Security Policy Tool: Preventing Access Control Leaks; The Story Behind

Access control systems are widely used by organizations to protect company property and online assets. Examples include online services or network access such as an employee viewing company data online. These systems play an essential role in enabling specific individuals/groups to access what is required to do their job while also preventing other individuals/groups from gaining access to what is not relevant to their job.

Very generally, access control can be looked at as having two central areas: one portion of the system that makes or “enforces” decisions when a person tries to take action (e.g., scan their keycard to gain entry), and another portion that provides the information on which the system bases its decision. To provide this information, access control policies are created to instruct the system exactly what to do (e.g., Permit/Deny) when a person tries to take action. Usually, an IT Security Specialist has the responsibility of taking a general statement such as “Employees in Role A cannot access the document in Role B” and converting it into a document, written in XACML, that the access control system can understand.

Just one rule in XACML typically contains several lines of code. Take the several lines of code needed to describe each rule, multiply them by the total number of rules an organization has (e.g., 1,000), and you quickly have a large, complex document. If this XACML document contains even one error, such as a rule logic flaw, incomplete rule/policy sets, improper rule/policy combining algorithms, or others, it could result in a significant security vulnerability. If these vulnerabilities are left unfound, they may enable unintended persons to gain access to sensitive information, resulting in substantial economic or political consequences (e.g., Edward Snowden; WikiLeaks). The National Institute of Standards and Technology (NIST) identified this critical problem with access control security nearly ten years ago and has since dedicated time to researching potential solutions to minimize it. As access control grew more complex in systems (e.g., cloud, distributed systems, and IoT), it became apparent that something needed to be developed that would allow organizations to model and verify their policies more efficiently.

In 2015, NIST released its prototype solution, the Access Control Policy Tool (ACPT), to assist organizations in verifying that their access control policies are free from errors. The tool garnered a sizeable amount of interest, even being adopted by notable organizations such as NSA, MITRE, Fermilab, BAE Systems, Lockheed Martin, Raytheon, Boeing and many others. However, there were still some significant downsides. ACPT is a prototype and as a result has several limitations regarding user-friendliness, stability, and processing speed. Through the Small Business Innovation Research (SBIR) program, NIST began accepting proposals from R&D technology companies around the country for the opportunity to take the ACPT prototype and transform it into a full commercial solution. InfoBeyond Technology LLC was awarded this opportunity and has since improved ACPT significantly into what is now Security Policy Tool.

InfoBeyond Technology LLC officially launched Security Policy Tool into the commercial market in July 2017. Since becoming available, Security Policy Tool has experienced a consistent increase in customers acquired each month and has undergone several enhancements, most recently seen in the release of Version 2.0.2. It has been utilized by several notable organizations including Costco, Edmond Scientific, Honeywell, JP Morgan, REA Group, University of California San Diego, UK Government, and many others.

Security Policy Tool solves two critical problems facing organizations that utilize access control systems. It enables organizations to verify that their access control policies have been created free of vulnerabilities, and it allows them to gain confidence that the intended access decision will be made when their access control system is handling live requests. Hidden errors and flaws in access control policies (XACML) are not the only way security vulnerabilities can be created. For example, an organization could have entirely accurate policies in which some rules are nonetheless connected to, or conflict with, rules in other policies. When the system receives a request, it may incorrectly Permit or Deny the request based on a misinterpretation of these connected/conflicting rules. This is why policy modeling and verification is so important: organizations can confirm that their system will administer the intended access decision before going live. Unfortunately, organizations that do not verify their policies before deployment likely will not become aware that a vulnerability was present until after noticeable damage has already occurred (e.g., ransomware, data breach, etc.).
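The conflicting-rule failure described above, and the combining-algorithm errors mentioned earlier, as an added example that is not code from this article or from Security Policy Tool. It is a simplified Python model of three standard XACML rule-combining algorithms (Indeterminate results are not modelled), with constructed rules and attribute values, that exhaustively checks the requirement “Employees in Role A cannot access the document in Role B”.

```python
from itertools import product

# Constructed attribute values and rules (not from the article or the tool).
ROLES, DOCS, DEPTS = ["A", "B"], ["A", "B"], ["audit", "sales"]

# Each rule: (effect, condition). Every rule looks reasonable on its own;
# the first one was written for auditors and overlaps the final Deny.
RULES = [
    ("Permit", lambda r: r["dept"] == "audit"),
    ("Permit", lambda r: r["role"] == r["doc"]),
    ("Deny",   lambda r: r["role"] == "A" and r["doc"] == "B"),
]


def evaluate(rules, request, algorithm):
    """Combine the effects of all applicable rules (Indeterminate is not modelled)."""
    effects = [effect for effect, applies in rules if applies(request)]
    if not effects:
        return "NotApplicable"
    if algorithm == "first-applicable":
        return effects[0]
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError(f"unknown combining algorithm: {algorithm}")


def find_leaks(rules, algorithm):
    """Enumerate every request and return those that violate the intent:
    'Employees in Role A cannot access the document in Role B'."""
    leaks = []
    for role, doc, dept in product(ROLES, DOCS, DEPTS):
        request = {"role": role, "doc": doc, "dept": dept}
        forbidden = role == "A" and doc == "B"
        if forbidden and evaluate(rules, request, algorithm) == "Permit":
            leaks.append(request)
    return leaks


if __name__ == "__main__":
    for algorithm in ("deny-overrides", "permit-overrides", "first-applicable"):
        print(f"{algorithm:17} leaks: {find_leaks(RULES, algorithm)}")
```

The same three rules uphold the requirement under deny-overrides and leak under the other two algorithms, which is the kind of error that only shows up when the combined policy is tested against the intended decisions.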

Security Policy Tool is especially valuable for organizations that are required to create large amounts of policies/rules to define their organization-wide access privileges. They gain this value from the tool’s capability to compose access control models, define rules and policies, test and verify the access control security of their modeled policies, and finally convert their models into XACML automatically. These features provide key savings in the time and cost required to create and verify secure access control policies. The security specialist can further edit their XACML policies in the powerful XACML editor included in the software. The editor has been designed with the user in mind: it helps them avoid creating errors by providing suggestions and warnings based on the XACML 2.0/3.0 standards.

With Security Policy Tool, IT Security Specialists can gain confidence in their access control security while also experiencing savings in the time required to analyze their policies for errors and vulnerabilities. If your organization utilizes an access control system to protect its online assets, then you should be leveraging Security Policy Tool today!

As a Limited Time promotion, the Free Lite Version is delivering more value than ever. By signing up right now, users can define up to 25 attribute values compared to the standard (non-promotional) limit of 10 attribute values. Included with the Free Lite Version are industry examples to get you started as well as the powerful XACML Editor with no limitations.

Gain the benefits of access control policy modeling, testing, and verification: sign up for an account today! Click here -> https://securitypolicytool.com/demo