Unpacking Next Generation Access Control (NGAC) and Tetrate Q

David Ferraiolo of NIST and Tetrate’s Ignasi Barrera presented on Next Generation Access Control at Tetrate’s Service Mesh Day 2019 in San Francisco.

Ferraiolo gave an in-depth presentation on Next Generation Access Control (NGAC), an ANSI/INCITS standard that boldly goes where no RBAC or ABAC has gone before. NGAC enables diverse access control policies to be specified and enforced in combinations. And while NGAC can be deployed in various environments, Tetrate’s Ignasi Barrera joined Ferraiolo to demonstrate its implementation in a service mesh where it’s capable of providing a complete authorization framework.

What it’s for

It’s not possible to present a complete list of the policies and use cases that could be implemented with NGAC, but let’s take a look at a wide range of its capabilities:

| Use case | Objective | Example |
| --- | --- | --- |
| Combat role explosion | Onboard existing RBAC configurations to mitigate role explosion problem and leverage NGAC features. | A bank moving to NGAC uses existing RBAC configurations to assign privileges across bank branches and roles without multiplying the work of configuration. |
| Central audit & access tracking | Provide information on who accessed what, when and why, or why access was denied, at any point in time. (This is challenging in rule-based and ABAC systems) | Organization can collect actionable data |
| Policy review | Give an overview of the security of the system and the actual policies on any given resource. | User can review and discover resources to answer the questions: “What are the objects a particular user has access to?” “Who can access a particular object?” “Why can’t a user access an object?” |
| Permission inheritance | Permissions match the team hierarchy of the organization and are inherited up the user and object hierarchies | Read access capabilities are inherited up from tellers to loan officers and auditors, while the readable objects (loans, accounts, all bank products) are set granularly. |
| Location based policies | Enforce policies based on the location of the source and targets of the policies. | Access or writing is limited to users requesting access from a given country. In this example, NGAC allows you to build GDPR-compliant policies. |
| Time based policies | Constrain when resources can be accessed. This can be done in combination with other policies to enforce time based policies just to a subset of users. | Access is restricted to business hours. |
| Delegation | Control who can manage the NGAC policies. | An administrator can create associations to delegate privileges to another administrator. For example, an admin can delegate group creation and deletion to a group manager. |
| Prohibition | Users are denied the ability to perform operations on objects in an object set. | A bank teller can read and write accounts, but is prohibited from writing to their own account. |
| Obligation | An event or event pattern triggers a response. | A user finishes reading a book and no longer has access to it; nested obligations can be used for workflow. |
| Non-repudiation | A privilege can be uniquely assigned. | A single gatekeeper is assigned to personally approve workflow. |
| NGAC-enabled applications | Create an application that captures much of the logic that’s typically implemented through access control logic | Create a calendar where users are able to read and write information and to distribute the ability to read/write data. |
| Other policies… | RBAC, DAC, address communities of interest, history-based separation of duty, conflict of interest, forms of confinement, and more… | …it’s impossible to go through every policy NGAC is capable of configuring… |

In summary, said Ferraiolo, we’re able to create a “virtual multi-cloud enterprise,” to specify and enforce combinations of dynamic and static policies, to combine discretionary and role-based access control across the virtual environment, and to review policy and analytics across all that data.

How it works

The NGAC framework comprises a set of relations and functions following an attribute-based access control model.

  • Types of objects: resource objects, and data elements and relations used to express access control policies.
  • Types of operations: resource operations (e.g., read, write), and administrative operations for configuring data elements and relations.
  • Functions for: trapping and enforcing policy on access requests, computing decisions to accommodate or reject those requests based on the current state of the data elements and relations, and automatically altering access state when specified events occur.

The targets of access are objects: resource objects, like the ones most people associate with access control, and a set of data elements and relations that define the targets of policy support.

NGAC recognizes two types of operations: resource operations, and administrative operations for configuring the access control data to realize policy state.

And there’s also a dynamic component: It has a set of functions for computing decisions to accommodate access requests based on the current state of the access control data, and a function for automatically altering access state in the face of certain events.

NGAC Framework

Ferraiolo described NGAC architecture in detail, noting along the way that users can actually see the resources they have access to, across a multitude of clouds, in advance of doing an access control check and without knowing where the data actually resides.

While the methods for performing operations on resources are implemented in the RAP and the methods for manipulating and retrieving access control data are implemented in the PEP, the event processing point (EPP) generates a central log of access events that can be used for a central audit across multiple clouds.

The data elements and relations that comprise access control data provide the basic ingredients that can be used for expressing a surprisingly large number of access control policies. One novel aspect of NGAC is that with this fresh look at the authorization representation model, access decisions and policy evaluations can be done in linear time, no matter how large the number of elements is. This allows NGAC to be performant at scale.

Among these data elements and relations are basic elements like user access rights and resource operations; three types of containers (user attributes, object attributes and policy classes); and a set of relations that are just assignments that can be used to derive privileges, model prohibitions, and accommodate dynamic event responses.

Users can be assigned to their user attributes, which can be any characterization of a user: a role in an organizational unit, or any other characterization such as eye color, political affiliation, etc. Object attributes characterize data, marking it sensitive or confidential, for instance (though again, any characterization can be represented). In addition to assignments, there are policy classes that can affiliate certain users, objects, or their attributes to an access control policy.

An administrative or resource privilege is a derived relation. And the algorithm for determining a privilege is based on combinations of policy and policy classes that give users access to protected elements.
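
The derivation described above, as an added example (not code from the NGAC standard, NIST or Tetrate Q): a privilege holds only if, in every policy class that contains the object, some association links one of the user's attributes to one of the object's attributes, and no prohibition applies. The `PolicyGraph` class, the bank graph and all node names are constructed assumptions, and prohibitions are simplified to a single object attribute.

```python
from collections import defaultdict

class PolicyGraph:
    def __init__(self, policy_classes):
        self.pcs = set(policy_classes)
        self.parents = defaultdict(set)  # assignment edges: node -> its containers
        self.associations = []           # (user attribute, operations, object attribute)
        self.prohibitions = []           # (user or user attribute, operations, object attribute)

    def up(self, node):
        """Return node plus every container reachable through assignments."""
        seen, stack = {node}, [node]
        while stack:
            for parent in self.parents.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen

    def decide(self, user, op, obj):
        """Return (granted, reason) so a denial can be explained and audited."""
        u_up, o_up = self.up(user), self.up(obj)
        for subject, ops, target in self.prohibitions:
            if subject in u_up and target in o_up and op in ops:
                return False, f"prohibition on {subject}: {op} on {target}"
        pcs = sorted(o_up & self.pcs)
        if not pcs:
            return False, "object is in no policy class"
        # The privilege must be derivable in every policy class containing the object.
        for pc in pcs:
            if not any(ua in u_up and op in ops and at in o_up and pc in self.up(at)
                       for ua, ops, at in self.associations):
                return False, f"no association grants {op} under {pc}"
        return True, f"granted under {', '.join(pcs)}"

def bank_policy():
    """Constructed sample graph; every name below is an assumption."""
    g = PolicyGraph({"RolePC", "BranchPC"})
    for child, parent in [
            ("alice", "Teller"), ("alice", "Branch1Staff"),
            ("bob", "Teller"), ("bob", "Branch2Staff"),
            ("acct-alice", "Accounts"), ("acct-alice", "Branch1Data"),
            ("acct-carol", "Accounts"), ("acct-carol", "Branch1Data"),
            ("acct-alice", "AliceOwn"), ("Accounts", "RolePC"), ("Branch1Data", "BranchPC")]:
        g.parents[child].add(parent)
    g.associations = [("Teller", {"read", "write"}, "Accounts"),
                      ("Branch1Staff", {"read", "write"}, "Branch1Data")]
    g.prohibitions = [("alice", {"write"}, "AliceOwn")]
    return g
```

Here `bob` is a teller but belongs to another branch, so the role policy class is satisfied while the branch policy class is not, and the returned reason names the class that blocked the request.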

Tetrate Q

Building on NGAC, Tetrate Q is a project to empower a complete authorization framework for distributed and multi-cloud architectures. Tetrate’s Ignasi Barrera presented a quick demonstration showing how to implement secure service-to-service communications with NGAC, as well as other use cases that are important but difficult to do with existing systems.

We consume most applications today from our mobile phones, tablets and laptops. As we travel around the world, we consume data provided by our apps from their different locations. So it’s more important than ever, noted Barrera, to be sure the data is consumed not just by the right people but under the right conditions. Barrera used a simple UI built on top of Ferraiolo’s graphs to show how access privileges to a service with three deployments in different regions could be easily confined to a specific location or region or a short period of time. The demo also illustrated how a user could see why access was granted or denied, based on the satisfaction of three policy classes: role, location and time.

“This is possible because of NGAC,” said Barrera. “You can nicely compose policies while keeping the semantics of your system.”

Visit tetrate.io for more information on Tetrate Q.

Also check out Tetrate’s Service Mesh Day interview with David Ferraiolo that provides a quick overview of NGAC:

David Ferraiolo, NIST
