Fine-Grained Policies are back with NGAC

The fine-grained nature of cloud native deployments requires fine-grained authorizations at each component. However, this may require security policies to be centrally defined, with the configurations reflecting them defined in each microservice to enable uniform, consistent enforcement across the entire system, which is hard to model and maintain.

Next-Generation Access Control (NGAC), developed by the U.S. National Institute of Standards and Technology (NIST), enables a systematic, policy-consistent approach to access control, granting or denying users administrative capabilities with a high level of granularity. It is based on the assumption that you can model the system you want to protect in a graph that represents the resources and your organizational structure, in a way that has meaning to you and that adheres to your organization semantics. On top of this model you can overlay fine-grained policies and also do effective auditing on access decisions.

This talk will offer an overview of NGAC and its advantages over more traditional RBAC and ABAC—like mitigating role explosion and indeterminate or surprising access verdicts—in the context of Zero Trust, as well as practical examples of how to use it to rationalize enterprise access control in ways that are easy to reason about, author, enforce and audit.

José Carlos Chávez

September 25, 2023

Transcript

  1. About me: José Carlos Chávez, Software Engineer @ Tetrate. Open source enthusiast, OWASP Coraza co-leader, Zipkin core member, loving father. @jcchavezs | #IstioCon
  2. What is access control? "Access control is an essential element of security that determines who is allowed to access certain data, apps, and resources—and in what circumstances." - Security 101, Microsoft Access Control
  3. Access control: use cases
     • Make access decisions:
         func check(p Principal, op Operation, r Resource) bool
     • Manage access policies: type of access policy, policy API, policy language
     • Bonus: explain access decisions:
         func explain(p Principal, op Operation, r Resource) []Reason
         func whatAccess(p Principal) []ResourceAndOperations
         func whoAccess(r Resource) []PrincipalAndOperations
  4. Access control: models
     • Discretionary access control (DAC): every object has an owner, and owners grant access to users at their discretion. It provides case-by-case control over resources and hence does not scale.
     • Mandatory access control (MAC): users are granted access in the form of a clearance. A central authority regulates access rights and organizes them into tiers, which uniformly expand in scope. Very common in government and military contexts, where structures are static and rigid.
     • Role-based access control (RBAC): access rights are granted based on defined business functions (roles) rather than individuals' identity. Policies are easy to understand and author correctly, but hard to scale (e.g. role explosion).
     • Attribute-based access control (ABAC): access is granted flexibly based on a combination of attributes and environmental conditions, such as time and location. Policies are hard to understand and author correctly (permissions overlap), but easy to scale and model.
  5. Next Generation Access Control (NGAC): created by NIST. NGAC takes the approach of modeling access decision data as a directed acyclic graph whose nodes are users/subjects, user/subject attributes, objects, object attributes and policy classes, with operations attached to the associations between them. Source: https://thenewstack.io/why-you-should-choose-ngac-as-your-access-control-model
  6. NGAC architecture (subject, PEP, PDP, PAP, PIP, RAP, object, EPP):
     • PEP for enforcement (e.g. ext_authz, wasmplugin, etc.)
     • PDP for decision
     • PAP for administration
     • PIP for information
     • RAP for resource access
     • EPP for event processing
  7. How fine-grained? (Diagram: an Object DAG with the nodes RBAC, Backend, Frontend, Instance 1 to Instance 4, Topology and Location US/EU; a Subject DAG with SRE, Piotr, Lance and US/EU; and associations labelled {r}, {r,w} and {*}.)
  8. Can Lance access Instance 1? Evaluated per policy class on the same graph: Location: Yes {r}; RBAC: Yes {r,w}; Conclusion: Yes {r}.
  9. Can Instance 4 reach Instance 1? Topology: Yes {*}; Location: No; Conclusion: No.
  10. Next Generation Access Control (NGAC)
     • Overlay access policies on top of an existing representation of the world, provided by the user.
     • Scales linearly: roughly O(|user attributes| + |object attributes| + |associations|), or the size of the subgraph for the user and object in question.
     • It can be configured to allow or disallow access based not only on object attributes but also on other conditions: time, location, etc.
     • It can evaluate and combine multiple policies in a single access decision while keeping its linear time complexity.
     • Audit to see which objects are affected by a policy.
     • Explain why a particular access was allowed.
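The decision procedure behind slides 3 and 7 to 10, as an added example that is not the speaker's code: a toy Go evaluator that walks the subject and object DAGs, collects the operations each policy class grants, and intersects them, so it returns both the "check" verdict and the per-class "explain" output. The graph is my reconstruction of the slides' example (node names, the ua:/oa: prefixes, Backend and Frontend sitting under both RBAC and Topology, and the bitmask encoding of {r}, {r,w} and {*} are all assumptions).

```go
package main
// Added toy NGAC evaluator, not the speaker's code. Parents: assignment edges of
// both DAGs (child -> parents), roots are policy classes. Assocs: op grants.
const R, W, All uint8 = 1, 2, 3 // read, write, and the slides' {*}
type Graph struct {
	Parents map[string][]string
	Assocs  map[string]map[string]uint8 // subjAttr -> objAttr -> ops
}
// ancestors returns n plus every node reachable from n via assignment edges.
func (g Graph) ancestors(n string, seen map[string]bool) map[string]bool {
	if !seen[n] {
		seen[n] = true
		for _, p := range g.Parents[n] {
			g.ancestors(p, seen)
		}
	}
	return seen
}
// Decide: every policy class above obj must grant the op through an association
// between ancestors of subj and obj lying under that class; perClass explains.
func Decide(g Graph, subj, obj string) (perClass map[string]uint8, combined uint8) {
	sAttrs, oAttrs := g.ancestors(subj, map[string]bool{}), g.ancestors(obj, map[string]bool{})
	perClass, combined = map[string]uint8{}, All
	for pc := range oAttrs {
		if len(g.Parents[pc]) > 0 {
			continue // only roots are policy classes
		}
		var granted uint8
		for sa := range sAttrs {
			for oa, ops := range g.Assocs[sa] {
				if oAttrs[oa] && g.ancestors(oa, map[string]bool{})[pc] {
					granted |= ops
				}
			}
		}
		perClass[pc], combined = granted, combined&granted // AND across classes
	}
	return perClass, combined
}
// Deck is my reconstruction of the slides' example graph (an assumption).
var Deck = Graph{
	Parents: map[string][]string{
		"Instance 1": {"Backend", "oa:US"}, "Instance 4": {"Frontend", "oa:EU"},
		"Backend": {"RBAC", "Topology"}, "Frontend": {"RBAC", "Topology"},
		"oa:US": {"Location"}, "oa:EU": {"Location"}, "ua:US": {"Location"}, "SRE": {"RBAC"}, "Lance": {"SRE", "ua:US"},
	},
	Assocs: map[string]map[string]uint8{
		"SRE": {"Backend": R | W}, "ua:US": {"oa:US": R}, "Frontend": {"Backend": All},
	},
}
```

On this graph Decide(Deck, "Lance", "Instance 1") yields R overall (RBAC and Topology grant r,w; Location grants r only), while Decide(Deck, "Instance 4", "Instance 1") yields 0 because Location grants nothing even though Topology and RBAC grant everything. An unknown subject or an object with no association under one of its policy classes is denied the same way.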
  11. NGAC comparison
     • ABAC. Pros: flexibility. Cons: performance and auditability can be problematic due to the number of attributes and their combinations.
     • RBAC. Pros: simplicity. Cons: role explosion; fixed access rights; challenges meeting regulatory requirements due to granularity and auditability.
     • NGAC. Pros: high level of granularity; auditability; flexibility; combined access policies. Cons: in its early stages, it needs more high-level APIs to help users maintain the graph.
  12. Conclusions
     • ABAC is a natural fit for the class of cloud-native applications whose design is based on microservices, due to its flexibility and also because it empowers owners to create their own policies.
     • Being able to understand an access decision in a human-readable way is crucial for understanding access leaks, insecure points and forensic research.
     • Performance is key in access decisions, as making decisions in the critical path could have a huge impact on latency.
  13. References
     • NIST 800-204B: Attribute-based Access Control for Microservices-based Applications Using a Service Mesh. Chandramouli, Butcher, Chetal.
     • Imposing Fine-grain Next Generation Access Control over Database Queries. Ferraiolo, Gavrila, Katwala & Roberts.
     • Why you should choose NGAC as your Access Control model.
     • Linear Time Algorithms to Restrict Insider Access using Multi-Policy Access Control Systems. Mell, Shook, Harang & Gavrila.