NIST's National Cybersecurity Center of Excellence (NCCoE) has posted a revised draft white paper that will inform projects aimed at helping companies better manage who has access to their IT assets. This project is an NCCoE "building block," which are example cybersecurity implementations that apply to multiple industry sectors and can be incorporated into many of the center's sector-specific use cases.
"Attribute Based Access Control" will help businesses control who has access—and to what degree—to the applications, networks, systems and data on their IT systems. This project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design. In February 2014, the NCCoE posted a draft building block addressing attribute based access control and invited comments from the public. The center received and responded to 11 comments and revised the draft accordingly.
The NCCoE now seeks feedback on the revised document. Once that feedback is incorporated, the center will publish a notice for the project in the Federal Register to invite participation from the technology community.
Access to an organization's network or assets is traditionally managed according to a person's role. An accountant, for example, needs access to both financial records and sales software, while a salesperson needs access to sales software alone. If a person changes roles or leaves a company, an administrator must manually change the employee's role to change access rights, and perhaps within several systems. The NCCoE Attribute Based Access Control Building Block proposes that access to an organization's network or assets be made based on information that is available to systems across an organization, or even among organizations, about a person, the action she wants to execute, and the resource she wants to access. As an example, an orthopedist responding to a mass casualty event in a neighboring state can quickly gain access to a hospital's patient records and radiology and pharmacy ordering systems, and only to those systems, based on authentication of her credentials and attributes such as employee status, medical specialization and certifications.
The draft Attribute Based Access Control Building Block document can be viewed at https://www.nccoe.nist.gov/projects/building-blocks/attribute-based-access-control. Comments can be submitted online or to abac-nccoe [at] nist.gov (subject: ABAC%20building%20block%20comment) (abac-nccoe[at]nist[dot]gov) by June 2, 2015.
The NCCoE addresses businesses' most pressing cybersecurity problems with practical, standards-based solutions using commercially available technologies. The NCCoE collaborates with industry, academic and government experts to build modular, open, end-to-end reference designs that are broadly applicable and repeatable.