A Manager’s Guide to Identity & Access Control
Stephen T. Whitlock
Chief Strategist
Information Security
The Boeing Company
BOEING is a trademark of Boeing Management Company.
Copyright © 2008 Boeing. All rights reserved.
Privilege Management in Eight Words
Boeing Technology | Information Technology
Information Security

Identification: “Who are you?”
Authentication: “Prove it!”
Authorization: “Here’s your stuff...”

• Identification: The presentation of an identifier so that the system can recognize and distinguish the presenter from other principals
• Authentication: The exchange of information in order to verify the claimed identity of a principal
• Authorization: The granting of rights, including access, to a principal, by the proper authority

Principal: An entity (people, devices, applications, etc.) whose identity can be authenticated

Reference: Open Group XDSF (X/Open Distributed Security Framework), ISO 10181-3
ISO Authorization Model

Components and flows, as drawn on the slide:
• The Principal sends its Identity and an Access Request to the Access Control Enforcement Function (AEF)
• The AEF grants Access to the Resource; the Resource supplies Additional Attributes back to the AEF
• The AEF passes the Request, Identity and Attributes, through a Decision Cache, to the Access Control Decision Function (ADF) and receives a Decision in return; the AEF writes Audit Logs
• Resource Labels are attached to the Resource
• The ADF consults Decision Support Information: Environmental, Resource and Principal Attributes; Identifiers; and Policy Rules
• An Admin maintains the Decision Support Information and the Policy Rules

The request side of the diagram (Principal, Access Request, Additional Attributes, Decision Cache, Audit Logs) is labelled Relatively Dynamic; the Decision Support Information, Policy Rules and Admin are labelled Relatively Static.
You Are All Wrong Right

• All decisions should be made by Policy (Rules Based Access Control)
• Access decisions must be able to consume:
  • Static decisions (Account & Resource Provisioning, etc.)
    – Attributes pulled from LDAP, Database, etc.
  • Dynamic decisions
    – SAML attributes (arrive during Authentication process)
    – X.509 attributes (also arrive during Authentication)
    – XACML attributes (arrive with Authorization request)
• Identifier + Attributes = Identity (Attribute Based Access Control)
• A Role is an attribute used to collect Principal identities for scalability (RBAC)
• A Capability is an attribute used to collect Resources for scalability (but it didn’t get an acronym)
• Identity based access control supports Discretionary Access Control (DAC) policies
• Mandatory Access Control systems require Resource Metadata
  • Labels attached to the data
  • Labels stored in a directory and linked to the data
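The ISO model above (AEF, ADF, decision cache, audit logs, decision support information) and the policy-driven decisions described on this slide, worked through as an added example; this is not code from the presentation or from Boeing. The principals, resources, directory attributes, resource labels and policy rules are all constructed for illustration.

```python
"""ISO 10181-3 style authorization: AEF + ADF + decision cache + audit log.
Policy rules, attribute stores, principals and resources are constructed."""

LEVELS = {"public": 0, "internal": 1}          # label ordering for the MAC-style rule

# Relatively static Decision Support Information (DSI): attributes an admin
# provisions in a directory/database, plus resource labels and policy rules.
DIRECTORY_ATTRS = {                            # e.g. pulled from LDAP (constructed)
    "alice": {"role": {"engineer"}, "clearance": "internal"},
    "bob":   {"role": {"backup"},   "clearance": "public"},
}
RESOURCE_LABELS = {                            # resource metadata / labels (constructed)
    "design-doc":    {"classification": "internal"},
    "press-release": {"classification": "public"},
}
POLICY_RULES = [   # each rule: (action, principal attrs, resource attrs, env) -> bool
    # Mandatory rule: the principal's clearance must dominate the resource label.
    lambda act, p, r, env: LEVELS[p["clearance"]] >= LEVELS[r["classification"]],
    # Role rule: a Role is just an attribute that groups principals; it gates WRITE.
    lambda act, p, r, env: act != "WRITE" or "engineer" in p["role"],
    # Environmental rule: writes only during business hours (hour is UTC).
    lambda act, p, r, env: act != "WRITE" or 8 <= env["hour"] < 18,
]

class DecisionFunction:
    """ADF: combines identity, dynamic attributes and static DSI under the policy."""
    def decide(self, principal, action, resource, dynamic_attrs, env):
        static = DIRECTORY_ATTRS.get(principal, {"role": set(), "clearance": "public"})
        # Dynamic attributes (SAML/X.509/XACML) may add roles but may not raise
        # clearance: only the directory, as the proper authority, asserts that.
        p = {"clearance": static["clearance"],
             "role": set(static["role"]) | set(dynamic_attrs.get("role", ()))}
        r = RESOURCE_LABELS.get(resource, {"classification": "internal"})  # unlabelled => treat as internal
        return all(rule(action, p, r, env) for rule in POLICY_RULES)

class EnforcementFunction:
    """AEF: takes identity + access request, consults the cache, then the ADF, and audits."""
    def __init__(self, adf):
        self.adf, self.cache, self.audit = adf, {}, []
    def request(self, principal, action, resource, dynamic_attrs=None, hour=10):
        dyn = dynamic_attrs or {}
        # The cache key must cover everything the decision depends on, environment included.
        key = (principal, action, resource, frozenset(dyn.get("role", ())), hour)
        if key not in self.cache:
            self.cache[key] = self.adf.decide(principal, action, resource, dyn, {"hour": hour})
        decision = self.cache[key]
        self.audit.append((principal, action, resource, "PERMIT" if decision else "DENY"))
        return decision
```

Every request is audited even when the decision came from the cache, and a cached decision is only reused for an identical (principal, action, resource, dynamic roles, environment) tuple.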
Access Control Matrix: The Authorization Ur-Text

The matrix has Principals as rows (Alice, Bob, Eve, Alpha 1 … Alpha n, Alpha Group, Backup, …) and Resources as columns (A, B, C, D); each cell holds the rights (READ, WRITE) that principal has on that resource (the exact cell contents are not recoverable from the extracted slide). Callouts on the slide:
• Bob’s row is Bob’s Capability List; column B is the Access Control List for B
• A collection of principals with the same rights forms a Group (Alpha 1 … Alpha n form the Alpha Group); a Role is a Group with a meaningful name
• Access Control System: Bob carries around Identity; the AZN System checks Principal identity
• Capability Based System: Bob carries around Capability List; the AZN System checks Resource identity
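The matrix, its column and row slices (ACLs and capability lists) and the Group/Role step, as an added example that is not part of the presentation; the principals, resources and rights in MATRIX are constructed and are not the cells drawn on the slide.

```python
"""Access control matrix sliced into ACLs and capability lists (constructed
principals, resources and rights; not the matrix drawn on the slide)."""
from collections import defaultdict

# Rows are principals, columns are resources, cells are sets of rights.
MATRIX = {
    "alice":  {"A": {"READ", "WRITE"}, "B": {"READ"}},
    "bob":    {"B": {"READ", "WRITE"}, "C": {"READ"}},
    "eve":    {"C": {"READ"}},
    "alpha1": {"A": {"READ"}, "B": {"READ"}, "D": {"READ", "WRITE"}},
    "alpha2": {"A": {"READ"}, "B": {"READ"}, "D": {"READ", "WRITE"}},
    "backup": {"A": {"READ"}, "B": {"READ"}, "C": {"READ"}, "D": {"READ"}},
}

def acl_for(matrix, resource):
    """Column slice: the ACL stored with the resource (principal -> rights)."""
    return {p: set(row[resource]) for p, row in matrix.items() if resource in row}

def capability_list_for(matrix, principal):
    """Row slice: the capability list the principal carries (resource -> rights)."""
    return {r: set(rights) for r, rights in matrix.get(principal, {}).items()}

def acl_check(matrix, principal, right, resource):
    """ACL system: the AZN system checks the principal's identity against the
    resource's ACL."""
    return right in acl_for(matrix, resource).get(principal, set())

def capability_check(capabilities, right, resource):
    """Capability system: the principal presents its capability list (which a
    real system must make unforgeable); the AZN system checks the resource identity."""
    return right in capabilities.get(resource, set())

def find_groups(matrix):
    """Principals whose rows are identical form a Group."""
    by_row = defaultdict(list)
    for p, row in matrix.items():
        by_row[frozenset((r, frozenset(rs)) for r, rs in row.items())].append(p)
    return [sorted(m) for m in by_row.values() if len(m) > 1]

def factor_role(matrix, role, members):
    """A Role is a Group with a meaningful name: replace the members' identical
    rows by one row for the role plus a membership list (RBAC)."""
    rows = [matrix[m] for m in members]
    if any(r != rows[0] for r in rows):
        raise ValueError("members do not share the same rights")
    new = {p: row for p, row in matrix.items() if p not in members}
    new[role] = rows[0]
    return new, {role: sorted(members)}
```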
Terminology Guide or Why Am I Confused?

Column headings:
• Accountable person who desires access
• User or process acting for person
• Potential actions that may be applied
• Resource subject to access control

Term sets, one row per source (person / acting entity / actions / resource):
• Subject / Subject / Rights / Object
• User Identifier / User Identifier / Access Control List / Data Identifier
• User / Initiator / Access Permissions / Target
• User / Initiator / Initiator ACL, Target ACL / Target
• Principal, Subject / Initiator, Client, Principal / Access policy rights, Privilege attributes, Control attributes / Target, Target Object
• User / Principal / Action / Resource

Sources compared: Computer Communications Security, 1994, Warwick Ford; X/Open Distributed Security Framework, 1994, The Open Group; Secure Computing: Threats and Safeguards, 1997, Rita C. Summers; Computer Security, 1996, John Carroll; CORBA Security Services Specification 1.0, 1996, Object Management Group; and the author’s own usage (“Me”). (The row-to-source pairing is not recoverable from the extracted slide.)