1、BS ISO/IEC 29146:2016 Information technology Security techniques A framework for access management BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 29146:2016 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 2914
2、6:2016. The UK participation in its preparation was entrusted to Technical Committee IST/33/5, Identity Management and Privacy Technologies. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessa
3、ry provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 65108 3 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard wa
4、s published under the authority of the Standards Policy and Strategy Committee on 30 June 2016. Amendments/corrigenda issued since publication Date T e x t a f f e c t e dBS ISO/IEC 29146:2016 Information technology Security techniques A framework for access management Technologies de linformation T
5、echniques de scurit Cadre pour gestion daccs INTERNATIONAL STANDARD ISO/IEC 29146 Reference number ISO/IEC 29146:2016(E) First edition 2016-06-01 ISO/IEC 2016 BS ISO/IEC 29146:2016ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in Switzerland All rights reser
6、ved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO
7、 at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 29146:2016(E)BS ISO/IEC 29146:2016ISO/IEC 29146:2016(E)Forew
8、ord v Introduction vi 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Abbreviated terms 4 5 Concepts 5 5.1 A model for controlling access to resources 5 5.1.1 Overview . 5 5.1.2 Relationship between identity management system and access management system . 6 5.1.3 Security charac
9、teristics of the access method 7 5.2 Relationships between logical and physical access control . 8 5.3 Access management system functions and processes 8 5.3.1 Overview . 8 5.3.2 Access control policy 9 5.3.3 Privilege management .10 5.3.4 Policy-related attribute information management .11 5.3.5 Au
10、thorization .12 5.3.6 Monitoring management .12 5.3.7 Alarm management 13 5.3.8 Federated access control13 6 Reference architecture 14 6.1 Overview .14 6.2 Basic components of an access management system .15 6.2.1 Authentication endpoint 15 6.2.2 Policy decision point (PDP) .15 6.2.3 Policy informat
11、ion point (PIP) 15 6.2.4 Policy administration point (PAP) .15 6.2.5 Policy enforcement point (PEP) 16 6.3 Additional service components .16 6.3.1 General.16 6.3.2 Subject centric implementation .16 6.3.3 Enterprise centric implementation 18 7 Additional requirements and concerns .19 7.1 Access to a
12、dministrative information 19 7.2 AMS models and policy issues 19 7.2.1 Access control models 19 7.2.2 Policies in access management 20 7.3 Legal and regulatory requirements .20 8 Practice 20 8.1 Processes .20 8.1.1 Authorization process 20 8.1.2 Privilege management process 21 8.2 Threats 21 8.3 Con
13、trol objectives 22 8.3.1 General.22 8.3.2 Validating the access management framework 22 8.3.3 Validating the access management system 25 8.3.4 Validating the maintenance of an implemented AMS .29 Annex A (informative) Current access models 31 ISO/IEC 2016 All rights reserved iii Contents PageBS ISO/
14、IEC 29146:2016ISO/IEC 29146:2016(E)Bibliography .35 iv ISO/IEC 2016 All rights reservedBS ISO/IEC 29146:2016ISO/IEC 29146:2016(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standa
15、rdization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of
16、mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this documen
17、t and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part
18、 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the developme
19、nt of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO spe
20、cific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information The committee responsible for this document is ISO/IEC JTC 1, Informati
21、on technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 2016 All rights reserved vBS ISO/IEC 29146:2016ISO/IEC 29146:2016(E) Introduction Management of information security is a complex task that is based primarily on risk-based approach and that is supported by several security technique
22、s. The complexity is handled by several supporting systems that can automatically apply a set of rules or policies consistently. Within the management of information security, access management plays a key role in the administration of the relationships between the accessing party (subjects that can
23、 be human or non- human entities) and the information technology resources. With the development of the Internet, information technology resources can be located over distributed networks and the access to them needs to be managed in conformity under a policy and is expected to have common terms and
24、 models as a framework on access management. Identity management is also an important part of access management. Access management is mediated through the identification and authentication of subjects that seek to access information technology resources. This International Standard depends on the ex
25、istence of an underlying identity management system or an identity management infrastructure (see references in Clause 2). The framework for access management is one part of an overall identity and access management framework. The other part is the framework for identity management, which is defined
26、 in ISO/IEC 24760. This International Standard describes the concepts, actors, components, reference architecture, functional requirements and practices for access control. Example access control models are included. It focuses mainly on access control for a single organization, but adds other consi
27、derations for access control in collaborative arrangements across multiple organizations.vi ISO/IEC 2016 All rights reservedBS ISO/IEC 29146:2016Information technology Security techniques A framework for access management 1 Scope This International Standard defines and establishes a framework for ac
28、cess management (AM) and the secure management of the process to access information and Information and Communications Technologies (ICT) resources, associated with the accountability of a subject within some context. This International Standard provides concepts, terms and definitions applicable to
