Secure Information Sharing and Trust Architecture 2009


  • 8/14/2019 Secure Information Sharing and Trust Architecture 2009

    Enterra Solutions, 2009 All Rights Reserved PROPRIETARY AND CONFIDENTIAL

    Overview


    Why ABAC?

    • Secure Information Sharing is increasingly important
      • Inter-Organization and Intra-Organization
    • Other Approaches
      • Focus on encryption of resources (e.g., Public Key Infrastructure, PKI)
      • Focus on sharing of credentials (e.g., Security Assertion Markup Language, SAML)
      • Implement gross-level policies (e.g., roles, groups, document classification)
      • Depend upon offline agreements (e.g., Organization A Owner == Organization B Member)
      • Require centralized management for multi-party communication
      • Rely on programming to make changes


    New DHS/DoT Information Sharing Model


    Enterra's Approach

    • Attribute-Based Access Control is a way to represent security by directly using features of the different participants, both the requestor and the item being requested
    • Extensible Access Control Markup Language (XACML) allows the representation of attribute-based access policies in XML
      • Can work with SAML and PKI as well as other authentication and encryption mechanisms
      • Also allows for the introduction of a 3rd dimension, environment or situation, into the policy
      • Introduces standard means for representing how the policies should be enacted


    Current Approach - RBAC


    ABAC using XACML


    Benefits of XACML-ABAC

    • Enables Fine-Grained Access Policies
      • Rather than using gross buckets (roles, classifications, etc.), access can be decided down at the individual subject, resource and environment level within the same infrastructure
    • Separates the policy from the implementation
    • Enables Highly Dynamic Policies
      • No longer need to come up with a new role, etc.
    • Introduces an environment dimension
      • i.e., under which conditions access is allowed
    • Allows owners of the resources to maintain control through policy administration
    • Enables extensive auditing
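    The following Python is an added example, not part of the original slides and not Enterra's code or an XACML engine. It models what the "Enterra's Approach" and "Benefits of XACML-ABAC" slides describe: a policy decision point that evaluates subject, resource and environment attributes with deny-overrides combining, lets the resource owner control sharing through an attribute on the resource rather than a new role, and writes an audit record for every decision. All attribute names, rule names and sample requests are constructed for this illustration.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added illustration, not Enterra's code and not a XACML engine: it models the
three attribute dimensions the slides name (subject, resource, environment)
with plain Python dictionaries instead of XACML's XML syntax. Attribute names,
rule names and the sample requests below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]

# Ordering of classification/clearance levels (a constructed example scale).
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Rule:
    """One policy rule: a predicate over (subject, resource, environment)
    attributes and the effect applied when the predicate holds."""
    name: str
    effect: str  # "Permit" or "Deny"
    condition: Callable[[Attrs, Attrs, Attrs], bool]


@dataclass
class PolicyDecisionPoint:
    """Evaluates rules with deny-overrides combining: any matching Deny wins,
    otherwise any matching Permit, otherwise NotApplicable (which the
    enforcement point must treat as a denial). Every decision is recorded."""
    rules: List[Rule]
    audit_log: List[Dict[str, Any]] = field(default_factory=list)

    def decide(self, subject: Attrs, resource: Attrs, environment: Attrs) -> str:
        matched = [r for r in self.rules if r.condition(subject, resource, environment)]
        if any(r.effect == "Deny" for r in matched):
            decision = "Deny"
        elif any(r.effect == "Permit" for r in matched):
            decision = "Permit"
        else:
            decision = "NotApplicable"
        # Audit record: who asked for what, under which conditions, and why.
        self.audit_log.append({
            "subject": subject.get("id"),
            "resource": resource.get("id"),
            "environment": dict(environment),
            "matched_rules": [r.name for r in matched],
            "decision": decision,
        })
        return decision


def cross_org_sharing_rules() -> List[Rule]:
    """Constructed rule set for sharing documents between organizations.
    No per-organization role is created: the resource owner controls access
    by editing the resource's own 'shared_with' attribute."""
    return [
        Rule(
            "permit-shared-org-with-sufficient-clearance", "Permit",
            lambda s, r, e: s["organization"] in r["shared_with"]
            and LEVEL[s["clearance"]] >= LEVEL[r["classification"]],
        ),
        Rule(
            "deny-secret-off-trusted-network", "Deny",
            lambda s, r, e: r["classification"] == "secret"
            and e["network"] != "trusted",
        ),
        Rule(
            "deny-outside-operating-hours", "Deny",
            lambda s, r, e: LEVEL[r["classification"]] >= LEVEL["confidential"]
            and not (6 <= e["hour"] < 20),
        ),
    ]


def run_sample_requests() -> List[str]:
    """Evaluate three constructed requests and return the decisions."""
    pdp = PolicyDecisionPoint(cross_org_sharing_rules())
    report = {"id": "orgA/incident-report-42", "owner": "OrgA",
              "classification": "confidential", "shared_with": ["OrgA", "OrgB"]}
    plan = {"id": "orgA/response-plan", "owner": "OrgA",
            "classification": "secret", "shared_with": ["OrgA", "OrgB"]}
    analyst_b = {"id": "alice@orgB", "organization": "OrgB", "clearance": "secret"}
    contractor_c = {"id": "bob@orgC", "organization": "OrgC", "clearance": "secret"}
    office = {"network": "trusted", "hour": 10}
    hotel = {"network": "untrusted", "hour": 10}
    return [
        pdp.decide(analyst_b, report, office),    # Permit
        pdp.decide(analyst_b, plan, hotel),       # Deny: environment rule overrides
        pdp.decide(contractor_c, report, office), # NotApplicable: OrgC not shared_with
    ]


if __name__ == "__main__":
    for decision in run_sample_requests():
        print(decision)
```

    The second request shows the environment dimension the slides add: the same subject who is permitted in the office is denied the secret resource from an untrusted network, without any change to roles or to the resource's sharing list. The third shows the "NotApplicable" case a policy enforcement point must still treat as a denial.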


    The Secure Information Sharing Environment


    Policy Automation [RSA]


    High-Level Architecture


    Component Level Architecture


    Policy Decision Point


    Policy Administration Point
