XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0
Total Page:16
File Type:pdf, Size:1020Kb
1
2XACML Data Loss Prevention / Network 3Access Control (DLP/NAC) Profile 4Version 1.0
5Committee Specification Draft 01 / 6Public Review Draft 01
702 October 2014
8Specification URIs 9This version: 10 http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/csprd01/xacml-3.0-dlp-nac-v1.0- 11 csprd01.doc (Authoritative) 12 http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/csprd01/xacml-3.0-dlp-nac-v1.0- 13 csprd01.html 14 http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/csprd01/xacml-3.0-dlp-nac-v1.0- 15 csprd01.pdf 16Previous version: 17 N/A 18Latest version: 19 http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.doc 20 (Authoritative) 21 http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.html 22 http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.pdf 23Technical Committee: 24 OASIS eXtensible Access Control Markup Language (XACML) TC 25Chairs: 26 Bill Parducci ([email protected]), Individual 27 Hal Lockhart ([email protected]), Oracle 28Editors: 29 John Tolbert ([email protected]), Queralt, Inc. 30 Richard Hill ([email protected]), The Boeing Company 31 Crystal Hayes ([email protected]), The Boeing Company 32 David Brossard ([email protected]), Axiomatics AB 33 Hal Lockhart ([email protected]), Oracle 34 Steven Legg ([email protected]), ViewDS 35Related work: 36 This specification is related to:
1xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 2Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 1 of 48 37 eXtensible Access Control Markup Language (XACML) Version 3.0. Edited by Erik Rissanen. 38 22 January 2013. OASIS Standard. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core- 39 spec-os-en.html. 40Abstract: 41 This specification defines a profile for the use of XACML in expressing policies for data loss 42 prevention and network access control tools and technologies. It defines standard attribute 43 identifiers useful in such policies, and recommends attribute value ranges for certain attributes. It 44 also defines several new functions for comparing IP addresses and DNS names, not provided in 45 the XACML 3.0 core specification. 46Status: 47 This document was last revised or approved by the OASIS eXtensible Access Control Markup 48 Language (XACML) TC on the above date. The level of approval is also listed above. Check the 49 “Latest version” location noted above for possible later revisions of this document. Any other 50 numbered Versions and other technical work produced by the Technical Committee (TC) are 51 listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#technical. 52 TC members should send comments on this specification to the TC’s email list. Others should 53 send comments to the TC’s public comment list, after subscribing to it by following the 54 instructions at the “Send A Comment” button on the TC’s web page at https://www.oasis- 55 open.org/committees/xacml/. 56 For information on whether any patents have been disclosed that may be essential to 57 implementing this specification, and any offers of patent licensing terms, please refer to the 58 Intellectual Property Rights section of the Technical Committee web page (https://www.oasis- 59 open.org/committees/xacml/ipr.php). 60Citation format: 61 When referencing this specification the following citation format should be used: 62 [xacml-dlp-nac-v1.0] 63 XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0. Edited 64 by John Tolbert, Richard Hill, Crystal Hayes, David Brossard, Hal Lockhart, and Steven Legg. 02 65 October 2014. OASIS Committee Specification Draft 01 / Public Review Draft 01. 66 http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/csprd01/xacml-3.0-dlp-nac-v1.0- 67 csprd01.html. Latest version: http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0- 68 dlp-nac-v1.0.html. 69
3xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 4Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 2 of 48 70Notices
71Copyright © OASIS Open 2014. All Rights Reserved. 72All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual 73Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website. 74This document and translations of it may be copied and furnished to others, and derivative works that 75comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, 76and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice 77and this section are included on all such copies and derivative works. However, this document itself may 78not be modified in any way, including by removing the copyright notice or references to OASIS, except as 79needed for the purpose of developing any document or deliverable produced by an OASIS Technical 80Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must 81be followed) or as required to translate it into languages other than English. 82The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors 83or assigns. 84This document and the information contained herein is provided on an "AS IS" basis and OASIS 85DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY 86WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY 87OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A 88PARTICULAR PURPOSE. 89OASIS requests that any OASIS Party or any other party that believes it has patent claims that would 90necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, 91to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to 92such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that 93produced this specification. 94OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of 95any patent claims that would necessarily be infringed by implementations of this specification by a patent 96holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR 97Mode of the OASIS Technical Committee that produced this specification. OASIS may include such 98claims on its website, but disclaims any obligation to do so. 99OASIS takes no position regarding the validity or scope of any intellectual property or other rights that 100might be claimed to pertain to the implementation or use of the technology described in this document or 101the extent to which any license under such rights might or might not be available; neither does it represent 102that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to 103rights in any document or deliverable produced by an OASIS Technical Committee can be found on the 104OASIS website. Copies of claims of rights made available for publication and any assurances of licenses 105to be made available, or the result of an attempt made to obtain a general license or permission for the 106use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS 107Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any 108information or list of intellectual property rights will at any time be complete, or that any claims in such list 109are, in fact, Essential Claims. 110The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be 111used only to refer to the organization and its official outputs. OASIS welcomes reference to, and 112implementation and use of, specifications, while reserving the right to enforce its marks against 113misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark for above 114guidance. 115
5xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 6Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 3 of 48 116Table of Contents
1171 Introduction...... 6 118 1.1 Glossary...... 6 119 1.2 Terminology...... 7 120 1.3 Normative References...... 7 121 1.4 Non-Normative References...... 8 122 1.5 Scope...... 8 123 1.6 Use cases...... 8 124 1.6.1 Data Loss Prevention...... 8 125 1.6.2 Network Access Control...... 9 126 1.7 Disclaimer...... 9 1272 Profile...... 10 128 2.1 Network Datatypes...... 10 129 2.1.1 Portranges...... 10 130 2.1.2 IP Address Datatypes...... 10 131 2.1.3 IP Address Functions...... 11 132 2.1.4 DNS Name Datatypes...... 12 133 2.1.5 DNS Name Functions...... 12 134 2.2 Resource Attributes...... 13 135 2.2.1 Resource-id...... 13 136 2.2.2 Resource-location...... 13 137 2.3 Access Subject Attributes...... 14 138 2.3.1 Subject-ID...... 14 139 2.3.2 Subject-Security-Domain...... 14 140 2.3.3 Authentication-Time...... 14 141 2.3.4 Authentication-Method...... 14 142 2.3.5 Request-Time...... 14 143 2.3.6 IP Address...... 14 144 2.3.7 DNS Name...... 14 145 2.4 Recipient Subject Attributes...... 15 146 2.4.1 Subject-ID...... 15 147 2.4.2 Subject-Security-Domain...... 15 148 2.5 Requesting Machine Attributes...... 15 149 2.5.1 Subject-ID...... 15 150 2.6 Recipient Machine Attributes...... 15 151 2.6.1 Subject-ID...... 15 152 2.6.2 Removable-Media...... 16 153 2.7 Codebase Attributes...... 16 154 2.7.1 Authorized-Application...... 16 155 2.8 Action Attributes...... 16 156 2.8.1 Action-ID...... 16 157 2.8.2 Action-Protocol...... 16 158 2.8.3 Action-Method...... 17 159 2.9 Obligations...... 17
7xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 8Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 4 of 48 160 2.9.1 Encrypt...... 17 161 2.9.2 Log...... 18 162 2.9.3 Marking...... 18 1633 Identifiers...... 19 164 3.1 Profile Identifier...... 19 1654 Examples (non-normative)...... 20 166 4.1 DLP use cases...... 20 167 4.1.1 Prevent sensitive data from being read/modified by unauthorized users...... 20 168 4.1.2 Prevent sensitive data from being emailed to unauthorized users...... 22 169 4.1.3 Prevent sensitive data from being transferred via web-mail...... 25 170 4.1.4 Prevent sensitive data from being copied/printed from one computer to another...... 28 171 4.1.5 Prevent sensitive data from being transferred to removable media...... 31 172 4.1.6 Prevent sensitive data from being transferred to disallowed URLs...... 33 173 4.1.7 Prevent sensitive data from being copied from one resource to another...... 35 174 4.1.8 Prevent sensitive data from being read/modified by unauthorized applications...... 37 175 4.2 NAC use case examples...... 40 176 4.2.1 Prevent traffic flow between network resources, based on protocol...... 40 177 4.2.2 Restrict users to certain network resources, based on subject-id...... 41 1785 Conformance...... 43 179 5.1 IP Address and DNS Name Datatypes and Functions...... 43 180 5.2 Category Identifiers...... 43 181 5.3 Attribute Identifiers...... 44 182 5.4 Attribute Values...... 45 183Appendix A. Acknowledgments...... 46 184Appendix B. Revision History...... 47 185 186
9xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 10Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 5 of 48 1871 Introduction 188{Non-normative} 189This specification defines a profile for the use of the OASIS eXtensible Access Control Markup Language 190(XACML) [XACML3] to write and enforce policies to govern data loss prevention (DLP) tools and to 191provide access control for network resources. Use of this profile requires no changes or extensions to the 192[XACML3] standard. 193This specification begins with a non-normative discussion of the topics and terms of interest in this profile. 194The normative section of the specification describes the attributes defined by this profile and provides 195recommended usage patterns for attribute values. 196This specification assumes the reader is somewhat familiar with XACML. A brief overview sufficient to 197understand these examples is available in [XACMLIntro]. 198Enterprises have legal, regulatory, and business reasons to protect their information, as exemplified by, 199contracts, privacy, financial, and export regulations. Organizations interpret those legal agreements, 200regulations, and business rules to form security and information protection policies, expressed in natural 201languages. Business policies and regulations are then instantiated as machine-enforceable access 202control policies. Most organizations employ a variety of security software tools to enforce access control 203policies and monitor compliance. In many cases, each tool must be configured independently of the 204others, leading to duplicative efforts and increased risk of inconsistent implementations. 205XACML-conformant access control systems provide scalable and consistent access control policy 206management, enforcement, and compliance for web services, web applications, and data objects in a 207variety of repositories. The XACML policy format and reference architecture can be extended to promote 208policy consistency and efficient administration in the following areas. 209DLP tools monitor “data-in-use” at endpoints (e.g., desktops, laptops, and mobile devices), “data-in-motio 210n” on networks, and “data-at-rest” in storage systems. DLP tools enforce access control policies at these l 211ocations to prevent unauthorized access to and unintended disclosure of sensitive data. If DLP systems s 212tandardized on the XACML policy format, enterprise policy authorities could use the same language to def 213ine access control policies for endpoints, networks, servers, applications, web services, and file repositori 214es. The cost savings and improvements to security posture will be substantial. 215Network Access Control (NAC) technologies enforce access control policies to restrict and regulate 216network traffic between routers, switches, firewalls, Virtual Private Network (VPN) devices, servers, and 217endpoint devices. Resources are commonly identified by Media Access Control (MAC) addresses, 218Internet Protocol (IP) addresses, and Domain Name Service (DNS) names. Traffic flows between 219devices according to defined ports and protocols, which can be described, grouped, and used as 220attributes in access control policies. 221XACML policy format is suitable for and should be used to create, enforce, and exchange policies 222between different DLP and NAC systems. Subject information, including a rich set of metadata about 223subjects, will be expressed as subject attributes. Data objects and network resources will be expressed 224as resource attributes. Requests made by subjects and traffic operations will be expressed as action 225attributes. 226This profile serves as a framework of common data loss prevention and network resource attributes upon 227which access control policies can be written, and to promote federated authorization for access to data 228objects and network resources. This profile will also provide XACML software developers and access 229control policy authors guidance on supporting DLP and NAC use cases. 230
2311.1 Glossary 232Attribute Based Access Control (ABAC)
11xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 12Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 6 of 48 233 ABAC is an access control methodology wherein subjects are granted access to resources based 234 primarily upon attributes of the subjects, resources, actions, and environments identified in a 235 particular request context. Attributes are characteristics of the elements above, which may be 236 assigned by administrators and stored in Policy Information Points [XACML 3], or may be 237 ascertained by Policy Decision Points [XACML 3] at runtime. 238Data Loss Prevention (DLP) 239 DLP tools monitor “data-in-use” at endpoints (e.g., desktops, laptops, and mobile devices), “data- 240 in-motion” on networks, and “data-at-rest” in storage systems. DLP tools enforce access control 241 policies at these locations to prevent unauthorized access to and unintended disclosure of sensitive 242 data. 243Discretionary Access Control (DAC) 244 DAC is an access control methodology wherein subjects are granted access to resources based 245 primarily upon attributes of the subjects. Administrators can assign access permissions, 246 sometimes called entitlements, to groups, roles, and other attributes, which are then associated 247 with specific subjects. 248Mandatory Access Control (MAC) 249 MAC is an access control methodology wherein subjects obtain access to resources based on 250 the evaluation of subject, resource, action, and environment attributes. Access requests typically 251 include resource attributes such as visible labels and metadata tags, which convey information 252 about the sensitivity of the associated resource. 253Network Access Control (NAC) 254 NAC is an access control methodology wherein subjects obtain access to network-layer 255 resources (routers, switches, and endpoints) based on the evaluation of subject, resource, action, 256 and environment attributes. Subjects may include users and devices. Actions may include 257 commonly defined services and protocols as well as Transmission Control Protocol (TCP) and 258 User Datagram Protocol (UDP) ports.
2591.2 Terminology 260The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD 261NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described 262in [RFC2119].
