Securing Data is a Four letter Word

Date post: 13-Jul-2015
Upload: axiomatics-ab
Transcript
Page 1: Securing Data is a Four letter Word

© 2014 Axiomatics AB 1

Securing data is a four letter word

Next Generation Data Centric Security is ABAC-powered

Webinar December 11, 2014

Page 2: Securing Data is a Four letter Word

Today’s speakers


Finn Frisch

David Brossard

Page 3: Securing Data is a Four letter Word

Agenda

Data Centric Security

Business Drivers

Technology Solutions

Attribute Based Access Control (ABAC) powering Data Centric Security

DEMO


Section heading

Page 4: Securing Data is a Four letter Word


Page 5: Securing Data is a Four letter Word


B2B

B-2-cloud-B

Organization X / Organization Y

Page 6: Securing Data is a Four letter Word

The new normal


Global connectivity

Collaboration

Mobility

Data sharing

Cloud

Big data


How to protect confidentiality in this new landscape?

Page 7: Securing Data is a Four letter Word

”The Death of Least Privilege”


“By 2020, over 80% of enterprises will allow unrestricted access to noncritical assets, up from <5% today, reducing spending on IAM by 25%.“

Gregg Kreizman, Gartner

Page 8: Securing Data is a Four letter Word

How about critical assets?


“By 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today.”

Gregg Kreizman, Gartner

“Roles Make Way for Other Attributes”

Page 9: Securing Data is a Four letter Word


$3.5m: Average cost to a company due to data breaches (2014 Ponemon Institute: 2014 Cost of Data Breach Study)

$300,000: Average cost for a single successful cyber attack (IBM X-Force 2012 mid-year trend and risk report)

Page 10: Securing Data is a Four letter Word


94m: Estimated number of citizen records lost by government agencies between 2009 and 2012 (2012 Rapid7 report on Data Breaches in the Government Sector)

$194: The average cost per lost or breached record (Ponemon Institute’s 2011 Cost of Data Breach Study)

94m records at $194 per record = $18,000,000,000

Page 11: Securing Data is a Four letter Word

DBMS security focus in the past

Default accounts

Users and roles

Exposed passwords

Patching

Privileges and permissions

Parameter settings

Password management

Profiles

Auditing

Listener security


Page 12: Securing Data is a Four letter Word

Data Centric Security

Tokenization: 3678-4263-2321-0002 → 3678-6342-2527-0002

Element encryption: 3678-4263-2321-0002 → &s#f=z¤VA(cCi][%TXy

Data Masking: John Adams, March 13 1972 → Pete Smith, February 11 1972


Focus on sensitive content: Credit Card Numbers, Social Security Numbers

Page 13: Securing Data is a Four letter Word

NextGen Data Centric Security: ABAC

User attributes determine WHO the user is

Attributes for context, database objects and actions determine WHAT, WHERE, WHEN, and HOW access is requested

Access control policies PERMIT or DENY


WYSIWAG: What you see is what you are authorized to get

Page 14: Securing Data is a Four letter Word

ADAF MD 1+1>2

Combining two existing, robust and proven technology approaches:

Data Centric Security: the same core engine as in the market leading Data Masking solution is used as a SQL Proxy.

Attribute Based Access Control (ABAC): Axiomatics core technology with Reverse Query enhancement.

Result: Next generation database security integrates data access control with corporate Identity & Access Management.


Page 15: Securing Data is a Four letter Word

Data Centric Security – ABAC based authorization


1. SQL statement is intercepted

2. A query is sent to the external authorization service

3. The authorization engine evaluates the relevant policies

4. It may also need to query external attribute sources for more info

5. The result: SQL statement is dynamically modified and only authorized data is returned to user

Diagram: Application (user Bob wants to SELECT A,B from table T) → Authorization Service, backed by Policies and Attribute Sources → Data storage receives SELECT A,B FROM TABLE T WHERE… → Filtered data is returned to the user.

Page 16: Securing Data is a Four letter Word

1. SQL Proxy intercepts SQL query

2. SQL Proxy queries SQL Filter service

3. SQL Filter evaluates request against policies and may need to query further attribute sources

4. SQL Proxy rewrites SQL based on SQL Filter conditions

5. RESULT: Filtered data returned to application

Diagram: Applications → Axiomatics Data Access Filter MD → Databases (Oracle, MS SQL Server); Attribute Sources feed the filter.

Page 17: Securing Data is a Four letter Word

Attributes for use in data access policies

Clients

SSN          FName     LName    Amount    CreditCard                       Country
528-11-2543  Greg      Miller   $17 300   Visa 4532 9965 5798 3440         USA
441-40-3329  Melissa   Sanders  $18 500   Mastercard 5526 2777 6929 2069   UK
665-03-3478  Betty     Roark    $16 300   Visa 4929 7639 2645 8194         Germany
043-04-5684  Gail      Dandrea  $14 500   Mastercard 5196 7330 7610 9809   Italy
025-12-6134  Dorothy   Scott    $19 200   Mastercard 5542 6593 8399 5146   UK
413-23-1218  Kristine  Gamble   $17 300   Visa 4485 4810 9116 1750         Germany

Table: (”Table=Clients”)

Column: (”Column=CreditCard”)

Col/Row Value examples: (”Country=UK”) or (“Amount<17000”)

Action: SELECT, UPDATE, INSERT, DELETE


Axiomatics Data Access Filter

Page 18: Securing Data is a Four letter Word

Manager can see Clients but not SSN and CreditCard


User ID: Greg Miller
Role: Manager

SQL statement: SELECT Fname, Lname, Amount FROM Clients

Result: As requested


Axiomatics Data Access Filter

Page 19: Securing Data is a Four letter Word

Manager can see Clients but not SSN and CreditCard


User ID: Greg Miller
Role: Manager

SQL statement: SELECT Fname, Lname, Amount, SSN FROM Clients

Result: No records retrieved


Axiomatics Data Access Filter

Page 20: Securing Data is a Four letter Word

Manager sees Clients but only own SSN and CreditCard


User ID: Greg Miller
Role: Manager

SQL statement: SELECT Fname, Lname, Amount, SSN, CreditCard FROM Clients

Result: Only the user’s ”own” record is retrieved


Axiomatics Data Access Filter

Page 21: Securing Data is a Four letter Word

Manager can see Clients but only for managed country


User ID: Greg Miller
Role: Manager
Managed country: UK

SQL statement: SELECT * FROM Clients

Result: Subset of records retrieved


Axiomatics Data Access Filter
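The proxy flow on slides 15-16 and the Greg Miller scenarios on slides 18-21, played through in an added Python example (not Axiomatics code and not the Data Access Filter's API): a toy SQL proxy parses the SELECT, asks a hypothetical policy function for a permit/deny decision plus row conditions, rewrites the statement with a WHERE clause and returns only the authorized columns and rows. The Clients rows, the three policy functions and the user attribute record are constructed for the example.

```python
import re

# Constructed subset of the deck's Clients table (Amount stored as an integer).
CLIENTS = [
    {"SSN": "528-11-2543", "FName": "Greg", "LName": "Miller", "Amount": 17300,
     "CreditCard": "4532 9965 5798 3440", "Country": "USA"},
    {"SSN": "441-40-3329", "FName": "Melissa", "LName": "Sanders", "Amount": 18500,
     "CreditCard": "5526 2777 6929 2069", "Country": "UK"},
    {"SSN": "665-03-3478", "FName": "Betty", "LName": "Roark", "Amount": 16300,
     "CreditCard": "4929 7639 2645 8194", "Country": "Germany"},
    {"SSN": "025-12-6134", "FName": "Dorothy", "LName": "Scott", "Amount": 19200,
     "CreditCard": "5542 6593 8399 5146", "Country": "UK"},
]
COLUMNS = {c.lower(): c for c in CLIENTS[0]}   # case-insensitive column lookup
SENSITIVE = {"SSN", "CreditCard"}
# Hypothetical policies, one per slide. Each returns (permit, row_filter), where
# row_filter maps column -> value; the proxy turns it into the WHERE clause.
def policy_no_sensitive(user, cols):      # slides 18-19: never SSN or CreditCard
    return (not (cols & SENSITIVE)), {}

def policy_own_sensitive(user, cols):     # slide 20: sensitive columns only on own row
    if cols & SENSITIVE:
        return True, {"FName": user["fname"], "LName": user["lname"]}
    return True, {}

def policy_managed_country(user, cols):   # slide 21: only rows of the managed country
    return True, {"Country": user["managed_country"]}

def parse_select(sql):
    """Step 1: intercept the SELECT and extract its column list (KeyError if unknown)."""
    m = re.match(r"\s*SELECT\s+(.+?)\s+FROM\s+Clients\s*;?\s*$", sql, re.I)
    if not m:
        raise ValueError("only SELECT ... FROM Clients is supported here")
    if m.group(1).strip() == "*":
        return list(COLUMNS.values())
    return [COLUMNS[c.strip().lower()] for c in m.group(1).split(",")]

def proxy(sql, user, policy):
    """Steps 2-5: ask the policy, rewrite the SQL, run it, return only authorized data."""
    cols = parse_select(sql)
    permit, row_filter = policy(user, set(cols)) if user["role"] == "Manager" else (False, {})
    if not permit:
        return "DENY", []                 # deck: "No records retrieved"
    where = " AND ".join(f"{k} = '{v}'" for k, v in row_filter.items())
    rewritten = f"SELECT {', '.join(cols)} FROM Clients" + (f" WHERE {where}" if where else "")
    rows = [{c: r[c] for c in cols} for r in CLIENTS
            if all(r[k] == v for k, v in row_filter.items())]
    return rewritten, rows
# Constructed attributes for the deck's manager (slide 21 adds the managed country).
GREG = {"role": "Manager", "fname": "Greg", "lname": "Miller", "managed_country": "UK"}
```

A real proxy would also have to handle joins, aliases and subqueries; the deck's point that the application never sees unauthorized rows or columns holds only if every path to the database goes through the proxy.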

Page 22: Securing Data is a Four letter Word

DEMO


Page 23: Securing Data is a Four letter Word

The use case

Acme Insurance Company is building a new application

The application is aimed at

Customers via a rich mobile-friendly web portal

Brokers who sell insurance policies and manage contracts on behalf of their customers

Claims processors who look at claims and approve them

In this demo, we will use MS Excel as the front-end for brokers

The database being protected is Oracle 11g XE

DEMO

Page 24: Securing Data is a Four letter Word

Actors in the demo

Brokers

View insurance policies

Claims processors

View insurance claims

DEMO

Page 25: Securing Data is a Four letter Word

Sensitive information

Insurance policies

amount, SSN, region, customer financial information

Insurance claims

amount, approved, description, location, individuals involved…

DEMO

Page 26: Securing Data is a Four letter Word

Demo architecture

DEMO

Page 27: Securing Data is a Four letter Word

Authorization scenario

DEMO

Brokers can view the insurance policies of a customer if the broker is assigned to the customer

Role==broker

Action==view

Resource==insurance policy

This is the relationship: userId == customer.assignedBroker

A user with the role == broker can do the action == view on resources of type == insurance policy if the user id == the customer’s assigned broker id.

Page 28: Securing Data is a Four letter Word

What will happen in the demo?

Change the user’s role: access is impacted

Add data to the database: access is impacted

Add or remove a broker – customer relationship: access is impacted

Log out and log in as a separate user: access is impacted

DEMO
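The slide 27 rule and the four changes on slide 28, as an added Python example (not the demo's code): the broker-customer relationship is read from a constructed attribute source at evaluation time, so each change shows up on the next evaluation without touching the policy. Users, customers and insurance-policy records are constructed, and `visible_policies` stands in for a reverse query that asks which policies a given user may view.

```python
def fresh_state():
    """Constructed attribute sources for the demo: users, customers (with their
    assigned broker) and the insurance-policy records being protected."""
    return {
        "users": {"alice": {"role": "broker"}, "bob": {"role": "broker"}},
        "customers": {"c1": {"assignedBroker": "alice"}, "c2": {"assignedBroker": "bob"}},
        "policies": [{"id": "p100", "customer": "c1", "amount": 12000},
                     {"id": "p200", "customer": "c2", "amount": 9000}],
    }

def permit(state, user_id, action, resource):
    """Slide 27 rule: role == broker AND action == view AND resource type ==
    insurance policy AND userId == customer.assignedBroker. The relationship
    is looked up at evaluation time (step 4 of the flow), never cached."""
    user = state["users"].get(user_id)
    if user is None or user["role"] != "broker" or action != "view":
        return False
    if resource.get("type") != "insurance policy":
        return False
    customer = state["customers"].get(resource["customer"])
    return customer is not None and customer["assignedBroker"] == user_id

def visible_policies(state, user_id):
    """Reverse-query style question: which insurance policies may this user view?"""
    return [p["id"] for p in state["policies"]
            if permit(state, user_id, "view", dict(p, type="insurance policy"))]

def demo_walkthrough():
    """Re-evaluate after each change listed on slide 28."""
    s = fresh_state()
    seen = {"initial": visible_policies(s, "alice")}                       # ['p100']
    s["users"]["alice"]["role"] = "claims processor"                       # change the user's role
    seen["role_changed"] = visible_policies(s, "alice")                    # []
    s["users"]["alice"]["role"] = "broker"
    s["policies"].append({"id": "p300", "customer": "c1", "amount": 4500})  # add data
    seen["data_added"] = visible_policies(s, "alice")                      # ['p100', 'p300']
    s["customers"]["c1"]["assignedBroker"] = "bob"                         # move the relationship
    seen["relationship_moved"] = visible_policies(s, "alice")              # []
    seen["as_bob"] = visible_policies(s, "bob")                            # log in as another user
    return seen
```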

Page 29: Securing Data is a Four letter Word

Is there a backdoor?

DEMO

Page 30: Securing Data is a Four letter Word

Is that all?

No, of course not!

You can use the full strength of ABAC to protect your data

Relationships

Device information

Time of day

Authentication type

And more…

DEMO

Page 31: Securing Data is a Four letter Word

Key Capabilities

Context-aware

Filter data based on any available criteria (e.g. location, date/time, device type…)

Multi-database capability

Microsoft SQL Server; Oracle

May support others in the future

Enterprise-ready

Fault-tolerant

High performance

Datacenter ready

Powerful XACML 3.0 Policy support

User attributes from any data store


Axiomatics Data Access Filter

Page 32: Securing Data is a Four letter Word

Standards based ABAC = Simplicity and Security

Benefits of ABAC data filtering

Single point of access control management for database layer

Enforces authorization in a non-intrusive way; application changes not required

Minimizes risk exposure for data in transit

Consistently enforces authorization across multiple channels/applications

Ensures policies and control rules are in place for users accessing and extracting source data

