Access Control Policy Enforcement for Zero-Trust-Networking

Title: Access Control Policy Enforcement for Zero-Trust-Networking
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Vanickis, R., Jacob, P., Dehghanzadeh, S., Lee, B.
Conference Name: 2018 29th Irish Signals and Systems Conference (ISSC)
Keywords: access control policy enforcement, access control process, authorisation, Authorization, computer network management, computer network security, computer networks, decision making, dynamicity, enterprise computing landscape, firewall, Firewalls (computing), fog/edge computing, generic firewall policy language, heterogeneous user contexts, Human Behavior, human factors, Industrial Internet, Internet of Things, micro-segment, Network topology, network zone, policy enforcement, policy enforcement framework, policy-based governance, Production, pubcrawl, resilience, Resiliency, rigorous access control, risk-based access control, risk-based access control decision making, Scalability, securing computer networks, Software, transaction-based interactions, Trust, virtualized infrastructures, zero trust, zero trust networking, zero-trust-networking, zone resources, ZTN networks

The evolution of the enterprise computing landscape towards emerging trends such as fog/edge computing and the Industrial Internet of Things (IIoT) is leading to a change of approach to securing computer networks to deal with challenges such as mobility, virtualized infrastructures, dynamic and heterogeneous user contexts and transaction-based interactions. The uncertainty introduced by such dynamicity introduces greater uncertainty into the access control process and motivates the need for risk-based access control decision making. Thus, the traditional perimeter-based security paradigm is increasingly being abandoned in favour of so-called "zero trust networking" (ZTN). In ZTN, networks are partitioned into zones with different levels of trust required to access the zone resources depending on the assets protected by the zone. All accesses to sensitive information are subject to rigorous access control based on user and device profile and context. In this paper we outline a policy enforcement framework to address many of the open challenges for risk-based access control for ZTN. We specify the design of required policy languages including a generic firewall policy language to express firewall rules. We design a mechanism to map these rules to specific firewall syntax and to install the rules on the firewall. We show the viability of our design with a small proof-of-concept.

Citation Key: vanickis_access_2018