Question
How to enforce access and usage control policies for different types of authentication?
Context
In general, the access and usage control of data are governed by policies in which it defines who can do what in which circumstance. However, ensuring user respects what is defined in policy is a challenge. For example, if policy states that user needs to notify data owner before accessing or using it, it is an obligation to ensure that notification message reaches data owner before data is released or made accessible to user.
Solution
The key solution to policy enforcement is to develop the policy enforcement point (PEP) acting as the intermediary between policy decision point (PDP) and client application. PEP forwards request from client to PDP system and retrieves access and usage control decision from PDP. PEP is also responsible for enforcing policy by executing obligation if needed.
References
Risk-adaptable access control - csrc.nist.gov
Access control policies enforcement in a cloud environment: Openstack - ieeexplore.ieee.org