+ All Categories
Home > Software > Top Ten Reasons Why Developers Don’t Adopt ABAC

Top Ten Reasons Why Developers Don’t Adopt ABAC

Date post: 27-May-2015
Category:
Upload: axiomatics-ab
View: 781 times
Download: 1 times
Share this document with a friend
Description:
We’ve all heard excuses for why application developers resist adopting externalized authorization and ABAC approaches, it is sometimes a lot like listening to a teenager trying to explain away their latest transgression. At Axiomatics, we’ve also heard many excuses over the years and they can range from legitimate to debatable. In this session, Gerry Gebel will review our Top Ten reasons for not adopting ABAC plus a rebuttal for each.
Popular Tags:
38
TopTen Reasons Why Developers Don’t Adopt ABAC IRM Summit – Phoenix – June 2014 Gerry Gebel Axiomatics [email protected] @ggebel © 2014 Axiomatics AB 1
Transcript
Page 1: Top Ten Reasons Why Developers Don’t Adopt ABAC

Top  Ten  Reasons  Why  Developers  Don’t  Adopt  ABAC  

IRM Summit – Phoenix – June 2014

Gerry Gebel Axiomatics [email protected] @ggebel

© 2014 Axiomatics AB 1

Page 2: Top Ten Reasons Why Developers Don’t Adopt ABAC

© 2014 Axiomatics AB 2

IRM Summit 2014

Page 3: Top Ten Reasons Why Developers Don’t Adopt ABAC

Agenda  

§  Business trends and ABAC

§  Top Ten List

IRM Summit

© 2014 Axiomatics AB 3

Page 4: Top Ten Reasons Why Developers Don’t Adopt ABAC

Business  Trends  &  ABAC  

IRM Summit

© 2014 Axiomatics AB 4

Page 5: Top Ten Reasons Why Developers Don’t Adopt ABAC

What  is  Attribute  Based  Access  Control  (ABAC)?  §  A mode of externalized authorization

§  Authorization policies/rules are managed in a centralized service (deployment can be centralized/distributed/hybrid)

§  The Extensible Access Control Markup Language (XACML) is an example of an ABAC system

§  Policies utilize attributes to describe specific access rules, which is why it is called attribute based access control

© 2014 Axiomatics AB 5

Page 6: Top Ten Reasons Why Developers Don’t Adopt ABAC

Collaboration   …depends on efficient information sharing… … which depends on precision in access controls…

Business challenge

Page 7: Top Ten Reasons Why Developers Don’t Adopt ABAC

Speed  in  business  transactions   …depends on efficient delegation of powers… … while losses due to fraud or excessive risk taking are minimized…

Business challenge

Page 8: Top Ten Reasons Why Developers Don’t Adopt ABAC

Regulatory  compliance   …depends on efficient IT governance … …which in turn depends on correct and verifiable authorizations …

Business challenge

Page 9: Top Ten Reasons Why Developers Don’t Adopt ABAC

Protecting  credit  card  numbers,    financial  data,  accounts,  etc.  

© 2014 Axiomatics AB 9

The data protection problem

Page 10: Top Ten Reasons Why Developers Don’t Adopt ABAC

Information  storage  –  global  increase  

© 2014 Axiomatics AB 10

The data protection problem

Based on: Hilbert and Lopez, 2011

86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07

300

250

200

150

100

50

0

~93% digital

~0,7% digital

DAC

MAC

RBAC

ABAC Increasing access control challenges

Page 11: Top Ten Reasons Why Developers Don’t Adopt ABAC

Legacy access control Attribute based access control

© 2014 Axiomatics AB 11

Legacy  access  controls  fail  in  dynamic  environments  

Page 12: Top Ten Reasons Why Developers Don’t Adopt ABAC

Policy  example  –  expanded  from  NIST*  report  § Nurse Practitioners can View the Records of Patients in the same

Department they are assigned to during shift hours

§  This rule can apply to all departments in the hospital §  Add a new department or change names of department and the rule does not change §  Rule compares department of the Nurse Practitioner to the department of the Patient

© 2014 Axiomatics AB 12

Subject attributes Action attributes Resource attributes Environment * nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

