Secure Collaboration - Collaboration Architecture

Transform your current collaboration architecture to utilize Attribute Based Access Control (ABAC) for flexible, productive and secure interchange.

Today, in most products, many of the constituent components are outsourced beyond the boundaries of the product builder. An area of increased importance over the past decade relates to offloading the design and manufacture of parts to partners and key vendors in the supply chain who have a core competency in the nature of the part. Although this approach frees critical resources to address your own core competency, it also places dependencies on clarity of design intent and collaboration formats, intellectual property protection, regulatory compliance especially ITAR & EAR, and schedule. TransR understands the problems and more importantly how to lead your team to the correct solution.

Security requirements present themselves at many levels. Although it is true that technology safeguards are an ever evolving consideration, the human aspect of security cannot be overlooked. In fact, security technologists often state that the weakest link in a security scheme are the people--some oblivious, others nefarious. It is common to find passwords on notes stuck to terminals in plain sight, and we’ve all heard of damage done by disgruntled employees.

Single sign-on, automated sign-off with inactivity and authentication are the first level of security assurance, and the basic level to enforce protection of your environment. This is an important area for personnel training. For e-signature, double authentication, a second log-in at the time of approvals, is mandatory. Establishment of these basics is considered a given for the remainder of the discussion below.

Enterprise solutions induce change at all levels of the organization. In its most robust manifestation, it can involve a company’s entire supply chain. Firewall and virus protection service providers are common place and certainly fulfill a basic security need. However, enterprise level secure collaboration requires a holistic approach.

There is virtually no enterprise wide scenario where just authentication is enough to support a company's information control. In other words, a simple binary decision to provide access to the system based on authentication is not granular enough.

Two key more sophisticated approaches exist: Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC). In the RBAC approach, a role like Designer is assigned privileges with respect to types of information or objects like parts and documents. An individual user is then assigned one or more roles to define their privileges. This approach is very common in current enterprise solutions, inherently intuitive, but begins to degrade as the need to differentiate access increases as is the case for ITAR, EAR or HIPPA compliance. A common consequence is role proliferation and an increase in administrative burden. In the ABAC approach, attributes provide the differentiation. Roles and groups are simply additional attributes and so too are characteristics like country of origin, specific document type, product line, or a given patient. Rules/policies provide privileges, permissions, authorizations, entitlements and rights. TransR is an advocate of ABAC due to the ability to provide the highest degree of granular control without a dramatic increase in administration.

The international standard OASIS eXtensible Access Control Markup Language (XACML) is a standard dedicated to formalizing the approach to ABAC. TransR resources are familiar with the XACML standard and have implemented it successfully in scenarios related to ITAR, EAR and IP protection.

From a simplified view, there are 4 key architectural components:

TransR XACML Arch
  • PDP - Policy Decision Point
  • PAP - Policy Administration Point
  • PIP - Policy Decision Point
  • PEP - Policy Enforcement Point

The PDP is the singular component where access is granted or denied to the requesting subject whose request is initiated from an application or interface via the PEP. A PEP architectural component is embedded logic in a given application that consults with the PDP at an access control event. The decision of the PDP is supported by information about the resources in question via the PIP. The actual rules/polices are administered via the PAP. This robust architecture allows for a logically centralized PDP, PAP, and PIP while only requiring the creation of a PEP for a newly added application in the enterprise environment.

Undoubtedly, RBAC solutions, messy and cumbersome as they are when applied to a large enterprise that collaborates beyond its borders, will still be in the security landscape for a long time to come. Those who adopt an ABAC solution, ideally adherent to the XACML standard, will emerge as an enterprise with the most flexible, extensible, granular, consistent and administratively simple solution.

Secure Collaboration - Collaboration Process Framework

Transform your current collaboration strategy to maximize secure, productive interchange while ensuring compliance and protecting intellectual property.

read more