Learn about the implementation of SAML and XACML in the terrorism information sharing environment, enabling secure and efficient automated sharing of terrorism information.
SAML, XACML & the Terrorism Information Sharing Environment
Martin Smith, Program Manager for IT Information Sharing, DHS CIO Office
“Interoperable Trust Networks”, Justice GLOBAL, April 28, 2005 (v. 20050428b)
The Information-Sharing Environment: Vision of Executive Order 13356
• EO 13356, Aug 27, 2004, called for “establishment of an interoperable terrorism information sharing environment to facilitate automated sharing of terrorism information”
• Interagency group in the homeland-security mission space (OMB chair, DHS, IC, DOD, DOJ, others) delivered recommendations to the President on 12/24/2004
• Vision was a national shared information-sharing “environment”, based on SOA
• “Environment”, not “network”: boundary defined by flexible access control
Access-Control Requirements
• “Federated” to support a common pool of credentials, roles and permissions with distributed maintenance
  • “harvest” existing trust relationships at Federal, regional and local levels
• Fine-grained: for this application, need accountability to the individual person and the individual transaction
  • sharing requires control
  • comprehensive audit capability
• Beyond RBAC, to ABAC and PBAC
Implication: look to the converging Liberty Alliance/SAML architecture
Source: “Liberty Identity System Role in Securing Web Services”, Slava Kavsan, Chief Technologist, RSA Security Inc.
Key XML Standard: Security Assertion Markup Language (SAML)
• Basis for exchanging detailed info (credentials, attributes, preferences) to support access decisions
• Architecture includes federation capability
• Standardization status:
  • 02-Sept-2003: SAML V1.1 approved as an OASIS Standard
  • 16-Feb-2005: voting begins on approval of the SAML V2.0 specifications and schemas as an OASIS Standard; ballot closes 28-Feb-2005
• SAML V1.1 is not backward compatible with V1.0
Policy-Based Access Control (PBAC)
[Diagram: three inputs feed a Policy Authority (rules engine), which produces the Access Decision: metadata on the content (classification = “Secret”, us_citizen = “Yes”), metadata on the user (from the directory), and metadata on the environment (Threat Level = Orange).]
Policy Authority business rules:
  If Data:classification <= User:clearance
  And User:duty = “Intelligence Analyst”
  And ( Data:us_citizen = “No” OR User:employer NOT= “CIA” OR Env:Threat_Level = “Red” )
  Then Grant Access
More on PBAC
• Framework to determine appropriate distribution (mandatory access control and need-to-know), required to automate access decisions
• Three sources of data (about the content; about the requestor; about the environment or situation) plus a policy rule-set
• Key assertion: the distribution decision is not made by the data custodian
• “Separation of concerns”: the originator is the expert on the content; the directory holds user credentials and roles; policy is created by management
• Benefits of implementing the model for the sharing environment:
  • Order-of-magnitude gain in speed, cost and consistency of decisions
  • Instant, consistent response to changes in the environment or in policy
  • Can be implemented gradually, via a “refer to human decision” option
  • Superior alternative to originator control; can be enforced via digital rights management technologies
  • Automated process can provide full audit, and data for process improvement
Key XML Standard: Extensible Access-Control Markup Language (XACML)
• Supports greatly increased complexity of access-control decisions: capable of applying “business rules” and not just roles
  • “provide a method for basing an authorization decision on attributes of the subject and resource.”
• Designed to be used by “policy decision points” in the Liberty/SAML architecture
• Not the only policy language, but the leading contender for access-control applications
  • access control ~= digital rights management
• Standardization status:
  • XACML 2.0 and all the associated profiles approved as OASIS Standards on 1 February 2005
  • eXtensible Access Control Markup Language (XACML) Version 1.0 approved as an OASIS Standard on 18 February 2003
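The PBAC slides describe the decision as a rule-set applied to three attribute sources (content, user, environment) by a policy decision point, with a deny-by-default outcome, a “refer to human decision” fallback and a full audit record, which is also the division of labour XACML's policy decision point and policy enforcement point formalize. The following Python model is an added example, not code from the presentation or from any XACML implementation; it does not use XACML syntax. The attribute names, the ordering of classification levels, the `Request`/`Decision` types and the sample requests are assumptions made for illustration. It evaluates the business rule from the PBAC slide as written and shows how a change in the environment (threat level) or a missing attribute changes the outcome.

```python
"""Toy policy decision point (PDP) that evaluates the PBAC business rule shown
on the slides over the three attribute sources (content, user, environment).
Added example; not code from the presentation or from any XACML product.
Attribute names, the clearance ordering and the sample requests are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, REFER = "Permit", "Deny", "Refer"   # Refer = "refer to human decision"

# Assumed ordering of classification levels, lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


class MissingAttribute(Exception):
    """Raised when a rule needs an attribute that no source supplied."""


@dataclass
class Request:
    resource: Dict[str, str]      # metadata on the content, supplied by the originator
    subject: Dict[str, str]       # metadata on the user, supplied by the directory
    environment: Dict[str, str]   # metadata on the situation, e.g. threat level


@dataclass
class Decision:
    outcome: str
    reason: str


def attr(source: Dict[str, str], name: str) -> str:
    if name not in source:
        raise MissingAttribute(name)
    return source[name]


def level(label: str) -> int:
    if label not in LEVELS:
        raise MissingAttribute(f"unknown classification level {label!r}")
    return LEVELS[label]


def rule_share_with_analyst(req: Request) -> bool:
    """Transcription of the slide's rule:
    If Data:classification <= User:clearance And User:duty = "Intelligence Analyst"
    And (Data:us_citizen = "No" OR User:employer NOT= "CIA" OR Env:Threat_Level = "Red")
    Then Grant Access."""
    data, user, env = req.resource, req.subject, req.environment
    return (
        level(attr(data, "classification")) <= level(attr(user, "clearance"))
        and attr(user, "duty") == "Intelligence Analyst"
        and (
            attr(data, "us_citizen") == "No"
            or attr(user, "employer") != "CIA"
            or attr(env, "threat_level") == "Red"
        )
    )


def decide(req: Request, rules: List[Callable[[Request], bool]]) -> Decision:
    """Deny-by-default PDP. Any rule that grants yields Permit; a rule that could
    not be evaluated for lack of an attribute yields Refer (the slide's
    "refer to human decision" option); otherwise Deny."""
    referrals = []
    for rule in rules:
        try:
            if rule(req):
                return Decision(PERMIT, f"granted by {rule.__name__}")
        except MissingAttribute as exc:
            referrals.append(f"{rule.__name__}: missing {exc}")
    if referrals:
        return Decision(REFER, "; ".join(referrals))
    return Decision(DENY, "no rule granted access")


AUDIT: List[dict] = []   # one record per transaction, for accountability and process improvement


def enforce(request_id: str, req: Request,
            rules=(rule_share_with_analyst,)) -> Decision:
    """Policy enforcement point: asks the PDP and records the full audit trail."""
    decision = decide(req, list(rules))
    AUDIT.append({"request": request_id, "resource": dict(req.resource),
                  "subject": dict(req.subject), "environment": dict(req.environment),
                  "outcome": decision.outcome, "reason": decision.reason})
    return decision


# Constructed sample data mirroring the slide: a Secret report on a US citizen,
# threat level Orange, requested by analysts cleared to Top Secret.
REPORT = {"classification": "Secret", "us_citizen": "Yes"}
ORANGE = {"threat_level": "Orange"}
FBI_ANALYST = {"clearance": "Top Secret", "duty": "Intelligence Analyst", "employer": "FBI"}
CIA_ANALYST = {"clearance": "Top Secret", "duty": "Intelligence Analyst", "employer": "CIA"}

if __name__ == "__main__":
    print(enforce("r1", Request(REPORT, FBI_ANALYST, ORANGE)))                    # Permit
    print(enforce("r2", Request(REPORT, CIA_ANALYST, ORANGE)))                    # Deny
    print(enforce("r3", Request(REPORT, CIA_ANALYST, {"threat_level": "Red"})))   # Permit
    print(enforce("r4", Request(REPORT, {"duty": "Intelligence Analyst"}, ORANGE)))  # Refer
    print(len(AUDIT), "audit records")
```

Two design points carry over to a real deployment: the rule never consults the data custodian, only the originator's content metadata, the directory's user attributes and the environment feed, so raising the threat level to Red changes every subsequent decision at once without touching the data; and a request the policy cannot evaluate is routed to a human rather than silently permitted or denied, which is what makes gradual roll-out of automated decisions safe.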