The New Venn Of Access Control In The API-Mobile-IoT Era

Eve Maler, Principal Analyst, Security & Risk

June 4, 2014

@xmlgrrl


Presentation from the 2014 IRM Summit in Phoenix, Arizona by Eve Maler, Principal Analyst Serving Security & Risk Professionals at Forrester.


Slide 2

The business tech landscape is handing us hard IAM problems. Traditional solutions don’t “work less well”… they don’t work at all.

Slide 3

© 2012 Forrester Research, Inc. Reproduction Prohibited

Agenda

What are the implications of “BYO”?

Emerging technologies help you achieve a Zero Trust posture

What remains to be done?

Slide 4

The extended enterprise forces IT to handle bring-your-own-everything


Source: April 7, 2014, “Navigate The Future Of Identity And Access Management” Forrester report

Slide 5

You can’t trust everything + everyone inside your crunchy perimeter anyway

Source: November 15, 2012, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report

…so stop trying

Start with Zero Trust. Elevate trust selectively.

Slide 6

Many APIs have acquired business models, driven by mobile

Slide 7

IT now confronts webdevification

[Figure: value X, friction Y]

Slide 8

Our worlds are colliding

UNIFY YOUR STANCE AND PREPARE FOR ANYTHING

[Venn diagram: B2C, B2E, B2B, and B2D overlapping at “the identity singularity”]

Slide 9

Agenda

What are the implications of “BYO”?

Emerging technologies help you achieve a Zero Trust posture

What remains to be done?

Slide 10

A tour through some previous Venns

vintage 2007


Slide 12

vintage 2009

A tour through some previous Venns


Slide 14

Source: October 2012, “TechRadar™ For Security Pros: Zero Trust Identity Standards, Q3 2012”

Emerging standards have an edge over traditional ones for Zero Trust

Key features:
• Governance
• Hubris

Key features:
• “Solving the right problem”
• Enterprise-only scope

Key features:
• Agility
• Mobile/cloud friendliness
• Robustness

Slide 15

A new Venn for “access management 2.0”

JUST WHAT THE API-MOBILE-IOT AXIS NEEDS*

Slide 16

OAuth is about more than the “password anti-pattern”

IT LETS A RESOURCE OWNER DELEGATE CONSTRAINED ACCESS

Slide 17

OpenID Connect turns SSO into a standard OAuth-protected identity API

Capability comparison (X marks a gap):

SAML 2.0, OpenID 2.0
• Initiating user’s login session
• Not responsible for collecting user consent (X)
• High-security identity tokens (SAML only)
• Distributed and aggregated claims
• Session timeout
• Dynamic introduction (OpenID only)

OAuth 2.0
• Not responsible for session initiation (X)
• Collecting user’s consent to share attributes
• No identity tokens per se (X)
• Client onboarding is static (X)
• No claims per se; protects arbitrary APIs (X)
• No sessions per se (X)

OpenID Connect
• Initiating user’s login session
• Collecting user’s consent to share attributes
• High-security identity tokens (using JSON Web Tokens)
• Distributed and aggregated claims
• Session timeout (in the works)
• Dynamic introduction

Slide 18

UMA enables authorization that’s friendly to OAuth, APIs, PbD, and (it appears) IoT

Standardized APIs enable Internet-scale authz-as-a-service

Outsources protection to a centralized “digital footprint control console” for Alice or an IT admin

The “user” in User-Managed Access (UMA) – can be an organization (“headless”)

Some guy not accounted for in OAuth…

Slide 19

Mapping UMA to classic authorization architecture

• AS ~PDP, RS ~PEP
• Deliberately prepared for n:n relationships
• Implicitly a PAP and PIP, or a client to them
• Client and requesting party together ~requester
• Claims and context gathered at run time
• Policymaker (no std policy expression or evaluation)

Slide 20

The RS exposes whatever value-add API it wants, protected by an AS

• App-specific API
• UMA-enabled client
• RPT (requesting party token)
• (can be profiled to move the PDP/PEP line)

Slide 21

The AS exposes a UMA-standardized protection API to the RS

• Protection API
• Protection client
• PAT (protection API token)
• includes resource registration API and token introspection API

Slide 22

The AS exposes a UMA-standardized authorization API to the client

• Authorization API
• Authorization client
• AAT (authorization API token)
• supports OpenID Connect-based claims-gathering for authz
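As an added illustration of slides 20 to 22 (not from the deck, and not any UMA implementation's code), the following Python simulation puts the three UMA token relationships side by side: the RS uses its PAT on the protection API to register a resource set and to introspect RPTs, the client uses its AAT on the authorization API to obtain an RPT carrying only the scopes the owner's policy allows, and the RS enforces purely on the introspection result. All names, token formats, and the policy shape are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthorizationServer:  # Alice's AS: protection API toward the RS, authorization API toward clients
    tokens: dict = field(default_factory=lambda: {"pat": set(), "aat": set()})
    resources: dict = field(default_factory=dict)  # resource set id -> registered scopes
    policies: dict = field(default_factory=dict)   # (resource id, requesting party) -> allowed scopes
    rpts: dict = field(default_factory=dict)       # RPT -> {resource id: granted scopes}

    def issue(self, kind):  # kind is "pat" (for an RS) or "aat" (for a client); constructed token format
        token = f"{kind}-{secrets.token_hex(4)}"
        self.tokens[kind].add(token)
        return token
    def _require(self, kind, token):
        if token not in self.tokens[kind]:
            raise PermissionError(f"invalid {kind.upper()}")
    def register_resource(self, pat, resource_id, scopes):  # protection API: resource registration
        self._require("pat", pat)
        self.resources[resource_id] = set(scopes)
    def introspect(self, pat, rpt):  # protection API: token introspection, called by the RS
        self._require("pat", pat)
        perms = self.rpts.get(rpt)
        return {"active": perms is not None, "permissions": perms or {}}
    def request_rpt(self, aat, resource_id, scopes, claims):  # authorization API, called by the client
        self._require("aat", aat)
        allowed = self.policies.get((resource_id, claims.get("sub")), set())
        granted = allowed & set(scopes) & self.resources.get(resource_id, set())
        if not granted:
            return None  # the PDP said no, so no token is minted
        rpt = f"rpt-{secrets.token_hex(4)}"
        self.rpts[rpt] = {resource_id: sorted(granted)}
        return rpt

def rs_handle(auth, pat, resource_id, scope, rpt):  # the RS is the PEP: it never evaluates policy itself
    if not rpt:
        return 403  # real UMA also hands back a permission ticket pointing the client at the AS
    result = auth.introspect(pat, rpt)
    ok = result["active"] and scope in result["permissions"].get(resource_id, [])
    return 200 if ok else 403

def demo():
    auth, res = AuthorizationServer(), "alice/calendar"
    pat = auth.issue("pat")  # the RS is onboarded to the protection API
    auth.register_resource(pat, res, ["read", "write"])
    auth.policies[(res, "bob")] = {"read"}  # Alice's policy at the AS: Bob may read only
    aat = auth.issue("aat")  # Bob's client is onboarded to the authorization API
    rpt = auth.request_rpt(aat, res, ["read", "write"], {"sub": "bob"})  # Bob asks for both scopes
    stranger = auth.request_rpt(aat, res, ["read"], {"sub": "mallory"})  # no policy for mallory
    return (rs_handle(auth, pat, res, "read", None), rs_handle(auth, pat, res, "read", rpt),
            rs_handle(auth, pat, res, "write", rpt), stranger)
```

demo() returns (403, 200, 403, None): no RPT is refused, the RPT works for the one scope Alice permitted, the unrequested-by-policy write scope never makes it into the token, and a requesting party with no policy gets no RPT at all.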

Slide 23

Detailed summary

Slide 24

Agenda

What are the implications of “BYO”?

Emerging technologies help you achieve a Zero Trust posture

What remains to be done?

Slide 25

After the REST maturity ladder must come “scope design best practices”

[Venn diagram of access-control granularity]

Axes:
• actors (“subjects”): roles, groups, attributes/claims
• resources accessed (“objects”) and operations (“verbs”): domain, URL path, HTTP method, field
• arbitrary other authz context: authn context

Regions: classic coarse-grained, emerging scope-grained, classic fine-grained

Slide 26

Webdevs and IoT demand the right appsec design center and footprint

Slide 27

Federations must grow to accommodate outsourced access

I promise to Adhere-to-Terms once I get access using a valid RPT with the right authz data!

I promise to Adhere-to-Terms once the AS adds authz data to your RPT!

Slide 28

IRM for healthcare requires serious security, privacy, and discoverability

[Diagram: several ASes, RSes, and clients (C) in a healthcare federation]

• Likely EHR operators in the US
• Healthcare providers
• Wearables and other quantified-self apps
• “Mint for patients and caregivers”

Benefits
• Proactive, trackable consent directives
• Blue Button+-friendly data delivery

Challenges
• Sclerotic IT practices
• Nth-degree security, privacy, and discoverability requirements

Slide 29

Thank you

Eve Maler

+1 425.345.6756

[email protected]

@xmlgrrl