20 December 2021
Disclaimer: Please note that the following information serves only as a guide and is not a legal document for the purposes of compliance. Every organization needs to independently confirm that Policy Based Access Control meets the requirements for their specific industry, and the responsibility of enforcement lies with the organization.
The 800-53 version of the NIST Framework provides standards and best practices for the cybersecurity strategies of organizations. PlainID’s policy-based approach to access control (PBAC) maps to a number of elements in the NIST Framework, helping ensure that your organization meets these standards.
The full framework contains more than 20 sections and 1100 controls. While a number of requirements in the NIST framework could be relevant to PlainID, we have decided to focus on three in particular that we believe map most closely to our policy based access control solution. These are AC-24 (Access Control Decisions), AC-3 (Access Enforcement), and AC-5 (Segregation of Duties).
What is AC-24?
Access Control AC-24 (Access Control Decisions) sets specifications to ensure that consistent decisions are applied before access enforcement. According to NIST, this control can be said to be in place when:
“The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.”
In PlainID’s approach, authorization policies are evaluated at run-time by the Policy Decision Point (PDP). When the access decision is reached, the PDP passes it to the access enforcement layer, which applies the decision. This model offers a clear “separation of concerns” between making access decisions and enforcing access. In this way, organization-defined access control decisions are made prior to access enforcement, per NIST’s recommendations.
The AC-3 control requires that “the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.”
Ultimately, AC-24 and AC-3 (Access Enforcement) go hand in hand to protect data while at the same time enabling smooth business processes and collaboration. The Policy Decision Point serves as the ‘judge and jury’ of approved authorizations, while the Policy Enforcement Point (PEP) enforces those authorizations when users access the data.
The advantage of the PBAC approach is that it supports several diverse methods to provide an authorization decision to the client application. This enables organizations to implement a new authorization strategy that supports a larger set of applications and platforms.
NIST Access Control AC-5, Segregation of Duties (SoD), reduces the risk of fraud, error, and access abuse by assigning different users a part of each task, so that no single user can complete a sensitive process alone.
The control states that the organization defines the duties of individuals, documents that separation, and defines information system access to support it.
The PlainID PBAC Platform supports SoD in three ways:
Authorization Management
The ability to define who can author, manage and maintain the authorization policies, and how these responsibilities can be separated by varying access levels. The PlainID solution offers a sophisticated hierarchical delegation model that ensures that separation while still allowing collaboration amongst policy authors and administrators.
Run-time Authorization
The ability to prevent SoD violations within the business process. Users are prohibited from performing conflicting actions: a user would not be able to register a vendor, register a payment to that vendor, and then approve a transaction to that vendor themselves.
Preventative Admin-time Authorization
The ability to prevent conflicting access from being granted in legacy applications. Admin-time access requires authorization data to be pre-provisioned to the application repository (a pre-authorized process). As with run-time decisions, SoD violations with conflicting capabilities can be created by a provisioning service. For example, a user from the IT department might be given access to restricted financial reports, or similar. PlainID offers restrictive policies that prevent those violations by enforcing the required controls on the provisioning process.
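To make the PDP/PEP separation (AC-24 and AC-3) and the run-time SoD check concrete, here is an added illustration that is not PlainID's code and does not reflect its data model: a minimal PDP that evaluates an SoD policy against a constructed action history, and a PEP that only ever applies the PDP's decision. The vendor/payment/approval scenario is the one described above; the action names and history format are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Decision:
    allow: bool
    reason: str


# SoD policy: for a given vendor, a user who performed any action on the
# right-hand side must not also perform the action on the left (assumed names).
CONFLICTING_ACTIONS = {
    "register_payment": {"register_vendor"},
    "approve_transaction": {"register_vendor", "register_payment"},
}


class PolicyDecisionPoint:
    """Evaluates policy; it never touches the protected resource."""

    def __init__(self, history):
        # Constructed audit history: list of (user, action, vendor) tuples.
        self.history = history

    def decide(self, user, action, vendor) -> Decision:
        prior = {a for (u, a, v) in self.history if u == user and v == vendor}
        clash = prior & CONFLICTING_ACTIONS.get(action, set())
        if clash:
            return Decision(False, f"SoD: {user} already performed {sorted(clash)} for {vendor}")
        return Decision(True, "no conflicting prior action")


class PolicyEnforcementPoint:
    """Applies the PDP's decision before the action runs; evaluates no policy itself."""

    def __init__(self, pdp):
        self.pdp = pdp

    def perform(self, user, action, vendor) -> Decision:
        decision = self.pdp.decide(user, action, vendor)  # decision first (AC-24)
        if not decision.allow:
            raise PermissionError(decision.reason)  # then enforcement (AC-3)
        self.pdp.history.append((user, action, vendor))
        return decision


def run_scenario() -> str:
    """Alice registers a vendor, Bob pays it, then Alice tries to approve the payment."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint([]))
    pep.perform("alice", "register_vendor", "acme")
    pep.perform("bob", "register_payment", "acme")
    try:
        pep.perform("alice", "approve_transaction", "acme")
        return "alice approved"
    except PermissionError as err:
        return str(err)
```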
PlainID’s PBAC solution maps effortlessly to the NIST Framework.
The visual representation results in a simplified platform that provides full visibility of otherwise complex, intertwined policies. For a more in-depth look at our platform, or if you have further questions on how we can help with these compliance requirements, request a demo of PlainID’s policy-based approach.