2014, at 1:48 PM, Chris Schmidt <chris.schmidt at contrastsecurity.com> wrote:

I'll have to read up on this and see how it compares to my idea for
Context-Based-Access-Control from a few years ago.



*From:* owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] *On Behalf Of* Jim Manico
*Sent:* Tuesday, January 21, 2014 4:23 PM
*To:* Bev Corwin; owasp-leaders at lists.owasp.org; OWASP IDecosystem List
*Subject:* Re: [Owasp-leaders] NIST Approved: Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations



Anything that encourages developers to stray away from modern
implementations of Role-Based-Access-Control is fine by me. This is a great
step in the right direction from what I have read so far.

Thanks for passing this along, Bev.

Aloha,

Jim



*From:* owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] *On Behalf Of* Bev Corwin
*Sent:* Tuesday, January 21, 2014 7:51 AM
*To:* owasp-leaders at lists.owasp.org; OWASP IDecosystem List
*Subject:* [Owasp-leaders] NIST Approved: Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations



FYI:

"*NIST Special Publication (SP) 800-162, Guide to Attribute Based Access
Control (ABAC) Definition and Considerations* has been approved as final
and is now available on the CSRC / NIST website.

URL to the SP 800-162 document (PDF):
http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

An announcement about this document's release can be found on the CSRC
Announcement page:
http://csrc.nist.gov/news_events/#jan21

The SP 800-162 listing can be found on the NIST CSRC Special Publications
page (for bookmarking purposes):
http://csrc.nist.gov/publications/PubsSPs.html#800-162"

Bev