From ABAC to ZBAC: The Evolution of Access Control Models
Karp, Alan H.; Haury, Harry; Davis, Michael H.
Keyword(s): Services Oriented Architecture; SOA; web services; access control; Federated Identity Management; FIdM
Abstract: Controlling access to resources and services is fundamental to security. A variety of access control models have been developed over the years, each designed to address different aspects of the problem. This report examines the strengths and weaknesses of the various approaches as applied to cross-domain services and as implemented in common SOA frameworks. Please note that the access control mechanisms are discussed in this context; the comments are not general critiques of the advantages and disadvantages of the various systems. Our primary use case comes from an example investigated by the US Navy, which is examined for illustrative purposes because it is easy to understand. (For additional applicability, please refer to the Department of Defense and Intelligence Community Service-Oriented Architecture Security Reference Architecture, Version 1.0, in particular its discussion of hierarchical policy enforcement frameworks and section 4.2, Advanced SOAP Interaction Patterns.) That discussion also extends the enclosed use case slightly to address issues it does not cover. Recognizing those issues led to the development of an access control model that uses authorizations presented with the request to make an access decision, an approach we call authoriZation Based Access Control (ZBAC). This paper is intended to stimulate a structured technical dialogue within the IA&A community on potential alternative enterprise approaches and the possible security risks of current approaches. The KEY implementation details are in the appendices, so be sure to read them too!
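As an added illustration of the ZBAC idea stated in the abstract (this is not code from the report, whose actual mechanism is described in its appendices): a service that makes its decision from a signed authorization carried with the request, without resolving the requester's identity across domains. The token layout, the HMAC key shared between issuer and service, and all field names are this example's assumptions.

```python
"""Minimal authorization-based (ZBAC-style) access check, constructed for illustration."""
import hashlib
import hmac
import json
import time

# Assumption: the issuing authority and the service share one HMAC key (constructed value).
ISSUER_KEY = b"constructed-demo-key-not-for-real-use"


def _canonical(claims):
    """Deterministic encoding so issuer and verifier sign/verify identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def mint_authorization(issuer_key, resource, action, expires_at):
    """Issuer side: grant (resource, action) until expires_at (Unix time), signed with the key."""
    claims = {"resource": resource, "action": action, "exp": int(expires_at)}
    sig = hmac.new(issuer_key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def check_request(issuer_key, request, now=None):
    """Service side: decide solely from the authorization presented with the request.

    Nothing here looks up who the caller is; the decision rests on whether a valid,
    unexpired authorization covering exactly this resource and action was presented.
    Returns (allowed, reason).
    """
    now = time.time() if now is None else now
    auth = request.get("authorization")
    if not isinstance(auth, dict) or "claims" not in auth:
        return False, "no authorization presented"
    expected = hmac.new(issuer_key, _canonical(auth["claims"]), hashlib.sha256).hexdigest()
    # Constant-time comparison; any edit to the claims invalidates the signature.
    if not hmac.compare_digest(expected, str(auth.get("sig", ""))):
        return False, "authorization signature invalid"
    claims = auth["claims"]
    if claims.get("exp", 0) < now:
        return False, "authorization expired"
    if claims.get("resource") != request.get("resource") or claims.get("action") != request.get("action"):
        return False, "authorization does not cover this resource/action"
    return True, "allowed by presented authorization"


if __name__ == "__main__":
    token = mint_authorization(ISSUER_KEY, "ship://status", "read", time.time() + 600)
    print(check_request(ISSUER_KEY, {"resource": "ship://status", "action": "read", "authorization": token}))
    print(check_request(ISSUER_KEY, {"resource": "ship://status", "action": "write", "authorization": token}))
```

Because the authorization is a bearer value in this sketch, a deployed design must also protect it in transit and bind or confine it; that part is outside what this snippet shows.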
External Posting Date: February 21, 2009. Approved for External Publication
Internal Posting Date: February 21, 2009