29、 distributed access management techniques in network environments. This International Standard also provides explanations about related architecture, components and management functions. The subjects involved in access management might be uniquely recognized to access information systems, as defined
30、 in ISO/IEC 24760. The nature and qualities of physical access control involved in access management systems are outside the scope of this International Standard. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable fo
31、r its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 24760-1:2011, Information technology Security techniques A framework for identity management Part 1: Terminology
32、and concepts ISO/IEC 24760-2:2015, Information technology Security techniques A framework for identity management Part 2: Reference architecture and requirements ISO/IEC 29115:2013, Information technology Security techniques Entity authentication assurance framework ISO/IEC 27002:2013, Information t
33、echnology Security techniques Code of practice for information security controls 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 24760-1, ISO/IEC 29115, and the following apply. 3.1 access control granting or denying an operation to be perform
34、ed on a resource (3.14) Note 1 to entry: A primary purpose of access control is to prevent unauthorized access to information or use of ICT resources based on the business and security requirements; that is, the application of authorization policies to particular access requests. Note 2 to entry: Wh
35、en an authenticated subject (3.15) makes a request, the resource owner will authorize (or not) access in accordance with access policy and subject privileges. INTERNATIONAL ST ANDARD ISO/IEC 29146:2016(E) ISO/IEC 2016 All rights reserved 1BS ISO/IEC 29146:2016ISO/IEC 29146:2016(E) 3.2 access managem
36、ent set of processes to manage access control (3.1) for a set of resources (3.14) 3.3 access token trusted object encapsulating the authority for a subject (3.15) to access a resource (3.14) Note 1 to entry: An access token is issued by the policy decision point (PDP) and consumed by the policy enfo
37、rcement point (PEP) for the resource. Note 2 to entry: An access token may contain access permission information for a subject to access the resource and identifying information for the authority of the authorization decision. Note 3 to entry: An access token may contain information that enables its
38、 integrity to be validated. Note 4 to entry: An access token may take a physical or a virtual form. 3.4 attribute characteristic or property used to describe and to control access to a resource (3.14) Note 1 to entry: The rules for accessing a resource are defined in an access control (3.1) policy w
39、hich specifies the attributes required for the granting of access by a subject (3.15) to a resource for a specific operation. Note 2 to entry: Attributes can include subject attributes, resource attributes, environmental attributes and other attributes used to control access as specified in the acce
40、ss control policy. 3.5 endpoint location in an access management (3.2) system where an access control (3.1) function is performed Note 1 to entry: There can be the following different types of endpoints: authentication endpoint, where subject (3.15) authentication is performed; authorization endpoin
41、t, where subject authorization is performed; endpoint discovery service, that searches for and locates endpoints; initial endpoint discovery service, used at the start of subject interactions with an access management system. Note 2 to entry: Endpoint discovery services are commonly used in distribu
42、ted and networked systems. 3.6 enterprise centric implementation access management (3.2) conducted under the control of a policy decision point 3.7 need-to-know security objective of keeping the subjects (3.15) access to data resources (3.14) to the minimum necessary for a requesting user to perform
43、 their functions Note 1 to entry: Need-to-know is authorized at the discretion of the resource owner. Note 2 to entry: Need-to-have is the security objective of the requester for the fulfilment of specific tasks that may be limited at the resource owners discretion.2 ISO/IEC 2016 All rights reserved
44、BS ISO/IEC 29146:2016ISO/IEC 29146:2016(E) 3.8 privilege access right permission authorization to a subject (3.15) to access a resource (3.14) Note 1 to entry: Privilege is a necessary but not sufficient condition for access. Access occurs when the access request is granted according to its access c
45、ontrol policy. The access control policy is based on privileges and may include other environmental factors (e.g. time-of-day, location, etc.) Note 2 to entry: Privileges take the form of data presented by a subject or obtained for a subject that is used by a Policy Decision Point in order to grant
46、or deny an operation that a subject is willing to perform on a resource. Note 3 to entry: A resource may have multiple distinct privileges associated with it which correspond to various defined levels of access. For example, a data resource could have read, write, execute and delete privileges avail
47、able for assignment to subjects. A request by a subject for access to the resource might be allowed for some levels of access request but disallowed for other levels depending on the level of access requested and the resource privileges that have been assigned to the subject. 3.9 role name given to
48、a defined set of system functions that may be performed by multiple entities Note 1 to entry: The name is usually descriptive of the functionality. Note 2 to entry: Entities can be but are not necessarily human subjects. Note 3 to entry: Roles are implemented by a set of privilege (3.8) attributes t
49、o provide the necessary access to data resources or objects. Note 4 to entry: Subjects assigned to a role inherit the access privileges associated with the role. In operational use, subjects will need to be authenticated as members of the role group before being allowed to perform the functions of the role. 3.10 policy decision point PDP service that implements an access control policy to adjudicate requests from entities to access resources (3.14) and provide authori
