SAML, XACML - PowerPoint PPT Presentation


Transcript and Presenter's Notes

1
SAML, XACML & the Terrorism Information Sharing Environment
  • Interoperable Trust Networks
  • XML Community of Practice
  • February 16, 2005
  • Martin Smith
  • Program Manager for IT Information Sharing
  • DHS CIO Office

2
The Information-Sharing Environment: Vision of EO 13356
  • EO 13356, Aug 27, 2004, called for establishment of an interoperable terrorism information sharing environment to facilitate automated sharing of terrorism information
  • Interagency group in the homeland-security mission space (OMB Chair, DHS, IC, DOD, DOJ, others) delivered recommendations to the President 12/24/2004
  • Vision was a National shared information-sharing environment, based on SOA
  • An environment, not a network: the boundary is defined by flexible access control

2/16/2005
2
3
Access-Control Requirements
  • Federated, to support a common pool of credentials, roles and permissions with distributed maintenance
      • harvest existing trust relationships at Federal, regional and local levels
  • Fine-grained: for this application, need accountability to the individual person and the individual transaction
      • sharing requires control
      • comprehensive audit capability
  • Beyond RBAC, to ABAC and PBAC

4
Implication: look to the converging Liberty Alliance/SAML architecture
Source: "Liberty Identity System Role in Securing Web Services", Slava Kavsan, Chief Technologist, RSA Security Inc.
5
Key XML Standard: Security Assertion Markup Language (SAML)
  • Basis for exchanging detailed info (credentials, attributes, preferences) to support access decisions
  • Architecture includes federation capability
  • Standardization status:
      • 02-Sept-2003: SAML V1.1 approved as an OASIS Standard.
      • 16-Feb-2005: Voting begins on approval of SAML V2.0 specifications and schemas as an OASIS Standard. Ballot closes 28-Feb-2005.
      • SAML V1.1 not backward compatible with V1.0

6
Policy-based Access Control
  • Metadata on the Content: classification = Secret; us_citizen = Yes
  • Metadata on the User (held in the Directory)
  • Environment: Threat Level Orange
  • Policy Authority (Rules Engine) produces the Access Decision
  • Policy Authority Business Rules:
    If Data.classification < User.clearance
    And User.duty = Intelligence Analyst
    And (Data.us_citizen = No OR User.employer NOT = CIA OR Env.Threat_Level = Red)
    Then Grant Access
7
More on PBAC
  • Framework to determine appropriate distribution (mandatory access control and need-to-know), required to automate access decisions
  • Three sources of data (about the content, about the requestor, about the environment or situation) plus the policy rule-set
  • Key assertion: the distribution decision is not made by the data custodian
  • Separation of concerns: the originator is the expert on the content; the directory holds user credentials and roles; policy is created by management
  • Benefits of implementing the model for the sharing environment:
      • Order-of-magnitude gain in speed, cost, consistency of decisions
      • Instant, consistent response to changes in environment or in policy
      • Can be implemented gradually, via a "refer to human decision" option
      • Superior alternative to originator control; can be enforced via digital rights management technologies
      • Automated process can provide full audit, data for process improvement

8
Key XML Standard: Extensible Access-Control Markup Language (XACML)
  • Supports greatly increased complexity of access-control decisions: capable of applying business rules and not just roles
      • provides a method for basing an authorization decision on attributes of the subject and resource
      • designed to be used by policy decision points in the Liberty/SAML architecture
  • Not the only policy language, but the leading contender for the access-control application
      • access control vs. digital rights management
  • Standardization status:
      • XACML 2.0 and all the associated profiles approved as OASIS Standards on 1 February 2005
      • eXtensible Access Control Markup Language (XACML) Version 1.0 OASIS Standard, 18 February 2003
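The PBAC model of slides 6 and 7 (a rules engine deciding over three attribute sources: the content, the requestor and the environment) and XACML's role on slide 8 (the language a policy decision point evaluates) can be made concrete in a few dozen lines. The Python below is an added example, not code from the deck, from the presenter's program or from any XACML implementation: it is a minimal policy decision point that evaluates the slide 6 business rule and returns an XACML-style Permit/Deny/Indeterminate decision with an audit record. The attribute names, the clearance ordering, the sample requests and the human-referral handling are this example's assumptions; in particular the slide transcribes the classification comparison as "lt", which the example reads as "clearance at or above classification" so that a Secret-cleared analyst can read Secret data.

```python
# Added example (not from the slide deck): a minimal PBAC policy decision point
# evaluating the slide 6 business rule over slide 7's three attribute sources.
# Attribute names, clearance ordering and sample requests are assumptions.
from dataclasses import dataclass
from typing import Dict, List

# Assumed total order of classification levels, lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
PERMIT, DENY, INDETERMINATE = "Permit", "Deny", "Indeterminate"


@dataclass(frozen=True)
class Decision:
    result: str            # Permit, Deny or Indeterminate (XACML-style outcomes)
    reason: str            # recorded for audit and for human referral
    audit: Dict[str, str]  # who asked for what: slide 3's per-person, per-transaction accountability


def dominates(clearance: str, classification: str) -> bool:
    """True when the requestor's clearance is at or above the data's level.
    The slide writes the comparison as 'lt'; 'at or above' is this example's reading."""
    return LEVELS[clearance] >= LEVELS[classification]


def slide6_rule(data: Dict[str, str], user: Dict[str, str], env: Dict[str, str]) -> bool:
    """Slide 6 business rule as a predicate:
    If Data.classification <= User.clearance And User.duty = Intelligence Analyst
    And (Data.us_citizen = No OR User.employer NOT = CIA OR Env.Threat_Level = Red)
    Then Grant Access."""
    return (
        dominates(user["clearance"], data["classification"])
        and user["duty"] == "Intelligence Analyst"
        and (data["us_citizen"] == "No"
             or user["employer"] != "CIA"
             or env["Threat_Level"] == "Red")
    )


# Attributes each source must supply before the rule can be evaluated at all.
REQUIRED = {"data": ("classification", "us_citizen"),
            "user": ("id", "clearance", "duty", "employer"),
            "env": ("Threat_Level",)}


def decide(data: Dict[str, str], user: Dict[str, str], env: Dict[str, str],
           transaction_id: str) -> Decision:
    """Policy decision point: a missing or unknown attribute yields Indeterminate
    (the case slide 7's 'refer to human decision' option exists for), a matching
    rule yields Permit, and anything else is Deny, so the default is to withhold."""
    audit = {"transaction": transaction_id,
             "subject": user.get("id", "<unknown>"),
             "classification": data.get("classification", "<missing>"),
             "threat_level": env.get("Threat_Level", "<missing>")}
    sources = {"data": data, "user": user, "env": env}
    for name, attrs in REQUIRED.items():
        missing = [a for a in attrs if a not in sources[name]]
        if missing:
            return Decision(INDETERMINATE, f"missing {name} attribute(s): {missing}", audit)
    if data["classification"] not in LEVELS or user["clearance"] not in LEVELS:
        return Decision(INDETERMINATE, "unknown classification or clearance level", audit)
    if slide6_rule(data, user, env):
        return Decision(PERMIT, "slide 6 business rule matched", audit)
    return Decision(DENY, "no rule granted access (deny by default)", audit)


def needs_human_review(decision: Decision) -> bool:
    """Gradual rollout per slide 7: only Indeterminate results go to a person."""
    return decision.result == INDETERMINATE


# Constructed sample attributes; content and environment mirror slide 6.
CONTENT = {"classification": "Secret", "us_citizen": "Yes"}
ORANGE = {"Threat_Level": "Orange"}
RED = {"Threat_Level": "Red"}
DHS_ANALYST = {"id": "analyst-01", "clearance": "Secret",
               "duty": "Intelligence Analyst", "employer": "DHS"}
CIA_ANALYST = {"id": "analyst-02", "clearance": "Top Secret",
               "duty": "Intelligence Analyst", "employer": "CIA"}


def demo() -> List[str]:
    """Run the constructed requests and return the decision results in order."""
    requests = [
        ("t1", CONTENT, DHS_ANALYST, ORANGE),  # Permit: employer is not CIA
        ("t2", CONTENT, CIA_ANALYST, ORANGE),  # Deny: US-person data, CIA, not Red
        ("t3", CONTENT, CIA_ANALYST, RED),     # Permit: threat level Red
        ("t4", CONTENT, {**DHS_ANALYST, "clearance": "Confidential"}, ORANGE),  # Deny: clearance too low
        ("t5", CONTENT, {k: v for k, v in DHS_ANALYST.items() if k != "duty"}, ORANGE),  # Indeterminate
    ]
    results = []
    for tid, data, user, env in requests:
        d = decide(data, user, env, tid)
        results.append(d.result)
        flag = "  -> refer to human" if needs_human_review(d) else ""
        print(f"{tid}: {d.result:<13} {d.reason}  audit={d.audit}{flag}")
    return results


if __name__ == "__main__":
    demo()
```

The split between `slide6_rule` (policy authored by management), the attribute dictionaries (content metadata from the originator, user attributes from the directory, threat level from the environment) and `decide` (the rules engine) is the separation of concerns slide 7 argues for: changing the threat level or the rule changes every subsequent decision without touching the data or the custodian. Every decision carries an audit record keyed to the transaction and the subject, which is what slide 3's accountability requirement and slide 7's "full audit" benefit depend on.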