Risk-Adaptive Access Control (RAdAC) is an advanced access control model where access decisions depend on dynamic risk assessments. In this post, I’ll show how RAdAC can be used in the fight against Advanced Persistent Threats (APTs).

Before I make that point, let me start off with a simple illustration of RAdAC in action. Then I’ll show how to implement RAdAC using eXtensible Access Control Markup Language (XACML).

Risk-Adaptive Access Control Demo

I’ve built a simple demo around RAdAC, which Jeroen van Rotterdam showed at EMC World 2012. Here’s how it works.

In the default situation, the threat level is at green, and the user is able to see and edit a document:

However, when the threat level goes to yellow, the user is no longer able to edit the document:

Finally, when the threat level goes to red, the user can’t even see the document anymore:

Using XACML to Implement Risk-Adaptive Access Control

The demo may be simplistic, but it is a fully working system based on XACML. And, not unimportant from a software development perspective, it was very easy to build.

Remember the XACML architecture:

Given this architecture, all we need (from a technical perspective) to support RAdAC is a Policy Information Point (PIP) that looks up the dynamic risk attributes (environment oval in the above diagram). Once we have that, these attributes can be used in access control policies like any other attribute (subject-id, role, resource-id, action-id, etc, etc.)

In the demo, the threat level is set by clicking the traffic light. In the real world, a PIP would be connected to an Intrusion Detection System so that it can calculate the value of the threat level attribute.

The nice thing with an access control architecture based on XACML, is that no software needs to be updated to support RAdAC. All we need is to hook up the Policy Decision Point (PDP) to a PIP that calculates the threat level. You could go finer-grained as well, and split the one threat level attribute into several, if that’s what your access control policies require. How you write your policies has no impact on your applications, since the PDP and PIP can be re-used across all applications in your organization.

Risk-Adaptive Access Control and the Fight Against Advanced Persistent Threats

I think it won’t be long before we’ll start seeing implementations of RAdAC, since it can be a big help in the struggle against APTs.

With RAdAC, we make decisions up front about what to do in the event of an intrusion, and formalize those decisions in automated access control policies. Then when a security incident occurs, we can focus our energy on getting the intruder off the system instead of on protecting our information assets, since that will already have been taken care of.

What do you think? Is your organization interested in solutions like these in the fight against APTs? Please share your thoughts in the comments.