2631.3 Normative References 264 [RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, 265 http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997. 266 [RFC 3986] T. Berners-Lee, Uniform Resource Identifier (URI): Generic Syntax, 267 http://www.rfc-editor.org/rfc/rfc3986.txt, IETF RFC 3986, January 2005 268 [XACML-IPC] OASIS Standard, eXtensible Access Control Markup Language 269 (XACML) Intellectual Property Controls (IPC) profile, Version 1.0, March 2013. 270 http://docs.oasis-open.org/xacml/3.0/ipc/v1.0/cs02/xacml-3.0-ipc-v1.0-cs02- 271 en.pdf 272 [XACML3] OASIS Standard, eXtensible Access Control Markup Language 273 (XACML) Version 3.0, April 2010. http://docs.oasis-open.org/xacml/3.0/xacml- 274 3.0-core-spec-en.doc 275 [XACML2] OASIS Standard, "eXtensible Access Control Markup Language (XACML) 276 Version 2.0", February 2005. http://docs.oasis- 277 open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf 278 [XACML1] OASIS Standard, "eXtensible Access Control Markup Language (XACML) 279 Version 1.0", February 2003. http://www.oasis- 280 open.org/committees/download.php/2406/oasis-xacml-1.0.pdf
13xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 14Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 7 of 48 281 [JSON] JSON Profile of XACML 3.0 Version 1.0. Edited by David Brossard. 15 May 282 2014. OASIS Committee Specification Draft 03 / Public Review Draft 03. 283 http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/csprd03/xacml-json-http- 284 v1.0-csprd03.html. Latest version: http://docs.oasis-open.org/xacml/xacml-json- 285 http/v1.0/xacml-json-http-v1.0.html. 286 287
2881.4 Non-Normative References 289 [XACMLIntro] OASIS XACML TC, A Brief Introduction to XACML, 14 March 2003, 290 http://www.oasis- 291 open.org/committees/download.php/2713/Brief_Introduction_to_XACML.html 292 [ISO3166] ISO 3166 Maintenance agency (ISO 3166/MA), 293 http://www.iso.org/iso/country_codes.htm 294 [DublinCore] Dublin Core Metadata Element Set, version 1.1. 295 http://dublincore.org/documents/dces/
2961.5 Scope 297DLP and NAC tools are policy-driven enforcement systems. This profile defines standard XACML 298attributes for these DLP and NAC use cases, and recommends the adoption of standardized attribute 299values.
3001.6 Use cases
3011.6.1 Data Loss Prevention
3021.6.1.1 Prevent sensitive data from being read/modified by unauthorized users 303This generic use case encompasses many permutations of these attributes. Consider the nearly 304ubiquitous case where an administrator needs to limit the actions of users to certain groups for each 305action type. For example, Group 1 should be able to create data objects in the target location; group 2 306should be able to edit data objects in the target location; groups 1, 2, and 3 should be able to read the 307contents without being able to edit them; and groups 1 and 4 should be able to delete the data objects. 308These policies must be enforceable on a plethora of computing and network devices with diverse 309operating systems.
3101.6.1.2 Prevent sensitive data from being emailed to unauthorized users 311Email systems are often the vector through which sensitive data escapes, both intentionally and 312unintentionally, without authorization. To prevent data loss, security administrators must be able to define 313and enforce policies that limit which subjects may email certain types of resources to specific recipient 314subjects. For example, a policy may prohibit sending proprietary information to recipients who are not 315licensed to have it [XACML-IPC]. These policies may be enforced on the email client and/or the email 316gateway servers.
3171.6.1.3 Prevent sensitive data from being transferred via web-mail 318Security administrators need to be able to prohibit subjects from transferring sensitive data resources via 319web-mail systems. These policies may be enforced on endpoint devices such as desktops, laptops, and 320mobile devices, and on web proxy computers and appliances.
15xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 16Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 8 of 48 3211.6.1.4 Prevent sensitive data from being copied/printed from one computer to 322 another 323Security administrators need to be able to ensure data containment, i.e., certain data objects must not be 324copied or transferred outside of special or high-security computing and network environments. These 325policies may be enforced on endpoint devices (such as desktops, laptops, and mobile devices), servers, 326printers, network devices, and firewalls.
3271.6.1.5 Prevent sensitive data from being transferred to removable media 328Removable media is another common vector for data loss. Security administrators must be able to 329enforce policies to prohibit subjects from transferring specific resources to removable media devices. 330These policies will be enforced on endpoint devices and servers.
3311.6.1.6 Prevent sensitive data from being transferred to disallowed URLs 332Data exfiltration may occur via standard web protocols such as HTTP and HTTPS. Security 333administrators need to be able to prohibit subjects from transferring specific resources via HTTP(S) 334outside the local domain or to certain disallowed URLs. These policies may be enforced at endpoint 335devices as well as firewalls, network devices, web proxies, and web portals.
3361.6.1.7 Prevent sensitive data from being copied from one resource to another 337Sensitive data may not be copied from a specific resource or location to another. This prevents malicious 338actors from copying data into new files or databases to evade security controls.
3391.6.1.8 Prevent sensitive data from being read/modified by unauthorized 340 applications 341Policies may stipulate which applications can read or modify resources to prevent insecure applications or 342malware-compromised applications from contaminating or exfiltrating sensitive data. This use case 343assumes that the Policy Decision Point (PDP) can call an external configuration management database to 344determine if the application is on the approved list.
3451.6.2 Network Access Control
3461.6.2.1 Prevent traffic flow between network resources, based on protocol 347Network devices that control the flow of network traffic (e.g. firewall) may need to restrict network traffic 348based on policy regarding the type of protocols allowed. For example, a policy may disallow transfer of 349resources using unsecured protocols such as ftp, but will allow the more secure SFTP protocol.
3501.6.2.2 Restrict users to certain network resources, based on subject attributes 351Network devices that control access to network resources (e.g. VPN) may restrict an authenticated user’s 352access to certain subnets, such as secure access zones or enclaves, based on policy regarding the type 353of subject attributes.
3541.7 Disclaimer
17xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 18Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 9 of 48 3552 Profile
3562.1 Network Datatypes 357This section defines several datatypes and functions related to determining network location using either 358IP Address or DNS name. Network locations are used as both Resource and Subject Attributes as 359described in the sections below.
3602.1.1 Portranges 361Both IP Address types and DNS Name types MAY include a port range list. An IP port is a 16 bit number 362expressed in decimal. Port 0 is not used. Thus valid values for a portnumber range from 1 to 65536. The 363syntax SHALL be: 364portrange = portnumber | "-"portnumber | portnumber"-"[portnumber] 365portrangelist = portrange [“,” portrange] 366where "portnumber" is a decimal port number. When two port numbers are given in a range, the first must 367be lower than the second. The port range includes the given ports. If the port range is of the form "-x", 368where "x" is a port number, then the range is all ports numbered "x" and below. If the port range is of the 369form "x-", then the range is all ports numbered "x" and above. 370Port range is the same as defined in A.2 of [XACML3]. Port range list allows multiple non contiguous 371ranges to be specified. The port ranges in a given port range list MAY appear in any order and MAY 372overlap. The port range list indicates all the ports in any of the ranges.
3732.1.2 IP Address Datatypes 374The “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value” primitive type represents an IPv4 or IPv6 375network address value, with optional port. The syntax SHALL be: 376ipAddress-value = ipAddress [ ":" port ] 377For an IPv4 address or IPv6 address, the address is formatted in accordance with the syntax for a "host" 378in [RFC 3986], section 3.2.2. (Note that an IPv6 address, in this syntax, is enclosed in literal "[" "]" 379brackets.) The subnet mask SHALL be omitted. 380The “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern” primitive type represents an IPv4 or IPv6 381network address pattern, with optional portrange list. 382The syntax SHALL be: 383ipAddressrange = ipAddress | "-" ipAddress | ipAddress "-"[ ipAddress ] 384ipAddressrangelist = ipAddressrange [“,”ipAddressrange ] 385ipAddress-pattern = ipAddressrangelist [ ":" portrangelist ] 386 387The subnet mask SHALL be omitted. When two IP addresses are given in a range, the first must be lower 388than the second. The IP address range includes the given IP addresses. If the IP address range is of the 389form "-x", where "x" is an IP address, then the range is all IP addresses numbered "x" and below. If the 390IP address range is of the form "x-", then the range is all IP addresses numbered "x" and above. IP 391address range list allows multiple non contiguous ranges to be specified. The IP address ranges in a 392given IP address range list MAY appear in any order and MAY overlap. The IP address range list 393indicates all the IP addresses in any of the ranges. 394 395Note that any string which is a valid IP Address value is by definition a valid IP Address pattern.
19xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 20Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 10 of 48 396 397Examples 398 Valid ipAddress-values 399 192.168.1.2 400 101.86.23.0:443 401 [602:ea8:85a3:8d3:223:8a2e:370:ff04] 402 [602:ea8:85a3::370:ff04] 403 [2001:db8:85a3:8d3:1319:8a2e:370:7348]:80 404 405 Invalid ipAddress-values 406 192.168.1.556 // value too large 407 101.12.2.1-101.12.2.127 // ip address range not allowed 408 192.168.54.3/16 // mask not allowed 409 101.86.23.0:443-1024 // port range not allowed 410 [602:ea8:85a3:8d3:223:8a2e:cex:ff04] // value not hexadecimal 411 [602:ea8::85a3::370:ff04] // multiple :: 412 [2001:db8:85a3:8d3:1319:8a2e:370:7348]:80-200 // port range not allowed 413 414 415 Valid ipAddress-patterns 416 192.168.1.2-192.168.1.125 417 101.86.23.0-101.86.100.255, 101.20.1.1-101.86.50.255:443 418 [602:ea8:85a3:8d3:223:8a2e:370:ff04]:1-1023 419 [602:ea8:85a3::370:1]-[602:ea8:85a3::370:ff04]:80 420 421 Invalid ipAddress-patterns 422 192.168.5.2-192.168.1.125 // range not low to high 423 [602:ea8:85a3:8d3:223:8a2e:370:ff04]:1-90000 // port out of range 424 425
4262.1.3 IP Address Functions 427The following functions are matching functions for the IP Address datatypes. 428 urn:oasis:names:tc:xacml:3.0:function:ipAddress-match 429 This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data- 430 type:ipAddress-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data- 431 type:ipAddress-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The 432 function SHALL return "True" if and only if the following conditions are met. 433 The first and second arguments SHALL both be of the same IP version (4 or 6). 434 The value of the second argument SHALL be identical to one of the values in the IP address 435 range list of the first argument. 436 Any port or port range values in either argument SHALL be ignored.
21xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 22Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 11 of 48 437 Otherwise, it SHALL return “False”. 438 439 urn:oasis:names:tc:xacml:3.0:function:ipAddress-endpoint-match 440 This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data- 441 type:ipAddress-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data- 442 type:ipAddress-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The 443 function SHALL return "True" if and only if the following conditions are met. 444 The first and second arguments SHALL both be of the same IP version (4 or 6). 445 The value of the second argument SHALL be identical to one of the values in the IP address 446 range list of the first argument. 447 The first argument SHALL contain a port range list and the second SHALL contain a port 448 value which is included in the port range list of the first. 449 Otherwise, it SHALL return “False”. 450 451 urn:oasis:names:tc:xacml:3.0:function:ipAddress-value-equal 452 This function SHALL take two arguments of data-type “urn:oasis:names:tc:xacml:3.0:data- 453 type:ipAddress-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The 454 function SHALL return "True" if and only if the following conditions are met. 455 The first and second arguments SHALL both be of the same IP version (4 or 6). 456 The value of the first argument SHALL have a value identical to the second argument. 457 Any port value in either argument SHALL be ignored. 458 Otherwise, it SHALL return “False”.
4592.1.4 DNS Name Datatypes 460The “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value” primitive type represents a Domain Name 461Service (DNS) host name, with optional port. The syntax SHALL be: 462dnsName-value = hostname [ ":" port ] 463The hostname is formatted in accordance with [RFC 3986], section 3.2.2. 464 465The “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern” primitive type represents a Domain Name 466Service (DNS) host name, with optional portrange list. The syntax SHALL be: 467dnsName-pattern = hostname [ ":" portrangelist ] 468The hostname is formatted in accordance with [RFC 3986], section 3.2.2, except that a wildcard "*" may 469be used in the left-most component of the hostname to indicate "any subdomain" under the domain 470specified to its right.
4712.1.5 DNS Name Functions 472The following functions are matching functions for the DNS Name datatypes. 473 urn:oasis:names:tc:xacml:3.0:function:dnsName-match 474 This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data- 475 type:dnsName-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data- 476 type:dnsName-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The 477 function SHALL return "True" if and only if the following conditions are met. 478 The number of name components in the second argument SHALL be the same as the 479 number in the first argument and each component in the second argument SHALL be 480 identical to the corresponding component in the first argument, except that if the leftmost 23xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 24Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 12 of 48 481 component in the first argument has the value “*” it SHALL be deemed to match any value in 482 the corresponding component of the second argument. (Any port or port range values in 483 either argument SHALL be ignored.) 484 Otherwise, it SHALL return “False”. 485 486 urn:oasis:names:tc:xacml:3.0:function:dnsName-endpoint-match 487 This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data- 488 type:dnsName-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data- 489 type:dnsName-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The 490 function SHALL return "True" if and only if the following conditions are met. 491 The number of name components in the second argument SHALL be the same as the 492 number in the first argument and each component in the second argument SHALL be 493 identical to the corresponding component in the first argument, except that if the leftmost 494 component in the first argument has the value “*” it SHALL be deemed to match any value in 495 the corresponding component of the second argument. 496 The first argument SHALL contain a port range list and the second SHALL contain a port 497 value which is included in the port range list of the first. 498 Otherwise, it SHALL return “False”. 499 500 urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal 501 This function SHALL take two arguments of data-type “urn:oasis:names:tc:xacml:3.0:data- 502 type:dnsName-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The 503 function SHALL return "True" if and only if the following conditions are met. 504 The number of name components in the second argument SHALL be the same as the 505 number in the first argument and each component in the second argument SHALL be 506 identical to the corresponding component in the first argument. (Any port values in either 507 argument SHALL be ignored.) 508 Otherwise, it SHALL return “False”. 509
5102.2 Resource Attributes 511The following Resource Attributes defined in section 10.2.6 of [XACML3] facilitate the description of DLP 512and NAC objects for the purpose of creating access control policies.
5132.2.1 Resource-id 514The Resource-id value shall be designated with the following attribute identifier: 515 urn:oasis:names:tc:xacml:1.0:resource:resource-id 516The DataType of this attribute is http://www.w3.org/2001/XMLSchema#anyURI. This attribute 517denotes the uniform resource identifier of the requested resource.
