
INCITS 526-2016: Generic Operations And Data Structures

Next Generation Access Control (NGAC) system, ensuring the data security of occupants in a commercial building, that adheres to INCITS 526-2016 requirements.

Next Generation Access Control Functional Architecture (NGAC-FA) enables unfettered access for users to networks, competing service providers, and/or services of their choice. INCITS 526-2016: Information Technology – Next Generation Access Control – Generic Operations And Data Structures (NGAC-GOADS) defines the abstract data structures that govern the operation of the NGAC-FA.

What Is the Next Generation Access Control (NGAC)?

Fundamental changes to the concept of access control became necessary because of the widespread adoption of technologies such as the Internet of Things (IoT), bring your own device (BYOD), the Cloud, and software as a service (SaaS). The increasing complexity of managing access to sensitive data has both sparked an evolution of access control policy and led to the definition of Next Generation Access Control (NGAC): a system that offers fine-grained authorization policy creation and management within the complex ecosystem of the perimeter-less enterprise network.

What Is INCITS 526?

INCITS 526-2016 provides a detailed refinement of the definitions and concepts in the access control architecture and framework defined by the NGAC-FA standard. To provide a precise specification of the abstractions involved, the refinements are based on the mathematics of set theory and predicate calculus in consonance with the Z notation. By capturing the essential properties of NGAC mathematically, free from constraints on how these properties are achieved, NGAC-GOADS serves as a formal, conceptual model for the composition and working of NGAC.

Types of Access Control Models

With most organizations migrating to the cloud, access control is becoming increasingly complex with the need for both on-premise and cloud solutions. Different companies or software providers have devised countless ways to control user access to functions or resources, such as:

  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Next Generation Access Control Functional Architecture (NGAC-FA)

What Is the Access Control Process?

Each access control method is chosen based on the level of access each user needs, security requirements, infrastructure, etc. Whatever the type of access control model used, however, three basic elements can be abstracted: user, system/application, and policy. In other words, the access control process includes:

  • Identifying a person doing a specific job
  • Authenticating the person by looking at their identification
  • Granting a person only the key to the door or computer that they need access to and nothing more

Why Choose NGAC

A key advantage of NGAC is its flexibility, as it can be configured to allow or disallow access based not only on object attributes, but also on other conditions like time, location, phase of the moon, etc. It supports generalized mobility, which will allow consistent and ubiquitous provision of services to users.

NGAC can also evaluate and combine multiple policies in a single access decision while keeping its linear time complexity. In other words, NGAC offers great operational efficiency because it computes decisions by applying a single, linear combining algorithm over applicable policies that do not conflict.

Lastly, NGAC has the ability to set ephemeral policies consistently (i.e., to meet compliance requirements). For example, NGAC could grant a developer one-time access to resources during an outage, without leaving unnecessary permissions in place that could later lead to a security breach.
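
The two points above, combining several policies in one decision and granting access ephemerally, sketched as an added example (not text or code from INCITS 526-2016 or from this article). It assumes the commonly described NGAC graph model of assignments, associations and policy classes, which this article does not spell out; all node names are constructed.

```python
from collections import defaultdict

class PolicyGraph:
    """Simplified NGAC-style graph (assumed model, not the standard's Z specification)."""
    def __init__(self, policy_classes):
        self.parents = defaultdict(set)      # node -> nodes it is assigned to
        self.policy_classes = set(policy_classes)
        self.associations = set()            # (user_attr, frozenset(ops), object_attr)

    def assign(self, child, parent):
        self.parents[child].add(parent)

    def ancestors(self, node):
        """Every node reachable from `node` through assignments, itself included."""
        seen, stack = {node}, [node]
        while stack:
            for parent in self.parents[stack.pop()] - seen:
                seen.add(parent)
                stack.append(parent)
        return seen

    def associate(self, user_attr, ops, object_attr):
        assoc = (user_attr, frozenset(ops), object_attr)
        self.associations.add(assoc)
        return assoc                          # handle used to revoke the grant later

    def revoke(self, assoc):
        self.associations.discard(assoc)

    def decide(self, user, op, obj):
        """Grant only if EVERY policy class containing obj has a matching association."""
        u_anc, o_anc = self.ancestors(user), self.ancestors(obj)
        required = o_anc & self.policy_classes
        satisfied = set()
        for user_attr, ops, object_attr in self.associations:
            if user_attr in u_anc and op in ops and object_attr in o_anc:
                satisfied |= self.ancestors(object_attr) & self.policy_classes
        return bool(required) and required <= satisfied

def build_example():
    """Constructed data: a role policy and an environment policy over one database."""
    g = PolicyGraph({"RBAC", "Environment"})
    for child, parent in [("alice", "Developers"), ("alice", "OnCall"),
                          ("Developers", "RBAC"), ("OnCall", "Environment"),
                          ("prod-db", "Databases"), ("prod-db", "Production"),
                          ("Databases", "RBAC"), ("Production", "Environment")]:
        g.assign(child, parent)
    g.associate("Developers", {"read"}, "Databases")   # standing role-based grant
    return g
```

Adding `g.associate("OnCall", {"read"}, "Production")` during the outage makes `decide("alice", "read", "prod-db")` succeed under both policy classes, and calling `revoke` on the returned handle restores the denial with no leftover permission.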

INCITS 526-2016: Information Technology – Next Generation Access Control – Generic Operations And Data Structures (NGAC-GOADS) is available on the ANSI Webstore.
