© 2014 Axiomatics AB

The #1 New Year’s Resolution: Lock down your data

Next Generation Data Centric Security is ABAC-powered

Webinar January 15, 2014


Guidelines


You are muted centrally

The webinar is recorded

Slides available for download

Q&A at the end

Today’s speakers

Gerry Gebel and Jonas Iggbom

Agenda

Data Centric Security

Business Drivers

Technology Solutions

Attribute Based Access Control (ABAC) powering Data-Centric Security

DEMO

[Diagram: B2B and B-2-cloud-B connections between Organization X and Organization Y]

The new normal

Global connectivity

Collaboration

Mobility

Data sharing

Cloud

Big data


How do we protect confidentiality in this new landscape?

“The Death of Least Privilege”

“By 2020, over 80% of enterprises will allow unrestricted access to noncritical assets, up from <5% today, reducing spending on IAM by 25%.”

Gregg Kreizman, Gartner

How about critical assets?


“By 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today.”

Gregg Kreizman, Gartner

“Roles Make Way for Other Attributes”

$3.5m: Average cost to a company due to data breaches (2014 Ponemon Institute: 2014 Cost of Data Breach Study)

$300,000: Average cost for a single successful cyber attack (IBM X-Force 2012 mid-year trend and risk report)

94m × $194 = $18,000,000,000

94m: Estimated number of citizen records lost by government agencies between 2009 and 2012 (2012 Rapid7 report on Data Breaches in the Government Sector)

$194: The average cost per lost or breached record (Ponemon Institute’s 2011 Cost of Data Breach Study)

DBMS security focus in the past

Default accounts

Users and roles

Exposed passwords

Patching

Privileges and permissions

Parameter settings

Password management

Profiles

Auditing

Listener security

Data Centric Security

Tokenization: 3678-4263-2321-0002 → 3678-6342-2527-0002

Element encryption: 3678-4263-2321-0002 → &s#f=z¤VA(cCi][%TXy

Data Masking: 123-56-7890 → ***-**-7890

Focus on sensitive content: Credit Card Numbers, Social Security Numbers
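The contrast between the three techniques above is reversibility: a token maps back to the original only through a vault, a masked value maps back to nothing, and an encrypted element maps back only with the key. The following is an added example, not code from the slides or from Axiomatics: a format-preserving token vault and a masking function (element encryption is left out because it needs a cipher library). The sample card and SSN values are constructed.

```python
import secrets

# Constructed sample values with the same shapes as the slides (not real accounts).
SAMPLE_CARD = "3678-4263-2321-0002"
SAMPLE_SSN = "123-56-7890"


def _reshape(template, digits):
    """Put `digits` into the digit positions of `template`, keeping dashes and spaces."""
    it = iter(digits)
    return "".join(next(it) if c.isdigit() else c for c in template)


def tokenize(value, vault):
    """Tokenization: replace the value with a random token of the same shape.
    The token carries no information about the original; only the vault
    (token -> original) can map it back, so the database never stores the value."""
    n_digits = sum(c.isdigit() for c in value)
    while True:
        token = _reshape(value, (str(secrets.randbelow(10)) for _ in range(n_digits)))
        if token != value and token not in vault:  # avoid a no-op token or a collision
            vault[token] = value
            return token


def detokenize(token, vault):
    """Only a caller with access to the vault gets the original back."""
    return vault.get(token)


def mask(value, keep=4):
    """Data masking: irreversible; every digit except the last `keep` becomes '*'."""
    positions = [i for i, c in enumerate(value) if c.isdigit()]
    hidden = set(positions[:len(positions) - keep])
    return "".join("*" if i in hidden else c for i, c in enumerate(value))


if __name__ == "__main__":
    vault = {}  # in production this lives in a separately protected store
    token = tokenize(SAMPLE_CARD, vault)
    print(SAMPLE_CARD, "->", token, "->", detokenize(token, vault))
    print(SAMPLE_SSN, "->", mask(SAMPLE_SSN))
```

The vault is the trust boundary: whoever can read it can reverse every token, so it is protected and audited separately from the application database that holds the tokens.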

NextGen Data Centric Security: ABAC

User attributes determine WHO the user is

Attributes for context, database objects and actions determine WHAT, WHERE, WHEN, and HOW access is requested

Access control policies PERMIT or DENY

WYSIWAG: What you see is what you are authorized to get

ADAF MD: 1+1>2

Combining two existing, robust and proven technology approaches:

Data Centric Security: The same core engine as in the market leading Data Masking solution is used as a SQL Proxy.

Attribute Based Access Control (ABAC): Axiomatics core technology with Reverse Query enhancement.

Result: Next generation database security integrates data access control with corporate Identity & Access Management.

Data Centric Security – ABAC based authorization

1. SQL statement is intercepted

2. A query is sent to the external authorization service

3. The authorization engine evaluates the relevant policies

4. It may also need to query external attribute sources for more info

5. The result: SQL statement is dynamically modified and only authorized data is returned to the user

[Diagram: User Bob wants to SELECT A,B from table T. The application sends "SELECT A,B FROM TABLE T WHERE…" through the Axiomatics Data Access Filter MD, which consults the Authorization Service (Policies, Attribute Sources) and returns filtered data from data storage.]

Attributes for use in data access policies

Clients table (sample data):

SSN         | FName    | LName   | Amount   | CreditCard                     | Country
528-11-2543 | Greg     | Miller  | $ 17 300 | Visa 4532 9965 5798 3440       | USA
441-40-3329 | Melissa  | Sanders | $ 18 500 | Mastercard 5526 2777 6929 2069 | UK
665-03-3478 | Betty    | Roark   | $ 16 300 | Visa 4929 7639 2645 8194       | Germany
043-04-5684 | Gail     | Dandrea | $ 14 500 | Mastercard 5196 7330 7610 9809 | Italy
025-12-6134 | Dorothy  | Scott   | $ 19 200 | Mastercard 5542 6593 8399 5146 | UK
413-23-1218 | Kristine | Gamble  | $ 17 300 | Visa 4485 4810 9116 1750       | Germany

Table: (“Table=Clients”)

Column: (“Column=CreditCard”)

Col/Row value, examples: (“Country=UK”) or (“Amount<17000”)

Action: SELECT, UPDATE, INSERT, DELETE

Axiomatics Data Access Filter

Manager can see Clients but not SSN and CreditCard

(Clients table as above)

User ID: Greg Miller
Role: Manager

SQL statement: SELECT Fname, Lname, Amount FROM Clients

Result: As requested. Note: No protected columns were requested.

Axiomatics Data Access Filter

Manager can see Clients but not SSN and CreditCard

(Clients table as above)

User ID: Greg Miller
Role: Manager

SQL statement: SELECT Fname, Lname, Amount, CreditCard FROM Clients

Result: Empty data set because Greg is not allowed to see CreditCard as requested.

Axiomatics Data Access Filter

Manager sees CreditCards for clients in managed country

(Clients table as above)

User ID: Greg Miller
Role: Manager
Managed country: UK

SQL JOIN statement:
SELECT A.Fname, A.Lname, A.Amount, B.CreditCard, A.Country
FROM Clients AS A
LEFT JOIN (SELECT ID, CreditCard FROM Clients) AS B
ON A.ID = B.ID;

Result: CreditCards omitted as mandated by policy (four CreditCard cells shown as EMPTY)

Axiomatics Data Access Filter

Manager sees all Client data but only for managed country

(Clients table as above)

User ID: Greg Miller
Role: Manager
Managed country: UK

SQL statement: SELECT * FROM Clients

Result: Subset of records retrieved
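The five-step flow (intercept, ask the authorization service, evaluate policy, fetch attributes, rewrite the statement) and the four Data Access Filter slides above can be exercised end to end with a toy SQL proxy. This is an added example, not code from the slides or from Axiomatics: the Clients table (fake rows in the shape of the slides), the user attributes and the policy rules are all constructed, and the rewriting is a regular-expression substitution over the exact statement shapes shown on the slides, where a real proxy would parse the SQL. The policy it encodes: a Manager without a managed country never gets a protected column (empty result); a Manager with a managed country gets protected cells outside that country masked to NULL, and a `SELECT *` restricted to that country's rows.

```python
import re
import sqlite3

# Constructed sample rows mirroring the Clients table on the slides (fake data).
CLIENTS = [
    (1, "528-11-2543", "Greg", "Miller", 17300, "4532996557983440", "USA"),
    (2, "441-40-3329", "Melissa", "Sanders", 18500, "5526277769292069", "UK"),
    (3, "665-03-3478", "Betty", "Roark", 16300, "4929763926458194", "Germany"),
    (4, "043-04-5684", "Gail", "Dandrea", 14500, "5196733076109809", "Italy"),
    (5, "025-12-6134", "Dorothy", "Scott", 19200, "5542659383995146", "UK"),
    (6, "413-23-1218", "Kristine", "Gamble", 17300, "4485481091161750", "Germany"),
]
PROTECTED = ("SSN", "CreditCard")  # columns the constructed policy guards

# The JOIN from the "CreditCards for clients in managed country" slide.
JOIN_SQL = ("SELECT A.FName, A.LName, A.Amount, B.CreditCard, A.Country "
            "FROM Clients AS A LEFT JOIN (SELECT ID, CreditCard FROM Clients) AS B "
            "ON A.ID = B.ID;")


def open_db():
    """The protected data store; in-memory SQLite stands in for Oracle / SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Clients (ID INTEGER, SSN TEXT, FName TEXT, LName TEXT, "
                 "Amount INTEGER, CreditCard TEXT, Country TEXT)")
    conn.executemany("INSERT INTO Clients VALUES (?,?,?,?,?,?,?)", CLIENTS)
    return conn


def decide_sql(user, sql):
    """Steps 2-4: the authorization service evaluates the constructed policy
    against the user's attributes and the statement. Returns (decision, sql, params)."""
    if user.get("role") != "Manager":
        return "DENY", None, ()
    wildcard = re.match(r"\s*SELECT\s+\*", sql, re.I) is not None
    names_protected = any(re.search(rf"\b{c}\b", sql, re.I) for c in PROTECTED)
    if not wildcard and not names_protected:
        return "PERMIT", sql, ()          # slide 20: nothing protected requested
    country = user.get("managed_country")  # attribute fetched from an external source
    if not country:
        return "DENY", None, ()           # slide 21: no entitlement to protected data
    if wildcard:  # slide 23: row filter (assumes the statement has no WHERE of its own)
        return "PERMIT", sql.rstrip("; ") + " WHERE Country = ?", (country,)
    # Slide 22: cell-level masking. Every reference to a protected column, alias-
    # qualified or not (including the one inside the subquery), becomes a CASE.
    pattern = r"\b(?:\w+\.)?(" + "|".join(PROTECTED) + r")\b"
    masked, n = re.subn(
        pattern,
        lambda m: f"CASE WHEN Country = ? THEN {m.group(0)} ELSE NULL END AS {m.group(1)}",
        sql, flags=re.I)
    return "PERMIT", masked, (country,) * n


def proxy_query(conn, user, sql):
    """Steps 1 and 5: intercept the statement, enforce the decision, run the rewrite.
    A DENY yields an empty data set rather than an error that would reveal the schema."""
    decision, rewritten, params = decide_sql(user, sql)
    if decision == "DENY":
        return []
    return conn.execute(rewritten, params).fetchall()


if __name__ == "__main__":
    db = open_db()
    greg = {"id": "Greg Miller", "role": "Manager"}
    greg_uk = dict(greg, managed_country="UK")
    print(proxy_query(db, greg, "SELECT FName, LName, Amount FROM Clients"))             # 6 rows
    print(proxy_query(db, greg, "SELECT FName, LName, Amount, CreditCard FROM Clients"))  # []
    print(proxy_query(db, greg_uk, JOIN_SQL))                 # card numbers only on UK rows
    print(proxy_query(db, greg_uk, "SELECT * FROM Clients"))  # only the two UK rows
```

The JOIN case is the one worth watching: the subquery is a second path to the same column, and because the rewrite is applied to every reference rather than only to the outer select list, the result still carries no card number outside the managed country. The user never sees a DENY or a modified statement, only fewer rows or NULL cells, which is the "what you see is what you are authorized to get" property the deck describes.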


Axiomatics Data Access Filter

DEMO


The use case

Acme Insurance Company is building a new application

The application is aimed at

Customers via a rich mobile-friendly web portal

Brokers who sell insurance policies and manage contracts on behalf of their customers

Claims processors who look at claims and approve them

In this demo, we will use MS Excel as the front-end for brokers

The database being protected is Oracle 11g XE

DEMO

Actors in the demo

Brokers

View insurance policies

Claims processors

View insurance claims

DEMO

Protected information

Insurance policies

amount, SSN, region, customer financial information

Insurance claims

amount, approved, description, location, individuals involved…

DEMO

Demo architecture

DEMO

Authorization scenario

DEMO

Brokers can view the insurance policies of a customer if the broker is assigned to the customer

Role == broker

Action == view

Resource == insurance policy

userId == customer.assignedBroker (this is the relationship)

A user with the role == broker can do the action == view on resources of type == insurance policy if the user id == the customer’s assigned broker id.

What will happen in the demo?

Change the user’s role: access is impacted

Add data to the database: access is impacted

Add or remove a broker – customer relationship: access is impacted
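The broker rule and the three changes the demo walks through can be reproduced with a small attribute-based policy decision point. This is an added example, not Axiomatics' policy language or code: the `Rule` encoding, the users, customers and policies are constructed. It evaluates the rule forward for one (user, action, resource) triple, and also derives the row condition a reverse query would hand to a SQL filter, which is the idea behind using ABAC to filter a result set rather than checking rows one by one.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    role: str            # required subject attribute
    action: str          # required action
    resource_type: str   # required resource attribute
    subject_attr: str    # relationship: this subject attribute ...
    resource_attr: str   # ... must equal this resource attribute


# "A user with role == broker can do action == view on resources of type ==
# insurance policy if the user id == the customer's assigned broker id."
BROKER_RULE = Rule("broker", "view", "insurance policy", "id", "assignedBroker")


@dataclass
class AttributeSources:
    """Policy information points, constructed for the example."""
    users: dict = field(default_factory=dict)
    customers: dict = field(default_factory=dict)
    policies: dict = field(default_factory=dict)

    def resource(self, policy_id):
        """The relationship lives on the customer, so the engine must fetch it
        from a second source (step 4 of the flow) before it can decide."""
        p = self.policies[policy_id]
        return {"type": p["type"],
                "assignedBroker": self.customers[p["customer"]]["assignedBroker"]}


def sample_sources():
    return AttributeSources(
        users={"u42": {"id": "u42", "role": "broker"},
               "u43": {"id": "u43", "role": "broker"},
               "u77": {"id": "u77", "role": "claims processor"}},
        customers={"c1": {"assignedBroker": "u42"}, "c2": {"assignedBroker": "u43"}},
        policies={"p100": {"type": "insurance policy", "customer": "c1"},
                  "p200": {"type": "insurance policy", "customer": "c2"}},
    )


def decide(rule, src, user_id, action, policy_id):
    """Forward evaluation: PERMIT only when every condition holds, DENY otherwise."""
    user = src.users[user_id]
    res = src.resource(policy_id)
    if (user.get("role") == rule.role and action == rule.action
            and res["type"] == rule.resource_type
            and user.get(rule.subject_attr) == res[rule.resource_attr]):
        return "PERMIT"
    return "DENY"


def reverse_query(rule, src, user_id, action):
    """Reverse evaluation: instead of asking 'may this user view this policy?' once
    per row, derive the condition a row must satisfy and return it as a SQL
    fragment with bind values. None means no row can qualify (empty result)."""
    user = src.users[user_id]
    if user.get("role") != rule.role or action != rule.action:
        return None
    return (f"type = ? AND {rule.resource_attr} = ?",
            (rule.resource_type, user[rule.subject_attr]))


def permitted_policies(rule, src, user_id, action):
    """Brute-force check, used here only to confirm the reverse query agrees with it."""
    return sorted(p for p in src.policies
                  if decide(rule, src, user_id, action, p) == "PERMIT")


if __name__ == "__main__":
    src = sample_sources()
    print(permitted_policies(BROKER_RULE, src, "u42", "view"))   # ['p100']
    print(reverse_query(BROKER_RULE, src, "u42", "view"))        # row filter for the same answer
    src.customers["c2"]["assignedBroker"] = "u42"                 # relationship changes ...
    print(permitted_policies(BROKER_RULE, src, "u42", "view"))   # ... and so does access
```

No policy is edited in any of the three demo changes: the role change alters a user attribute, adding a customer adds a resource attribute, and reassigning a broker alters the relationship attribute. The decision follows the data, which is what makes the rule hold for rows that did not exist when it was written.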

DEMO

Is there a backdoor?

DEMO

No, ADAF protects your sensitive data no matter how it is accessed

Key Capabilities

Context-aware

Filter data based on any available criteria (e.g. location, date/time, device type…)

Multi-database capability

Microsoft SQL Server; Oracle Database

Other databases in the future

Enterprise-ready

Fault-tolerant

High performance

Datacenter ready

Powerful XACML 3.0 Policy support

User attributes from any data store


Axiomatics Data Access Filter

Protect database contents to achieve business goals

Promote the right level of data sharing and collaboration – especially when personally identifiable information (PII) and confidential data are at stake

Enable collaboration across business units and with external partners

Reduce risk of data leakage

Ensure effective compliance and governance

Easily demonstrate that effective controls are in place

Data filtering promotes data sharing, reduces risk

Upcoming webinar

Using the OWASP Top Ten to Upgrade your Authorization Services

February 10 at 2pm Eastern, 11am Pacific

Register here: bit.ly/14WtOVo


Questions?

Thank you for listening

