NGAC vs. XACML: What’s Really the Difference?Oren Harel May 22, 2017
The growing complexity in managing access to sensitive data has prompted an ongoing evolution of access control policy and led to the definition of NGAC – a system that offers fine-grained authorization policy creation and management within the complex ecosystem of the perimeter-less enterprise network.
NGAC follows on the heels of XACML (Extensible Access Control Markup Language), an earlier ABAC (Attribute Based Access Control) standard. At first glance, it can be hard to see the advantages of one over the other.
Both XACML and NGAC offer flexible, mechanism-independent representations of policy rules. But, as pointed out in NIST’s comprehensive, Comparison of ABAC Standards for Data Services: XACML and NGAC, XACML’s approach involves defining policies using logical formulas with attribute values; NGAC uses enumeration involving configurations of relations.
So, is there a real difference? And how do you make that determination? Here’s what differentiates NGAC from other approaches and how it solves the practical challenges of fine-grained authorization and policy management.
Does the platform let you separate access control functionality from proprietary operating environments?
As explained in this ITL Bulletin, while XACML authorization policy offers partial separation, it does not support data service-agnostic PEPs (Policy Enforcement Points).
This is very different from NGAC, which offers near-complete separation. With NGAC policy management, a deployment can include a standard PEP, with an API that is not operating environment-specific.
Which option offers greater operational efficiency?
XACML involves collecting attributes, matching conditions, computing rules, and resolving conflicts involving at least two data stores. It involves a complex process with multiple steps.
NGAC, in contrast, offers greater operational efficiency because it computes decisions differently: by applying a single combining algorithm over applicable policies that don’t conflict. With NGAC, computation of a decision is through an algorithm that is linear.
The information necessary in computing an access decision can reside in memory; the memory is initially loaded when the PDP is initialized, and is updated to reflect each administrative change.
How does each system handle attribute and policy management?
Simply put, XACML does not recognize administrative operations.
It manages policy content using a Policy Administration Point (PAP) and the interface differs from that used for accessing data resources. As a result, it only provides a partial solution for administration of some of its access policies.
In contrast, NGAC manages attributes and policies through a standard set of administrative operations, with the same enforcement interface and decision-making function as for accessing data resources – offering a full solution for administration of access policies.
What about DAC (Discretionary Access Control)?
With DAC, system users can choose to allow or disallow another user’s access to resources. NGAC has the capability to fully support DAC policies.
With XACML, it is theoretically possible to do this – but it’s complicated, requiring the creation and maintenance of metadata for each object or resource.
Is there sufficient support for administrative review?
Any fine-grained authorization policy requires the ability to review the capabilities of users and the access control entries of objects.
With NGAC, there is support both per-object and per-user reviews – of combined policies. This is significant because it differs from the support offered by RBAC and ACL mechanism, which can only handle one type of review efficiently.
XACML can also combine policies, but it doesn’t support either kind of review efficiently.
The Significance of Scalability
NIST’s recent publication, Linear Time Algorithms to Restrict Insider Access Using Multi-Policy Access Control Systems, highlights a key advantage of the NGAC approach: The system’s ability to tightly restrict access without losing the all-important capability of scalability.
With the ever-increasing risks of cyber terror, that’s a key piece. By enabling IT to keep up with an enterprise’s constant growth, NGAC provides the ability to secure an organization successfully – with maximum control of access, and efficient policy management.
Why NGAC’s Fine-Grained Authorization Policies are now essential
Fundamental changes to the concept of access control became necessary very quickly due to the development and widespread adoption of technologies such as IoT, BYOD, the Cloud and SaaS. It is obvious why.
While older approaches to access control were designed to meet the authorization needs of enterprises in which all users are managed centrally, today’s IT reality demands that companies deal with users whose identities they don’t manage – and secure digital assets in a constantly changing and distributed environment.
Renowned programmer Alan Perlis once said, “Simplicity does not precede complexity, but follows it.” Within the context of access control, his words ring true. As enterprises adopt new technologies and move more and more of their resources to the cloud – NGAC, designed for cloud-based, distributed deployment – streamlines access control and meets the security challenges of today’s perimeter-less network.