Runtime ABAC Systems – Where are they Applicable? Presentation by Gerry Gebel, July 14.
© 2014 Axiomatics AB 1
Runtime ABAC Systems – Where are they Applicable?
How to Achieve ABAC Today – July 2014
Gerry Gebel, [email protected], @ggebel
Agenda
Business trends that are influencing authorization requirements
Externalized Authorization and ABAC
Standards update, if time permits: JSON, REST, & ALFA
Business Trends & AuthZ
The information map has been completely redrawn and it’s not finished yet
Next generation information security
= dynamic authorization
= attribute based access control
Grant or deny access based on the following attributes:
Who
What (sensitive / business critical information)
When
Where
Why
How
Legacy access controls fail in dynamic environments
ABAC thrives in dynamic environments
FROM: Internal controls, matrix and manual checklists, maintained separately per application (Application A, Application B, Application C):
COMPLIANCE: Conforming with privacy regulation?
RISK MGMT: Segregation of duties checked?
ISO 27000 ISMS: Classification of data & access control policies implemented?
TO: Centrally maintained policies consistently enforced across applications
Switch to effective & efficient access control policies
Authorization service
Externalized Authorization and ABAC
Implementation Phases
Access policies: how are they authored/managed?
The attributes: where do they come from?
Application integration: how does ABAC connect with the application?
ABAC access policies
Choose the right tool for the audience:
Business analysts
Systems administrators
Application developers
ABAC access policies for Business Analysts
Natural Language Processing (XpressRules)
ABAC access policies for System Administrators
ABAC access policies for Application Developers
  policy allowTransaction {
    target clause userRole == "manager" and actionId == "approve" and resType == "transaction"
    apply firstApplicable
    rule allowIfLowRiskScore {
      condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
      permit
    }
  }
ALFA* Eclipse plug-in
*Submitted to OASIS as XACML Profile
Attribute Sources
Attributes are contained in the access request message
Additional attributes are retrieved at runtime
Attribute sources
The XACML Request carries attributes in four categories: Subject, Action, Resource, Environment
Run time retrieval
Attribute sources consulted at run time: VDS, Directories, Databases, Active Directory, Applications
Applying ABAC to every layer of your application
ADAF
ABAC at the presentation tier
Hide or reveal menu items, drop down lists, widgets, etc.
Activate/deactivate portal buttons
Implement with any application framework or programming language: Java, .NET, Ruby, Python, PHP, Spring, etc.
ABAC at the business / API tier
Web Services Client -> Gateway (acts as PEP) -> Web Services Server
The gateway PEP is backed by Policies and Attribute Sources
Note: optionally use Axiomatics PDP on the SecureSpan Gateway
ABAC at the Database tier
1. SQL statement is intercepted
2. A query is sent to the external authorization service
3. The authorization engine evaluates the relevant policies
4. It may also need to query external attribute sources for more info
5. The result: SQL statement is dynamically modified and only authorized data is returned to user
Diagram: user Bob wants to SELECT * from table T; after the Application consults the Authorization Service, the statement sent to Data storage becomes SELECT A,B FROM TABLE T WHERE… and only filtered data is returned
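The five database-tier steps above, as an added example (not code from the presentation or from Axiomatics): a stand-in authorization service decides, from the user's attributes, which columns may be projected and which row predicate must be applied, and the intercepted `SELECT *` is rewritten accordingly. The table, users, regions and clearance values are constructed; the table name is validated against an allow-list and attribute values travel as bind parameters, so the filter never builds SQL text from untrusted values.

```python
import sqlite3

# Constructed sample data: a table of transactions and the attributes the
# authorization service knows about each user (assumptions, not from the deck).
ROWS = [
    (1, "north", 100.0, "internal"),
    (2, "south", 250.0, "internal"),
    (3, "north", 900.0, "confidential"),
]
USER_ATTRIBUTES = {
    "bob": {"region": "north", "clearance": "internal"},
    "alice": {"region": "south", "clearance": "confidential"},
}
# Tables the filter may be applied to; a requested table name is checked
# against this allow-list rather than pasted into the query.
ALLOWED_TABLES = {"t": ["id", "region", "amount", "classification"]}


def setup_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER, region TEXT, amount REAL, classification TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?, ?, ?)", ROWS)
    return conn


def authorization_service(user, table):
    """Steps 2-4: the external authorization service evaluates its policies
    against the user's attributes (looked up here, as from an attribute source)
    and returns the columns the user may see plus a parameterized row filter."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table {table!r}")
    attrs = USER_ATTRIBUTES.get(user)
    if attrs is None:
        # Unknown user: no columns and a predicate that matches nothing.
        return [], "0 = 1", []
    columns = ["id", "region", "amount"]           # classification is never exposed
    predicate = "region = ?"                        # users only see their own region
    params = [attrs["region"]]
    if attrs["clearance"] != "confidential":
        predicate += " AND classification = ?"     # and only internal rows unless cleared
        params.append("internal")
    return columns, predicate, params


def rewrite_select(user, table):
    """Step 5: the intercepted 'SELECT * FROM table' is rewritten to the
    authorized column list and filter. Attribute values are bind parameters,
    so they never become part of the SQL text."""
    columns, predicate, params = authorization_service(user, table)
    if not columns:
        return None, []
    sql = f"SELECT {', '.join(columns)} FROM {table} WHERE {predicate}"
    return sql, params


def filtered_query(conn, user, table="t"):
    """Execute the rewritten statement and return only the authorized rows."""
    sql, params = rewrite_select(user, table)
    if sql is None:
        return []
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = setup_db()
    for who in ("bob", "alice", "mallory"):
        print(who, "->", filtered_query(db, who))
```

Bob (region north, internal clearance) sees only row 1; row 3 is in his region but classified confidential. Alice is cleared for confidential data but restricted to the south region, so she sees only row 2. An unknown user gets an empty result rather than an error that would reveal whether the table exists.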
To Summarize
The ABAC trend is underway, it's time to get started with your plans
The technology is mature and ready to implement
This group of best-in-class vendors offers compelling integrations
…and a few more comments on standards, if time permits
REST, JSON, & ALFA: What's new on the standards front?
JSON encoding of an authZ request
{
  "subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
  "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
  "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}
}
JSON vs. XML
[Chart: Size of a XACML request, word count and character count, XML vs JSON]
REST Profile
What's new in the XACML standard: XML over HTTP, JSON over HTTP
ALFA – Axiomatics Language for Authorization
Domain Specific Language (DSL) that provides an abstraction over XACML
Pseudo language is similar to C# or Java
Author policies in Eclipse IDE, plug-in automatically generates XACML
Axiomatics has committed to submit ALFA as an XACML profile
A policy example, in ALFA
  policy allowTransaction {
    target clause userRole == "manager" and actionId == "approve" and resType == "transaction"
    apply firstApplicable
    rule allowIfLowRiskScore {
      condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
      permit
    }
  }
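To show how the pieces from the slides fit together at runtime, here is an added example (not code from the presentation, from Axiomatics, or from any XACML implementation): a small decision function that takes a request in the JSON shape of the "JSON encoding of an authZ request" slide, fills in attributes the request did not carry from a directory (the run-time attribute retrieval described under Attribute Sources), and evaluates the `allowTransaction` policy above with the semantics it states (target, `firstApplicable`, one permit rule). The user directory, the user names and their approval limits are constructed assumptions, and the decision values follow XACML's `Permit` / `NotApplicable` / `Indeterminate`.

```python
import json

# Constructed user directory standing in for the directory or database a PIP
# would consult at run time; the users and values are assumptions, not from the deck.
USER_DIRECTORY = {
    "alice": {"userRole": "manager", "userApprovalLimit": 10000},
    "bob": {"userRole": "clerk", "userApprovalLimit": 500},
}


def make_request(username, amount, risk_score):
    """Build a request in the JSON shape shown on the slide (a constructed sample).
    amount=None omits the transactionAmount attribute to exercise the missing-attribute case."""
    resource_attrs = [
        {"attributeId": "resType", "value": "transaction"},
        {"attributeId": "transactionRiskScore", "value": risk_score},
    ]
    if amount is not None:
        resource_attrs.append({"attributeId": "transactionAmount", "value": amount})
    return json.dumps({
        "subject": {"attribute": [{"attributeId": "username", "value": username}]},
        "resource": {"attribute": resource_attrs},
        "action": {"attribute": [{"attributeId": "actionId", "value": "approve"}]},
    })


def flatten_request(request):
    """Collect attributeId -> value across the request's categories
    (the attributes 'contained in the access request message')."""
    attrs = {}
    for body in request.values():
        for attr in body.get("attribute", []):
            attrs[attr["attributeId"]] = attr["value"]
    return attrs


def resolve_attributes(attrs, directory=USER_DIRECTORY):
    """Run-time retrieval: userRole and userApprovalLimit are not in the request,
    so they are fetched from the directory keyed by the subject's username."""
    enriched = dict(attrs)
    for key, value in directory.get(enriched.get("username"), {}).items():
        enriched.setdefault(key, value)
    return enriched


def allow_transaction(attrs):
    """Evaluate the ALFA policy allowTransaction: a target on userRole, actionId
    and resType; firstApplicable combining; one rule that permits when the risk
    score is below 5 and the amount is within the user's approval limit."""
    in_target = (attrs.get("userRole") == "manager"
                 and attrs.get("actionId") == "approve"
                 and attrs.get("resType") == "transaction")
    if not in_target:
        return "NotApplicable"
    try:
        low_risk = attrs["transactionRiskScore"] < 5
        within_limit = attrs["transactionAmount"] <= attrs["userApprovalLimit"]
    except KeyError:
        # A condition that cannot be evaluated yields Indeterminate in XACML.
        return "Indeterminate"
    if low_risk and within_limit:
        return "Permit"
    # The only rule did not apply and there is no deny rule, so the policy is NotApplicable.
    return "NotApplicable"


def decide(request_json):
    """PDP entry point: parse the JSON request, enrich it, evaluate the policy."""
    attrs = resolve_attributes(flatten_request(json.loads(request_json)))
    return allow_transaction(attrs)


if __name__ == "__main__":
    for user, amount, risk in [("alice", 2500, 3), ("alice", 50000, 1), ("bob", 100, 1)]:
        print(user, amount, risk, "->", decide(make_request(user, amount, risk)))
```

Note that a manager whose transaction fails the condition gets `NotApplicable`, not `Deny`: the policy on the slide has a single permit rule, so a PEP must treat anything other than `Permit` as a refusal (deny-by-default) rather than looking for an explicit `Deny`.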
Thank you for listening
Please save your questions for the vendor panel
Upcoming events & webinars
Don't miss out on these events!
July 19th – July 23rd (Monterey, CA): Cloud Identity Summit
August 5th: Webinar: Why Your Organization Can't Manage Without ABAC
December 2nd – December 4th (Las Vegas, NV): Gartner Identity & Access Management Summit North America
More at www.axiomatics.com/events