Application and Network Resource Access Control
Controlling access to enterprise resources is of utmost importance for the effective and secure functioning of an enterprise. Access control comprises authentication and authorization: the former verifies the identity and credentials of a user or other entity when access is attempted, whereas the latter determines which actions are allowed on the resources to which access has been granted. A modern enterprise has to provide resource access control (RAC) for a wide variety of resources, from (ISO/OSI) layer 1 to layer 7 (L1–L7). Typically, access to application, server, and storage (L7) resources is controlled by an application RAC (ARAC) system, and access to network resources by a network RAC (NRAC) system.
In an enterprise, ARAC and NRAC are performed separately. As a result, the frameworks or systems that manage them are also separate, which hinders the security and effectiveness of RAC, since neither system can take the other's context into account when making a decision. Hence integration or interoperation of ARAC and NRAC is needed.
Access to resources is controlled via policies managed by a policy management framework (PMF) or system. Policies are specified in a policy specification language (PSL), whose policy elements include the subject attempting access, the resource to which the subject requests access, the action the subject wants to perform on the resource, a policy rule condition that must be satisfied, and so on. Integration or interoperation of ARAC and NRAC requires an enhanced PSL model, in particular extended definitions of subject, resource, and policy rule. Two of the major components of a PMF are the policy decision point (PDP) and the policy enforcement point (PEP). The former typically resides outside the resources being access controlled, whereas the latter is embedded within the resource concerned. The PDP manages enterprise-wide centralized policies, whereas the PEP manages and enforces policies locally on the resource. A request by a subject to access a resource is intercepted by the PEP, which may then forward the request to a PDP for a (centralized) policy decision. In an integrated or interoperated ARAC and NRAC (IA/NRAC), the PDP and PEP components of the two systems interact with each other, improving the security and effectiveness of enterprise-wide RAC. In addition, in an IA/NRAC, an ARAC PEP may be embedded within the network (in a network device or network OS).
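The following is an added illustration, not code from the chapter or from any of the policy frameworks it references: a toy PDP with a common rule vocabulary (subject, resource, action, condition) for both application and network resources, and a PEP that, when embedded in the network, enriches the request with the segment the subject is attached to before forwarding it to the PDP. The attribute names, the rule format, the deny-overrides combining and the sample policies are all constructed assumptions for this example and are not XACML or the chapter's own model.

```python
"""Added example: a toy policy decision point (PDP) and enforcement point (PEP)
sharing one policy vocabulary for application (ARAC) and network (NRAC) access.
Attribute names, rule format and sample policies are constructed for
illustration; they are neither the chapter's model nor an XACML profile."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass
class Request:
    subject: Attrs   # who is asking, including network context (segment)
    resource: Attrs  # what is asked for: an application or a network segment
    action: str      # read/write for applications, join/forward for the network


@dataclass
class Rule:
    effect: str                   # "Permit" or "Deny"
    target: Attrs                 # e.g. {"subject.role": "finance", "action": "read"}
    condition: Callable[[Request], bool] = lambda _r: True

    def applies(self, req: Request) -> bool:
        # Flatten the request so targets can name subject.*, resource.* and action.
        flat = {f"subject.{k}": v for k, v in req.subject.items()}
        flat.update({f"resource.{k}": v for k, v in req.resource.items()})
        flat["action"] = req.action
        if not all(flat.get(k) == v for k, v in self.target.items()):
            return False
        return self.condition(req)


class PDP:
    """Central decision point: deny-overrides combining, default Deny."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, req: Request) -> str:
        effects = {r.effect for r in self.rules if r.applies(req)}
        if "Deny" in effects:
            return "Deny"
        return "Permit" if "Permit" in effects else "Deny"


class PEP:
    """Enforcement point embedded in a resource. A network-embedded PEP knows
    which segment the subject is attached to and adds that to the request
    before asking the PDP; this is what lets application rules depend on
    network context (assumed attribute name: "segment")."""
    def __init__(self, pdp: PDP, attached_segment: str):
        self.pdp = pdp
        self.attached_segment = attached_segment
        self.audit: List[Tuple[str, str, str]] = []

    def enforce(self, req: Request) -> str:
        enriched = Request({**req.subject, "segment": self.attached_segment},
                           req.resource, req.action)
        decision = self.pdp.decide(enriched)
        self.audit.append((str(req.subject.get("id")), req.action, decision))
        return decision


# Constructed sample policy covering both kinds of resource.
TRUSTED_SEGMENTS = {"corp-finance", "vpn"}
POLICY = [
    # ARAC rule with a network condition: the ledger application is readable
    # by finance staff only when they are attached to a trusted segment.
    Rule("Permit",
         {"subject.role": "finance", "resource.type": "application",
          "resource.name": "ledger", "action": "read"},
         lambda r: r.subject.get("segment") in TRUSTED_SEGMENTS),
    # NRAC rule: finance staff may be placed on the finance segment
    # (the kind of decision an 802.1X/RADIUS exchange would enforce).
    Rule("Permit",
         {"subject.role": "finance", "resource.type": "network_segment",
          "resource.name": "corp-finance", "action": "join"}),
    # Cross-cutting deny: nothing classified "restricted" from the guest segment.
    Rule("Deny",
         {"resource.classification": "restricted"},
         lambda r: r.subject.get("segment") == "guest"),
]
pdp = PDP(POLICY)


def run_scenarios() -> Dict[str, str]:
    """Four constructed requests through PEPs embedded in different places."""
    alice = {"id": "alice", "role": "finance"}
    bob = {"id": "bob", "role": "contractor"}
    ledger = {"type": "application", "name": "ledger", "classification": "restricted"}
    fin_seg = {"type": "network_segment", "name": "corp-finance"}
    app_pep_finance = PEP(pdp, "corp-finance")  # app PEP reached from finance VLAN
    app_pep_guest = PEP(pdp, "guest")           # same app reached from guest Wi-Fi
    switch_pep = PEP(pdp, "unauthenticated")    # NRAC PEP on the access switch
    return {
        "alice_reads_ledger_from_finance": app_pep_finance.enforce(Request(alice, ledger, "read")),
        "alice_reads_ledger_from_guest": app_pep_guest.enforce(Request(alice, ledger, "read")),
        "alice_joins_finance_segment": switch_pep.enforce(Request(alice, fin_seg, "join")),
        "bob_joins_finance_segment": switch_pep.enforce(Request(bob, fin_seg, "join")),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The point of the example is the second scenario: the same user with the same role is denied the same application action purely because the network-embedded PEP reports a different segment, a decision a stand-alone ARAC system could not make. Deny-overrides is chosen so that the cross-cutting network rule wins over any application-level Permit; a real deployment would also need to authenticate the segment attribute the PEP supplies, since the PDP trusts it.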
Employing detailed use cases (involving policy specification and the interaction between PDP, PEP, and other components or entities), this chapter discusses the functioning of ARAC and NRAC, their integration and interoperation, enhanced definitions of policy specification elements that provide a common model for ARAC and NRAC policy specification, network-based or network-embedded ARAC (an application PEP in the network), and possible use cases of IA/NRAC in a Cloud environment.
Keywords: Public Cloud, Network Device, Access Control Policy, Policy Decision Point, Network Segment