5182.2.2 Resource-location 519The Resource-location value shall be designated with the following attribute identifier: 520 urn:oasis:names:tc:xacml:1.0:resource:resource-location 521Allowable DataTypes for this attribute are: http://www.w3.org/2001/XMLSchema#anyURI, 522urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value, 523urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value, and 524urn:ogc:def:dataType:geoxacml:1.0:geometry. This attribute denotes the logical and/or 525physical location of the requested resource.
25xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 26Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 13 of 48 5262.3 Access Subject Attributes 527The attributes in this section appear in conjunction with the access subject category [XACML3]. 528 urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
5292.3.1 Subject-ID 530This is the identifier for the subject issuing the request, which may include user identifiers, machine 531identifiers, and/or application identifiers. 532Subject-ID classification values shall be designated with the following attribute identifier: 533 urn:oasis:names:tc:xacml:1.0:subject:subject-id 534The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
5352.3.2 Subject-Security-Domain 536This identifier indicates the security domain of the access subject. It identifies the administrator and 537policy that manages the name-space in which the subject id is administered. 538Subject-Security-Domain classification values shall be designated with the following attribute identifier: 539 urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain 540The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
5412.3.3 Authentication-Time 542This identifier indicates the time at which the subject was authenticated. Authentication-Time 543classification values shall be designated with the following attribute identifier. 544 urn:oasis:names:tc:xacml:1.0:subject:authentication-time 545The DataType of this attribute is http://www.w3.org/2001/XMLSchema#dateTime.
5462.3.4 Authentication-Method 547This identifier indicates the method used to authenticate the subject. Authentication-Method 548classification values shall be designated with the following attribute identifier: 549 urn:oasis:names:tc:xacml:1.0:subject:authentication-method 550The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
5512.3.5 Request-Time 552This identifier indicates the time at which the subject initiated the access request, according to the PEP. 553Request-Time classification values shall be designated with the following attribute identifier: 554 urn:oasis:names:tc:xacml:1.0:subject:request-time 555The DataType of this attribute is http://www.w3.org/2001/XMLSchema#dateTime.
5562.3.6 IP Address 557This identifier indicates the location where authentication credentials were activated, expressed as an IP 558Address: 559 urn:oasis:names:tc:xacml:3.0:subject:authn-locality:ip-address 560The DataType of this attribute is urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value.
5612.3.7 DNS Name 562This identifier indicates that the subject location is expressed as a DNS name.
27xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 28Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 14 of 48 563urn:oasis:names:tc:xacml:3.0:subject:authn-locality:dns-name 564The DataType of this attribute is urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value.
5652.4 Recipient Subject Attributes 566The attributes in this section appear in conjunction with the recipient subject category [XACML3]: 567 urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject
5682.4.1 Subject-ID 569This identifier indicates the entity that will receive the results of the request, which may include user 570identifiers, machine identifiers, and/or application identifiers. 571Subject-ID classification values shall be designated with the following attribute identifier: 572 urn:oasis:names:tc:xacml:1.0:subject:subject-id 573The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
5742.4.2 Subject-Security-Domain 575This identifier indicates the security domain of the recipient subject. It identifies the administrator and 576policy that manages the name-space in which the recipient-subject id is administered. 577Subject-Security-Domain classification values shall be designated with the following attribute identifier: 578 urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain 579The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
5802.5 Requesting Machine Attributes 581The attributes in this section appear in conjunction with the requesting machine category [XACML3]. 582 urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine
5832.5.1 Subject-ID 584This identifier indicates the address of the machine from which the access request originated. 585Requesting-machine classification values shall be designated with the following attribute identifier. 586 urn:oasis:names:tc:xacml:1.0:subject:subject-id 587The following DataTypes can be used with this attribute: urn:oasis:names:tc:xacml:3.0:data- 588type:ipAddress-value and urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value. For Media Access 589Control (MAC) addresses, use http://www.w3.org/2001/XMLSchema#string.
5902.6 Recipient Machine Attributes 591The following identifier is defined to indicate the machine to which access is intended to be granted. 592 urn:oasis:names:tc:xacml:3.0:subject-category:recipient-machine 593The shorthand notation for this category in the JSON representation [XACML3] is RecipientMachine.
5942.6.1 Subject-ID 595This identifier indicates the address of the machine(s) to which the access will be granted. Recipient 596machine classification values shall be designated with the following attribute identifier. 597 urn:oasis:names:tc:xacml:1.0:subject:subject-id 598The following DataTypes can be used with this attribute: urn:oasis:names:tc:xacml:3.0:data- 599type:ipAddress-value and urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value. The attribute value 600may include full paths including volume names, where applicable. For Media Access Control (MAC)
29xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 30Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 15 of 48 601addresses, use http://www.w3.org/2001/XMLSchema#string. The attribute may take multiple 602values.
6032.6.2 Removable-Media 604This identifier indicates whether or not the destination of the action is a removable media device. 605Removable media classification values shall be designated with the following attribute identifier. 606 urn:oasis:names:tc:xacml:3.0:subject:removable-media 607The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean.
6082.7 Codebase Attributes
6092.7.1 Authorized-Application 610This identifier indicates whether or not the requesting application is approved for the actions requested. 611 urn:oasis:names:tc:xacml:3.0:codebase:authorized-application 612The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean.
6132.8 Action Attributes 614In order to create fine-grained access control rules and policies, specific action attributes must be defined. 615Action attributes will be grouped according to type of action.
6162.8.1 Action-ID 617The following action attribute values correspond to the action-id identifier: 618 urn:oasis:names:tc:xacml:1.0:action:action-id 619The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean. 620The following action-id attributes are defined. 621 urn:oasis:names:tc:xacml:1.0:action:action-id:create 622 urn:oasis:names:tc:xacml:1.0:action:action-id:read 623 urn:oasis:names:tc:xacml:1.0:action:action-id:update 624 urn:oasis:names:tc:xacml:1.0:action:action-id:delete 625 urn:oasis:names:tc:xacml:1.0:action:action-id:copy 626 urn:oasis:names:tc:xacml:1.0:action:action-id:print 627 urn:oasis:names:tc:xacml:1.0:action:action-id:email-send 628Additional action-IDs can be defined as needed.
