As part of its efforts to provide practical solutions to real-world cybersecurity challenges, the National Cybersecurity Center of Excellence (NCCoE) is requesting comments on a draft guidance to help organizations better control who has access to their information systems.
Today, access to many companies’ networks and assets is defined by a user’s job or role within the organization using a role-based access control (RBAC) system. If roles change or an employee leaves the company, an administrator must manually change access rights accordingly—oftentimes within several systems. However, as technology advances and businesses expand, so do the diversity of users and their access needs. With current RBAC capabilities, these types of transactions become increasingly difficult and inefficient to manage and audit. An attribute based access control (ABAC) system, however, can provide flexibility and efficiency by using granular attributes, such as title, division, certifications, training and even environmental conditions, to authorize an individual’s access.
The draft practice guide outlines potential security risks, benefits that may result from the implementation of an ABAC system and the approach that the NCCoE and its partners took using commercially available technologies.
“We wanted to demonstrate to organizations how some of ABAC’s fundamental capabilities can address their cybersecurity challenges,” said Bill Fisher, a security engineer at the NCCoE and lead on the ABAC project. “The strength of the center is its ability to bring together industry, academia and government researchers to help businesses find cost-effective, standards-based solutions.”
The draft guide shows how commercially available technologies can meet an organization’s needs to make access decisions for a diverse set of users and access needs, including those seeking access from external organizations. It includes a detailed description of the installation, configuration and integration of all components.
The guide is one in a new series of publications from the center, called NIST Cybersecurity Practice Guides (Special Publication Series 1800), which target specific cybersecurity challenges in the public and private sectors. The practical, user-friendly guides show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices.
For each cybersecurity challenge, the center works with a variety of collaborators to use different sets of commercially available products. For nonindustry specific cybersecurity challenges, the center will work with a core set of partners within the National Cybersecurity Excellence Partnership to complete an initial build and guide. The center may produce additional guides with other vendors, depending on the challenge’s complexity and how broadly it affects industry.
In August 2015, the center issued a call for other collaborators for a second project to develop another example ABAC system.
While the reference solution was demonstrated with a certain suite of products, the guide does not endorse these products in particular. Instead, it presents the characteristics and capabilities that an organization’s security experts can use to identify similar standards-based products that can be integrated quickly and cost-effectively with an organization’s existing tools and infrastructure.