CISSP PRACTICE QUESTIONS – 20210828

Effective CISSP Questions

You are implementing Zero Trust architecture. Which of the following is the best access control policy language for authorization? (Wentz QOTD)
A. Risk-based access control
B. Attribute-based access control
C. Security Assertion Markup Language (SAML)
D. eXtensible Access Control Markup Language (XACML)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. eXtensible Access Control Markup Language (XACML).

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Sample XACML Implementation

Risk-based and attribute-based access control are authorization mechanisms, not access control policy languages. SAML is a language for authentication, not for authorization. XACML is a standard language for expressing security policy; it is the policy language that supports attribute-based access control as the authorization mechanism.

XACML stands for “eXtensible Access Control Markup Language”. The standard defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.

Source: Wikipedia

SAML Assertion

Zero Trust

Core Zero Trust Logical Components (Source: NIST SP 800-207)

Authorization decisions are made by the policy engine of the policy decision point (PDP) in a Zero Trust architecture. The trust algorithm (TA) used by the policy engine takes multiple sources of inputs to make authorization decisions based on fine-grained criteria or scores that entail attributes from subjects, objects, and the environment.
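To make the XACML description above and the PDP role in NIST SP 800-207 concrete, here is an added example that is not from the original post or from any XACML product: a toy policy decision point in Python that evaluates a constructed XACML 3.0 policy (subject role, device posture, and resource attributes) against a request dict. It handles only the Target/AnyOf/AllOf/Match subset with string-equal and the deny-unless-permit combining algorithm; the attribute ids "role", "device-posture" and "resource-id" are hypothetical.

```python
# Toy XACML 3.0 policy decision point (PDP): Target/AnyOf/AllOf/Match with
# string-equal, combined by deny-unless-permit. Request = {category: {id: value}}.
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
XS = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Constructed sample policy (attribute ids are hypothetical): permit only an
# analyst on a compliant device reading "payroll"; everything else is denied.
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="zt-payroll" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
 <Target/>
 <Rule RuleId="permit-compliant-analyst" Effect="Permit">
  <Target><AnyOf><AllOf>
   <Match MatchId="{EQ}"><AttributeValue DataType="{XS}">analyst</AttributeValue>
    <AttributeDesignator Category="{SUBJ}" AttributeId="role" DataType="{XS}" MustBePresent="true"/></Match>
   <Match MatchId="{EQ}"><AttributeValue DataType="{XS}">compliant</AttributeValue>
    <AttributeDesignator Category="{ENV}" AttributeId="device-posture" DataType="{XS}" MustBePresent="true"/></Match>
   <Match MatchId="{EQ}"><AttributeValue DataType="{XS}">payroll</AttributeValue>
    <AttributeDesignator Category="{RES}" AttributeId="resource-id" DataType="{XS}" MustBePresent="true"/></Match>
  </AllOf></AnyOf></Target>
 </Rule>
</Policy>"""

q = lambda tag: f"{{{NS}}}{tag}"  # namespace-qualify an element name for ElementTree

def _match(m, request):
    """A Match holds when the designated request attribute equals the literal."""
    want = m.find(q("AttributeValue")).text
    d = m.find(q("AttributeDesignator"))
    return request.get(d.get("Category"), {}).get(d.get("AttributeId")) == want

def _target(t, request):
    """Target = AND over AnyOf, each an OR over AllOf, each an AND over Match."""
    return all(any(all(_match(m, request) for m in allof.findall(q("Match")))
                   for allof in a.findall(q("AllOf"))) for a in t.findall(q("AnyOf")))

def evaluate(policy_xml, request):
    """Return 'Permit' or 'Deny' for a request (deny-unless-permit combining)."""
    policy = ET.fromstring(policy_xml)
    if _target(policy.find(q("Target")), request):  # empty <Target/> matches all
        for rule in policy.findall(q("Rule")):
            if rule.get("Effect") == "Permit" and _target(rule.find(q("Target")), request):
                return "Permit"
    return "Deny"  # NotApplicable and explicit Deny both collapse to Deny
```

A real deployment would have the policy enforcement point (PEP) build the request from the trust algorithm's inputs and forward it to the PDP, which is the interaction this toy collapses into a single function call.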

The system must ensure that the subject is authentic and the request is valid. The PDP/PEP passes proper judgment to allow the subject to access the resource. This implies that zero trust applies to two basic areas: authentication and authorization.

What is the level of confidence about the subject’s identity for this unique request?
Is access to the resource allowable given the level of confidence in the subject’s identity?
Does the device used for the request have the proper security posture?
Are there other factors that should be considered and that change the confidence level (e.g., time, location of subject, subject’s security posture)?

Overall, enterprises need to develop and maintain dynamic risk-based policies for resource access and set up a system to ensure that these policies are enforced correctly and consistently for individual resource access requests. This means that an enterprise should not rely on implied trustworthiness wherein if the subject has met a base authentication level (e.g., logging into an asset), all subsequent resource requests are assumed to be equally valid.

Source: NIST SP 800-207

You are implementing Zero Trust architecture. Which of the following is the best access control policy language for authorization? (Wentz QOTD)
A. Risk-based access control
B. Attribute-based access control
C. Security Assertion Markup Language (SAML)
D. eXtensible Access Control Markup Language (XACML)