6292.8.2 Action-Protocol 630For both DLP and NAC purposes, standard protocols must be available for policy authors to use. 631The following action attribute values correspond to the action-protocol identifier: 632 urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol 633The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string. 634The list below contains a number of common protocols which can be used to construct DLP and NAC 635policies. The list is not comprehensive, and may be extended as need by implementers. SMTP FTP
31xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 32Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 16 of 48 SFTP IMAP POP RPC HTTP HTTPS LDAP TCP (ports can be specified as TCP:81, TCP:100- 120, etc.) UDP (ports can be specified as UDP:54, UDP:100- 120)
6362.8.3 Action-Method 637The following action attribute values correspond to the action-protocol identifier: 638 urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-method 639The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string. 640The list below contains a number of action-methods which can be used to construct DLP and NAC 641policies. The list is based on HTTP as an example, and is not comprehensive. Additional methods may 642be created as needed by implementers. GET PUT POST HEAD DELETE OPTIONS
643
6442.9 Obligations 645The
6522.9.1 Encrypt 653The Encrypt obligation shall be designated with the following identifier: 654 urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt
33xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 34Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 17 of 48 655The encrypt obligation can be used to command PEPs (Policy Enforcement Points) to encrypt the 656resource. This profile does not specify the type of encryption or other parameters to be used; rather, the 657details of implementation are left to the discretion of policy authors and software developers as to how to 658best meet their individual requirements. 659 660The following is an example of the Encrypt obligation: 661
6672.9.2 Log 668The Log obligation shall be designated with the following identifier: 669 urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log 670The log obligation can be used to command PEPs to make an electronic record of the access request and 671result. Examples of log types are syslog, application logs, operating system logs, etc. Policy authors can 672use this obligation to meet legal, contractual, or organizational policy requirements by forcing PEPs to 673record the request and response. Policy authors may find that logging both
6842.9.3 Marking 685Marking classification values shall be designated with the following identifier: 686 urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking 687The marking obligation can be used to command PEPs to embed visual marks, sometimes called 688watermarks, on data viewed both on-screen and in printed form. Policy authors may use this obligation to 689meet legal or contractual requirements by forcing PEPs to display text or graphics in accordance with 690
7093.1 Profile Identifier 710The following identifier SHALL be used as the identifier for this profile when an identifier in the form of a 711URI is required. 712 urn:oasis:names:tc:xacml:3.0:dlp-nac
37xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 38Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 19 of 48 7134 Examples (non-normative) 714This section contains examples of how the profile attributes can be used.
7154.1 DLP use cases
7164.1.1 Prevent sensitive data from being read/modified by unauthorized 717 users 718 This example illustrates the above use case with the following scenario: 719 Acme security policy restricts the ability to read and modify certain documents on a “need-to-know” 720 basis, according to the mandatory access control model. Subjects with appropriate attributes, 721 which may include roles, group memberships, etc., will succeed in accessing these documents, 722 while those without the requisite attribute values will fail. 723 Resource Attributes Values Resource-ID http://confidential.acme.com/eyes-only.xml Resource-location webserver1.acme.com 724 Access Subject Attributes Values Subject-ID Alice Subject-Security-Domain acme.com 725 Requesting Machine Attributes Values Subject-ID alice-laptop.acme.com 726 Action Attributes Values Action-ID Read, Update
7274.1.1.1 Description 728 This sample policy can be summarized as follows: 729 Target: This policy is only applicable to Resource-location = “webserver1.acme.com” 730 731 Rule: This rule is only applicable if Resource-ID contains “confidential.acme.com” 732 Then if 733 Access-Subject.Subject-Security-Domain = “acme.com” 734 Requesting-machine.Subject-ID matches “*.acme.com” AND 735 Action-ID = “Read” OR “Update” THEN 736 PERMIT 737 738 Obligation: 739 On PERMIT mark AND encrypt the resource 39xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 40Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 20 of 48 7404.1.1.2 Sample Implementation in XACML 3.0 741 41xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 42Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 21 of 48 811 MustBePresent="false"/> 812
8584.1.2 Prevent sensitive data from being emailed to unauthorized users 859 Acme security policy prohibits sending confidential information to users outside the acme.com 860 domain. Alice attempts to send a document to Bob at Wileycorp.com. The request fails. Sample 861 attributes and values are listed below. 862 Resource Attributes Values Resource-ID http://confidential.acme.com/eyes-only.xml Resource-location webserver1.acme.com 863 Access Subject Attributes Values Subject-ID Alice Subject-Security-Domain acme.com 864
43xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 44Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 22 of 48 Recipient Subject Attributes Values Subject-ID [email protected] Subject-Security-Domain Wileycorp.com 865 Requesting Machine Attributes Values Subject-ID alice-repository.acme.com 866 Action Attributes Values Action-ID Email-send
8674.1.2.1 Description 868 This sample policy can be summarized as follows: 869 870 Target: This policy is only applicable to Resource-location = “webserver1.acme.com” 871 AND Resource-ID contains “confidential.acme.com” 872 873 Rule: This rule is only applicable if Action-ID = “Email-send” 874 Then if 875 Access-Subject.Subject-Security-Domain = “acme.com” AND 876 Recipient-Subject.Subject-ID contains “@[Aa][Cc][Mm][Ee]\.[Cc][Oo][Mm]” AND 877 Recipient-Subject.Subject-Security-Domain = “acme.com” AND 878 Requesting-machine.Subject-ID matches “*.acme.com” THEN 879 PERMIT 880 881 Obligation: 882 On PERMIT mark AND encrypt the resource
8834.1.2.2 Sample Implementation in XACML 3.0 884
47xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 48Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 24 of 48 979 980 981 982
10154.1.3 Prevent sensitive data from being transferred via web-mail 1016 Acme security policy prohibits sending proprietary information to personal web-mail accounts. 1017 Alice attempts to send a document to her account at big-email-service.com so that she can work on 1018 it after-hours. The request fails. Sample attributes and values are listed below. 1019 Resource Attributes Values Resource-ID http://confidential.acme.com/eyes-only.xml Resource-location webserver1.acme.com 1020 Access Subject Attributes Values Subject-ID Alice Subject-Security-Domain acme.com 1021 Recipient Subject Attributes Values Subject-ID [email protected] Subject-Security-Domain big-email.service.com 1022 Requesting Machine Attributes Values Subject-ID alice-repository.acme.com 1023 49xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 50Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 25 of 48 Action Attributes Values Action-Protocol HTTP(S)
10244.1.3.1 Description 1025 This sample policy can be summarized as follows: 1026 1027 Target: This policy is only applicable to Resource-location = “webserver1.acme.com” 1028 AND Resource-ID contains “confidential.acme.com” 1029 1030 Rule: This rule is only applicable if Action-Protocol contains “HTTP” 1031 Then if 1032 Access-Subject.Subject-Security-Domain = “acme.com” AND 1033 Recipient-Subject.Subject-ID contains @[Aa][Cc][Mm][Ee]\.[Cc][Oo][Mm]” AND 1034 Recipient-Subject.Subject-Security-Domain = “acme.com” AND 1035 Requesting-Machine.Subject-ID matches “*.acme.com” THEN 1036 PERMIT 1037 1038 Obligation: 1039 On PERMIT mark AND encrypt the resource.
10404.1.3.2 Sample Implementation in XACML 3.0 1041
51xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 52Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 26 of 48 1076
11684.1.4 Prevent sensitive data from being copied/printed from one computer 1169 to another 1170 Acme security policy disallows copying highly sensitive data from a hardened computer to other 1171 computers. Any attempt to copy must fail. Sample attributes and values are listed below. 1172 Resource Attributes Values Resource-ID http://confidential.acme.com/eyes-only.xml Resource-location fortress.acme.com 1173 Access Subject Attributes Values Subject-ID Alice Subject-Security-Domain acme.com 1174 Requesting Machine Attributes Values Subject-ID alice-desktop.acme.com 1175 Recipient Machine Attributes Values Subject-ID public-facing.acme.com 1176 Action Attributes Values Action-ID Copy or Print
11774.1.4.1 Description 1178 This sample policy can be summarized as follows: 1179 1180 Target: This policy is only applicable to Resource-location = “fortress.acme.com” 1181 AND Resource-ID contains “confidential.acme.com” 1182 1183 Rule: This rule is only applicable if Action-ID = “Copy” or “Print”
55xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 56Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 28 of 48 1184 Then if 1185 Requesting-Machine.Subject-ID = Recipient-Machine.Subject-ID 1186 PERMIT 1187 1188 Obligation: 1189 On PERMIT mark AND encrypt the resource.
