NIST Issues Access-Control GuidanceGuidelines for Access-Control Systems Evaluate Metrics
The National Institute of Standards and Technology has released an interagency report, Guidelines for Access-Control Systems Evaluation Metrics, which provides background information on access-control properties.
NIST says the guidance, NISTIR 7874, is aimed to help access control experts improve their evaluation of the highest security access-control systems by discussing the administration, enforcement, performance and support properties of mechanisms that are embedded in each access-control system. The new report extends the information in NISTIR 7316, Assessment of Access Control Systems, which demonstrates the fundamental concepts of policy, models and mechanisms of access-control systems.
Why is this guidance important? NIST explains:
Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications include some form of access control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. Access control is concerned with how authorizations are structured; in some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control.
Access-control system planning consists of three primary abstractions: Policies, models and mechanisms.
According to NIST, policies consist of high-level requirements that specify how access is managed and who may access information under what circumstances. At a high level, access-control policies are enforced through a mechanism that translates a user's access request, often in terms of a structure that a system provides.
Access-control models bridge the gap in abstraction between policy and mechanism. Rather than attempting to evaluate and analyze access-control systems exclusively at the mechanism level, access-control models are usually written to describe the security properties of an access-control system.
These systems come with a wide variety of features and administrative capabilities, and their operational impact can be significant. In particular, NIST says, this impact can pertain to administrative and user productivity, as well as to the organization's ability to perform its mission. It's reasonable to use quality metrics to verify the mechanical properties of access-control systems.
The publication provides metrics for the evaluation of AC systems based on these features:
- Administration, the main consideration of cost;
- Enforcement capabilities, the requirements for access-control applications;
- Performance, a major factor for access-control usability; and
- Support, functions allowing an access-control system to use and connect to related technologies so as to enable more efficient integration with network and host services.
"Because of the rigorous nature of the metrics and the knowledge needed to gather them, these metrics are intended to be used by access-control experts who are evaluating the highest security access-control systems," the authors of the report write.