
9. Access Control Convergence

9.3. Authorization

9.3.2. Policy Management

Access control policies are used throughout the Federal Government and serve as the linchpin that enables authorization decisions for both physical and logical resources, supports audit capabilities, and controls access to information. These policies are the rules that specify how resource and entitlement attributes are used to make an access control decision.

FAQ

What is the difference between Policy-Based Access Control (PBAC) and Access Control Policies?

While both terms include the word “policy,” PBAC is just one of several access control models, which describe how access control decisions are made within an access control system. Access control policies, on the other hand, are the specific rules executed by an access control system that define which users should be granted access to which resources. Policies are found in association with each of the access control models discussed in the previous section.

Creation of secure, implementable access control policies hinges on having accurate, reliable, and timely information about the resources being protected and about the users and devices that require access to them. Pairing this information produces rules/policies that define what attributes a person must have in order to access a particular resource. Strategies for managing access control policies vary widely within the Federal Government; however, management often occurs at a local/resource level within federal agencies, where administrators modify policy to suit local operational requirements. At a general level, policy management can be broken down into a multi-step lifecycle, as depicted in Figure 19 below [45]:

Lifecycle Phase: Policy Definition

Description: Process which defines the access control policy scope and requirements for a target asset or resource. Considerations and inputs that influence the policy definition process include, but are not limited to: the environment, the users, the risks of unauthorized access, and the existing policies, rules or internal processes which currently govern access to the resource or asset. The Policy Definition phase is usually facilitated by several interviews and working sessions.

Common Activities:
• Identify the asset or resource requiring discrete access control
• Discover the environment in which access control policies will be developed and applied
• Discover the users affected by the access control policies
• Discover and document the risks associated with unauthorized access based on government standards (e.g., NIST SP 800-63, OMB M-04-04, etc.)
• Discover and document the relevant policies, rules or internal processes which influence access to the asset or resource

Lifecycle Phase: Policy Analysis

Description: Process which includes examining and analyzing the policy definition outputs and findings to help design access control policies which can be implemented. During this phase, the risks, rules, and inputs discovered are analyzed to determine the authentication token type, the access control model, the relevant authorization model, and the tools used to enforce access.

Common Activities:
• Determine the access control model required (agency-level)
• Determine the authentication token type(s) required for the enterprise based on industry standards and guidelines (e.g., NIST SP 800-63)
• Determine the access control authorization model by analyzing the policy definition outputs
• Determine the access control techniques, standards, and technologies required to enforce the access control policy
• Develop metrics to measure the effectiveness and performance of the access control policies implemented
• Conduct testing to evaluate the effectiveness and performance of access control policies

Lifecycle Phase: Policy Creation

Description: Process of expressing access control policies using access control mechanisms and technology platforms.

Common Activities:
• Build access control policies on physical or logical systems based on the access control policies, rules, and designs developed
• Develop test use cases which can be used during the access control policy evaluation phase

Lifecycle Phase: Policy Evaluation

Description: Process of testing the policy or policies designed and developed on test assets or resources.

Common Activities:
• Independently test the access control policy using the test use cases developed
• Provide test feedback to improve the access control policy created and to ensure the metrics defined are met

Lifecycle Phase: Policy Implementation & Enforcement

Description: Process of implementing the newly created or revised access control policy on a production physical or logical asset or resource, and granting or denying access requests based upon policy-based authorization decisions.

Common Activities:
• Implement the newly created or revised access control policy on a production physical or logical asset or resource
• Test the access control policy to ensure effectiveness

Lifecycle Phase: Policy Review & Revision

Description: Process which includes measuring the effectiveness of the access control policy implemented, determining whether the access control policy should be retired, or deciding whether the access control policy should be revised.

Common Activities:
• Attestation certifying the effectiveness of the access control policy in production
• Recommendations to asset or resource stakeholders when access control policy metrics are not met

Figure 19: Policy Management Lifecycle

[45] Additional information about policy management can be obtained in DoD’s Enterprise Security Management, A Context Overview, March 2009.

Modernized PACS and LACS solutions, as discussed in Chapters 10 and 11 respectively, are capable of offering policy management services at an enterprise level. Enterprise-level policy management services provide the ability to administer access control policies at a local resource level using authoritative data, common attributes, and job/role definitions through a centralized construct. The target state ICAM segment architecture does not require the use of centralized policy management services; however, certain efficiencies can be achieved by leveraging this capability. These include:

Reduced administrative burden. Local resource owners/administrators still develop access control policies to suit their specific needs; however, the administrative burden of storing and maintaining those policies falls on the centralized access control solution.

Policies based upon a common formal language. Utilizing policy management services provided by centralized access control solutions ensures that access control policies across an agency enterprise are based upon a single, common formal language and use a single access control model for enforcement.

Ability to detect and address conflict. Coordinated management across agency policies ensures that the privileges granted by different policies do not conflict or become inconsistent across the enterprise, and that any conflicts are resolved before new policies are implemented.
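The Policy Creation and Policy Evaluation phases in the lifecycle above (build the rules, then test them against use cases) and the conflict-detection benefit just described can be made concrete with a small policy decision point. The following Python example is added here and is not taken from the FICAM guidance or from any agency system. Its rule format (dictionaries mapping attribute names to the set of values that satisfy the rule), the deny-overrides and permit-overrides combining algorithms, and the sample policies and test cases are constructed assumptions for illustration, not a standard policy language.

```python
"""Small attribute-based policy decision point (PDP) illustrating policy
creation, evaluation against test use cases, and conflict detection.
Added example; the rule format is a constructed assumption, not a standard
access control policy language."""

from itertools import combinations

# A rule maps subject and resource attribute names to the set of values that
# satisfy it; an empty condition dict matches every request.


def _matches(conditions, attrs):
    """True when every condition is satisfied by the attribute bag.
    A missing attribute never satisfies a condition (attrs.get -> None)."""
    return all(attrs.get(attr) in allowed for attr, allowed in conditions.items())


def decide(policies, subject, resource, combining="deny-overrides"):
    """Evaluate every applicable rule and combine their effects.
    No applicable rule means the request is denied (default deny)."""
    effects = [p["effect"] for p in policies
               if _matches(p["subject"], subject) and _matches(p["resource"], resource)]
    if not effects:
        return "deny"
    if combining == "deny-overrides":
        return "deny" if "deny" in effects else "permit"
    if combining == "permit-overrides":
        return "permit" if "permit" in effects else "deny"
    raise ValueError("unknown combining algorithm: %s" % combining)


def find_conflicts(policies):
    """Return pairs of rule ids whose effects differ and whose conditions can
    both match the same request: every attribute both rules constrain has at
    least one value in common (an unconstrained attribute always overlaps)."""
    def overlap(c1, c2):
        return all(c1[a] & c2[a] for a in set(c1) & set(c2))

    return [(a["id"], b["id"]) for a, b in combinations(policies, 2)
            if a["effect"] != b["effect"]
            and overlap(a["subject"], b["subject"])
            and overlap(a["resource"], b["resource"])]


def run_test_cases(policies, cases, combining="deny-overrides"):
    """Run the Policy Evaluation use cases; return (id, expected, actual) for
    every case whose decision differs from what the policy author intended."""
    failures = []
    for case in cases:
        actual = decide(policies, case["subject"], case["resource"], combining)
        if actual != case["expected"]:
            failures.append((case["id"], case["expected"], actual))
    return failures


# Constructed sample policies (illustrative, not taken from any agency).
POLICIES = [
    {"id": "P1", "effect": "permit",
     "subject": {"role": {"analyst", "supervisor"},
                 "clearance": {"secret", "top-secret"}},
     "resource": {"classification": {"secret"}}},
    {"id": "P2", "effect": "deny",            # enterprise rule: no access once separated
     "subject": {"employment_status": {"terminated", "suspended"}},
     "resource": {}},
    {"id": "P3", "effect": "permit",          # local rule for contractors
     "subject": {"role": {"contractor"}},
     "resource": {"classification": {"unclassified"}}},
]

# Constructed test use cases with the decision the policy author expects.
CASES = [
    {"id": "T1", "expected": "permit",
     "subject": {"role": "analyst", "clearance": "secret", "employment_status": "active"},
     "resource": {"classification": "secret"}},
    {"id": "T2", "expected": "deny",          # separated user must lose access
     "subject": {"role": "analyst", "clearance": "secret", "employment_status": "terminated"},
     "resource": {"classification": "secret"}},
    {"id": "T3", "expected": "deny",          # no rule applies: default deny
     "subject": {"role": "contractor", "employment_status": "active"},
     "resource": {"classification": "secret"}},
    {"id": "T4", "expected": "permit",
     "subject": {"role": "contractor", "employment_status": "active"},
     "resource": {"classification": "unclassified"}},
]

if __name__ == "__main__":
    print("failures (deny-overrides):", run_test_cases(POLICIES, CASES))
    print("failures (permit-overrides):", run_test_cases(POLICIES, CASES, "permit-overrides"))
    print("conflicting rule pairs:", find_conflicts(POLICIES))
```

Run directly, the block reports no failures under deny-overrides, one failure (T2, the separated user) under permit-overrides, and flags the enterprise deny rule P2 as conflicting with both permit rules. Those conflicts are the deliberate kind that deny-overrides resolves, but surfacing them is the point: the review step can confirm the precedence is intended, and the same check catches a locally created permit rule that silently contradicts an enterprise deny before it reaches production.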