11904.1.4.2 Sample Implementation in XACML 3.0 1191 57xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 58Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 29 of 48 1250 MustBePresent="false" 1251 /> 1252
13094.1.5 Prevent sensitive data from being transferred to removable media 1310 Acme security policy prohibits the transfer of sensitive data to removable media, such as CDs, 1311 DVDs, and USB drives. Any attempt to copy data to removable media must fail. Sample attributes 1312 and values are provided below: 1313 Resource Attributes Values Resource-ID http://confidential.acme.com/eyes-only.xml
59xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 60Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 30 of 48 Resource-location webserver1.acme.com 1314 Access Subject Attributes Values Subject-ID Alice Subject-Security-Domain acme.com 1315 Requesting Machine Attributes Values Subject-ID alice-laptop.acme.com 1316 Recipient Machine Attributes Values Removable-media true 1317 Action Attributes Values Action-ID Copy or Print
13184.1.5.1 Description 1319 This sample policy can be summarized as follows: 1320 1321 Target: This policy is only applicable to Resource-location = “webserver1.acme.com” 1322 AND Resource-ID contains “confidential.acme.com” 1323 1324 Rule: This rule is only applicable if Action-ID = “Copy” 1325 Then if 1326 Access-Subject.Subject-Security-Domain = “acme.com” AND 1327 Requesting-Machine.Subject-ID matches “*.acme.com” AND 1328 Recipient-Machine.Removable-Media = “TRUE” THEN 1329 DENY
13304.1.5.2 Sample Implementation in XACML 3.0 1331
61xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 62Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 31 of 48 1351
63xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 64Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 32 of 48 14174.1.6 Prevent sensitive data from being transferred to disallowed URLs 1418 Acme security policy prohibits sensitive data from being transferred outside the organization to 1419 specific sites. Alice attempts to upload a sensitive document, but the attempt fails. Sample 1420 attributes and values follow: 1421 Resource Attributes Values Resource-ID http://confidential.acme.com/eyes-only.xml Resource-location webserver1.acme.com 1422 Access Subject Attributes Values Subject-ID Alice Subject-Security-Domain acme.com 1423 Requesting Machine Attributes Values Subject-ID alice-laptop.acme.com 1424 Recipient Machine Attributes Values Subject-ID cloudstoragesite.com 1425 Action Attributes Values Action-Protocol HTTP
14264.1.6.1 Description 1427 This sample policy can be summarized as follows: 1428 1429 Target: This policy is only applicable to Resource-location = “webserver1.acme.com” 1430 1431 Rule: This rule is only applicable if Resource-ID contains “confidential.acme.com” 1432 Then if 1433 Action-Protocol contains “HTTP” OR 1434 Action-Protocol contains “FTP” THEN 1435 DENY 1436 1437 Obligation: 1438 On DENY log transfer attempt.
14394.1.6.2 Sample Implementation in XACML 3.0 1440
65xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 66Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 33 of 48 1447
15354.1.7 Prevent sensitive data from being copied from one resource to 1536 another 1537 Acme security policy prohibits copying proprietary information from one resource to another. Alice 1538 attempts to copy sensitive data from one resource to a new one she just created. The request 1539 fails. Sample attributes and values are listed below. 1540 Resource Attributes Values Resource-ID http://confidential.acme.com/eyes-only.xml Resource-location webserver1.acme.com 1541 Access Subject Attributes Values Subject-ID Alice Subject-Security-Domain acme.com 1542 Action Attributes Values Action-ID Copy
15434.1.7.1 Description 1544 This sample policy can be summarized as follows: 1545 1546 Target: This policy is only applicable if Resource-location = “webserver1.acme.com” 1547 AND Resource-ID contains “confidential.acme.com” 1548 1549 Rule: This rule is only applicable if Action-ID = “Copy” 1550 Then if 1551 Access-Subject.Subject-Security-Domain = “acme.com” 1552 DENY 1553 1554 Obligation: 1555 On DENY log copy attempt. 1556
69xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 70Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 35 of 48 15574.1.7.2 Sample Implementation in XACML 3.0 1558 71xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 72Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 36 of 48 1628 FulfillOn="Deny"> 1629
16544.1.8 Prevent sensitive data from being read/modified by unauthorized 1655 applications 1656 Acme security policy prohibits unapproved applications from reading and modifying sensitive data. 1657 Alice attempts to open a sensitive document with an unauthorized application. The request fails. 1658 Sample attributes and values are listed below. 1659 Resource Attributes Values Resource-ID http://confidential.acme.com/eyes-only.xml Resource-location webserver1.acme.com 1660 Access Subject Attributes Values Subject-ID Alice Subject-Security-Domain acme.com 1661 Codebase Attribute Values Authorized-application false 1662 Action Attributes Values Action-Protocol HTTP
16634.1.8.1 Description 1664 This sample policy can be summarized as follows: 1665 1666 Target: This policy is only applicable to Resource-location = “webserver1.acme.com” 1667 AND Resource-ID contains “confidential.acme.com”
73xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 74Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 37 of 48 1668 1669 Rule: This rule is only applicable if Action-Protocol contains “HTTP” 1670 Then if 1671 Access-Subject.Subject-Security-Domain = “acme.com” AND Authorized-application = false 1672 DENY 1673 1674 Obligation: 1675 On DENY log attempt to use an authorized application
16764.1.8.2 Sample Implementation in XACML 3.0 1677 75xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 76Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 38 of 48 1732 DataType="http://www.w3.org/2001/XMLSchema#string" 1733 Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 1734 MustBePresent="false" 1735 /> 1736
17754.2 NAC use case examples
17764.2.1 Prevent traffic flow between network resources, based on protocol 1777 Acme security policy prohibits sensitive data from being transferred using unsecure protocols. 1778 Alice attempts to retrieve a document resource on a server using the ftp protocol, in which case 1779 the attempt fails. 1780 Resource Attributes Values Resource-location 192.168.0.1 1781 Access Subject Attributes Values Subject-ID CN=Alice, OU=Contractor, O=Acme, C=US 1782 Action Attributes Values Action-Protocol FTP
77xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 78Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 39 of 48 17834.2.1.1 Description 1784 This sample policy can be summarized as follows: 1785 1786 Target: This policy is only applicable if Subject-ID ends with “O=Acme,C=US” 1787 1788 Rule: 1789 If Action-Protocol = “FTP” 1790 DENY
17914.2.1.2 Sample Implementation in XACML 3.0 1792
18374.2.2 Restrict users to certain network resources, based on subject-id 1838 Acme security policy restricts access to certain secure access zones based on an authenticated 1839 subject DN of a user when using certificate-based authentication and the destination IP address. 1840 Alice, a contractor at Acme, attempts access a server containing sensitive data within a secure 1841 access zone, but is denied based on her subject-id OU value.
79xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 80Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 40 of 48 1842 Resource Attributes Values Resource-location 10.0.0.1 1843 Access Subject Attributes Values Subject-ID CN=Alice, OU=Contractor, O=Acme, C=US 1844 Action Attributes Values Action-Protocol HTTP Action-Method GET
18454.2.2.1 Description 1846 This sample policy can be summarized as follows: 1847 1848 Target: This policy is only applicable to resource type Resource-location = 10\.\d*\.\d*\.\d* 1849 1850 Rule: This rule is only applicable if Subject-ID ends with “O=Employee,O=Acme,C=US” 1851 Then if 1852 Action-Protocol = “HTTP” AND 1853 Action-Method = “GET” 1854 THEN 1855 PERMIT
18564.2.2.2 Sample Implementation in XACML 3.0 1857
81xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 82Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 41 of 48 1888
83xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 84Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 42 of 48 19195 Conformance 1920Conformance to this profile is defined for policies and requests generated and transmitted within and 1921between XACML systems.
19225.1 IP Address and DNS Name Datatypes and Functions 1923Conformant XACML policies and requests SHALL use the IP Address and DNS Name datatypes and 1924functions defined in Section 2 for their specified purpose and SHALL NOT use any other identifiers for the 1925purposes defined by attributes in this profile. Conformant XACML PDPs SHALL implement these 1926datatypes and functions. The following table lists the datatypes and functions that must be supported. 1927Note: “M” is mandatory “O” is optional. 1928 Identifiers
urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value M
urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern M
urn:oasis:names:tc:xacml:3.0:function:ipAddress-match M
urn:oasis:names:tc:xacml:3.0:function:ipAddress-endpoint-match M
urn:oasis:names:tc:xacml:3.0:function:ipAddress-value-equal M
urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value M
urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern M
urn:oasis:names:tc:xacml:3.0:function:dnsName-match M
urn:oasis:names:tc:xacml:3.0:function:dnsName-endpoint-match M
urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal M
1929
19305.2 Category Identifiers 1931Conformant XACML policies and requests SHALL use the category identifiers defined in Section 2 for 1932their specified purpose and SHALL NOT use any other identifiers for the purposes defined by categories 1933in this profile. The following table lists the categories that must be supported. 1934Note: “M” is mandatory “O” is optional. 1935 Identifiers
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject M
85xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 86Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 43 of 48 urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject M
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine M
urn:oasis:names:tc:xacml:3.0:subject-category:recipient-machine M
urn:oasis:names:tc:xacml:1.0:subject-category:codebase M
urn:oasis:names:tc:xacml:3.0:attribute-category:action M
1936
19375.3 Attribute Identifiers 1938Conformant XACML policies and requests SHALL use the attribute identifiers defined in Section 2 for 1939their specified purpose and SHALL NOT use any other identifiers for the purposes defined by attributes in 1940this profile. The following table lists the attributes that must be supported. 1941Note: “M” is mandatory “O” is optional. 1942 Identifiers
urn:oasis:names:tc:xacml:1.0:resource:resource-id M
urn:oasis:names:tc:xacml:1.0:resource:resource-location M
urn:oasis:names:tc:xacml:1.0:subject:subject-id M
urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain M
urn:oasis:names:tc:xacml:3.0:subject:removable-media M
urn:oasis:names:tc:xacml:1.0:subject:authentication-time M
urn:oasis:names:tc:xacml:1.0:subject:authentication-method M
urn:oasis:names:tc:xacml:1.0:subject:request-time M
urn:oasis:names:tc:xacml:3.0:subject:authn-locality:ip-address M
urn:oasis:names:tc:xacml:3.0:subject:authn-locality:dns-name M
urn:oasis:names:tc:xacml:3.0:codebase:authorized-application M
urn:oasis:names:tc:xacml:1.0:action:action-id M
urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol M
urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-method M
87xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 88Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 44 of 48 urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt M
urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking M
19435.4 Attribute Values 1944Conformant XACML policies and requests SHALL use attribute values in the specified range or patterns 1945as defined for each attribute in Section 2 (when a range or pattern is specified). 1946 NOTE: In order to process conformant XACML policies and requests correctly, PIP and 1947 PEP modules may have to translate native data values into the datatypes and formats 1948 specified in this profile.
89xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 90Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 45 of 48 1949Appendix A. Acknowledgments
1950The following individuals have participated in the creation of this specification and are gratefully 1951acknowledged: 1952Participants: 1953 John Tolbert, The Boeing Company 1954 Richard Hill, The Boeing Company 1955 Crystal Hayes, The Boeing Company 1956 David Brossard, Axiomatics AB 1957 Hal Lockhart, Oracle 1958 Steven Legg, ViewDS 1959Committee members during profile development:
Person Organization Role
1960
91xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 92Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 46 of 48 1961Appendix B. Revision History
1962 Revision Date Editor Changes Made WD 1 8/21/2013 John Tolbert Initial committee draft. WD 2 9/6/2013 John Tolbert, Richard Added glossary terms, text for use cases and Hill, Crystal Hayes examples, attributes for recipient machine and recipient-removable-media, and data-types for macAddress. WD 3 10/18/2013 John Tolbert, David Added glossary terms, edited text, added Brossard sample policy for use case example 1. WD 4 11/18/2013 Hal Lockhart Added IP Address and DNS Name datatypes and functions. Adjusted attribute definitions and example to use new datatypes. Added them to conformance section. WD 5 3/18/2014 John Tolbert Separated action-id, action-protocol, and action-method. Moved authorized-application from subject to codebase category. WD 6 6/10/2014 John Tolbert, Richard Added Log obligation, inserted policy Hill, Hal Lockhart examples, fixed typos and some word changes. Removed Mask from IP address datatypes. Removed network match function. Replaced IP address wildcards with IP address range list. WD 7 6/26/2014 Hal Lockhart Fixed typo in ipAddress-pattern definition. Corrected typos, conformance to profile and datatype mismatches in examples WD 8 7/30/2014 Steven Legg Defined a recipient-machine subject category to hold attributes of the machine to which access is intended to be granted. Defined a JSON short name for recipient- machine and added a reference to the JSON Profile. Replaced recipient-subject-id, requesting- machine and recipient-machine attributes with the subject-id attribute in the recipient-subject, requesting-machine and recipient-machine subject categories respectively. Replaced subject-id-qualifier attribute with a new subject-security-domain attribute that is a better fit for the purpose. Moved and renamed recipient-subject-id- qualifier to subject-security-domain in the recipient-subject category. Replaced the recipient-removable-media attribute with the removable-media attribute in
93xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 94Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 47 of 48 the recipient-machine category. Updated the examples in section 4 to reflect the preceding changes. Rewrote the XACML policy in example 4.1.2.2 to be consistent with its high level description. Added a missing term for (Action-ID = “Copy”) into the XACML policy in section 4.1.5.2. Tweaked the matching of DNs in the examples in section 4.2 and added sample XACML policies. Added category identifiers to the Conformance section and revised the attribute identifiers. WD09 7/30/2014 Steven Legg Accepted the changes to WD08.
1963
95xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 96Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 48 of 48