1 / 12

Combining KMIP and XACML

Explore how XACML, an XML language for access control, combined with KMIP, can provide powerful evaluation logic, scale from PDA to Internet, and offer federated policy administration within a standard framework. Learn about XACML features, benefits, and architecture, and understand the reasons for KMIP servers to utilize XACML for enhanced key relationship policies. Considerations on attributes, interfaces, and interactions between PDP and KMIP servers are also addressed. For further insights, check out Divay Bansal's master thesis on this subject.

javierc
Télécharger la présentation

Combining KMIP and XACML

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Combining KMIP and XACML

  2. What is XACML? • XML language for access control • Coarse or fine-grained • Extremely powerful evaluation logic • Ability to use any available information • Superset of Permissions, ACLs, RBAC, etc • Scales from PDA to Internet • Federated policy administration • OASIS and ITU-T Standard

  3. Key XACML Features • Federated Policy Administration • Multiple policies applicable to same situation • Combining rules to resolve conflicts • Decision may include Obligations • In addition to Permit or Deny • Obligation can specify present or future action • Examples: Log request, require human approval, delete data after 30 days • Protect any resource • Web Server, Java or C++ Object, Room in building, Network Access, Web Service, Geographic Data, Health Records, etc.

  4. XACML Benefits • Standard Policy Language • Investment protection • Skills reuse • Leverage XML tools • Policy not in application code • Reduce cost of changes • Consistent application • Enable audit

  5. Client PDP PDP Administration PDP Decision PDP Resources PEP Enforcement Attribute Repositories Policy Repository Authorities XACML Architecture Application

  6. Policy Evaluation in Brief - 1 • Attribute-based access control (ABAC) • Attributes associated with Subject(s), Action, Resource or Environment • Attributes may represent static (Group) or dynamic (# of accesses) properties • PDP is stateless • Policies contain Boolean expressions • If false, policy is not applicable • If true, Effect (Permit or Deny) is returned

  7. Policy Evaluation in Brief - 2 • Combining Algorithms resolve conflicting policy results • Typical: Deny Overrides • Obligations which are associated with final Effect are also returned • Policies are tree structured to simplify management

  8. Reasons for KMIP Servers to Use XACML • Implement more complex key relationship policies • Dependancies: derived key, wrapped key, split key • Enhance policies to meet Enterprise needs • Other Subject attributes (Roles) • Environmental attributes • Privacy or contractual requirements

  9. What to consider • Not Policy structure (this would be necessary with RBAC for example) • Attributes • What ones may be needed • Where will the come from • How will they get to PDP • Interface • Remote/Local • Protocol/API

  10. Attributes • Datatypes • XACML defines 14 scalar types • KMIP types are a subset • Commonly used are easy, e.g. string • Access • With decision request • KMIP request • Other request, e.g. LDAP • KMIP must maintain dynamic values

  11. Interfaces • PDP may be remote or imbedded • Tradeoff is ease of integration vs. performance • Most KMIP servers relatively low decision volume • Remote call via SOAP defined by XACML • Clearly the easiest to implement • OpenAz open source project is defining APIs • Defining a TTLV remote call is possible

  12. Excellent paper on this subject • Masters thesis by Divay Bansal • IBM / ETH Zurich • http://issuu.com/divaybansal/docs/master-thesis • If nothing else it demonstrates how XACML can implement key-dependancies policies • Alternative architectures

More Related