Page 13: Top Ten Reasons Why Developers Don’t Adopt ABAC

Top  Ten  List  

IRM Summit

© 2014 Axiomatics AB 13

Page 14: Top Ten Reasons Why Developers Don’t Adopt ABAC

ABAC  Degree  of  Difficulty  

© 2014 Axiomatics AB 14

aka,  ADD  

Page 15: Top Ten Reasons Why Developers Don’t Adopt ABAC

1.  “It  will  impact  performance”  

© 2014 Axiomatics AB 15

Page 16: Top Ten Reasons Why Developers Don’t Adopt ABAC

Response  #1  §  There are many ways to scale or configure for maximum performance §  Utilize caching of policies, attributes and decisions §  Employ faster communication protocols, like Apache Thrift §  Place the decision engine closer to the application it’s protecting §  Embed the decision engine within the application to eliminate network hops §  Use smart policy modeling to make evaluations more efficient

§  ABAC systems are proven in very large deployments §  200+ million users §  20,000 access requests per second §  Your ABAC system should have many modes of operation to address many scenarios

© 2014 Axiomatics AB 16

Page 17: Top Ten Reasons Why Developers Don’t Adopt ABAC

2.  “I  don’t  like  XML”  

© 2014 Axiomatics AB 17

Page 18: Top Ten Reasons Why Developers Don’t Adopt ABAC

Response  #2  §  Fine, don’t use it… try JSON instead

§  Go from this:

© 2014 Axiomatics AB 18

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" > </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> </xacml-ctx:Request>

Page 19: Top Ten Reasons Why Developers Don’t Adopt ABAC

Response  #2  §  To this:

© 2014 Axiomatics AB 19

{"subject": {"attribute":[{ "attributeId":"username", "value":"alice"}]},

"resource": {"attribute":[{ "attributeId":"resource-id", "value":"hello"}]},

"action": {"attribute":[{ "attributeId":"action-id", "value":"say"}]}} 0

200 400 600 800

1000 1200 1400

Char. Count

XML JSON

Page 20: Top Ten Reasons Why Developers Don’t Adopt ABAC

3.  “It  makes  the  system  more  complex”  

© 2014 Axiomatics AB 20

Page 21: Top Ten Reasons Why Developers Don’t Adopt ABAC

Response  #3  §  So you prefer to pollute your application code

with security stuff?

§  There are trade-offs to consider when outsourcing functions to an external service

§  For the developer, the interface is very simple §  Send a package of attributes to AuthZ service §  Process the Permit/Deny response

© 2014 Axiomatics AB 21

REST  

Page 22: Top Ten Reasons Why Developers Don’t Adopt ABAC

4.  “I  can  do  it  faster  myself”  

© 2014 Axiomatics AB 22

Page 23: Top Ten Reasons Why Developers Don’t Adopt ABAC

Response  #4  §  IT lead time to set up authorization service can be time consuming §  If you heavy weight processes for setting up new hardware, VM images, etc.

§  One time pain generates many returns for future projects §  But few want to be the first mover

§  Option: bundle the authorization service with your application §  Less reliance on IT services §  All the necessary components are packaged with the application

© 2014 Axiomatics AB 23

Page 24: Top Ten Reasons Why Developers Don’t Adopt ABAC

5.  “I  don’t  care  about  enterprise  issues”  

© 2014 Axiomatics AB 24

,

Page 25: Top Ten Reasons Why Developers Don’t Adopt ABAC

Response  #5  §  What are the results of this bad attitude? §  IT has to provision accounts and identity data to every application built this way (which

launched the comma into IAM legend status) §  Legions of application managers now hate you because they have to manually review

stacks of permissions and roles from your app and everyone else that built apps the same way

§  Congratulations, we now have 500 applications and 50,000 roles

© 2014 Axiomatics AB 25

Page 26: Top Ten Reasons Why Developers Don’t Adopt ABAC

6.  “My  code  is  more  flexible”  

© 2014 Axiomatics AB 26

Page 27: Top Ten Reasons Why Developers Don’t Adopt ABAC

Response  #6  §  You may be right, for a particular use case

§  But §  How long did it take to code? §  Is it adaptable to the next scenario? §  How much effort is required to maintain your code?

© 2014 Axiomatics AB 27

Page 28: Top Ten Reasons Why Developers Don’t Adopt ABAC

7.  “I  don’t  know  where  the  attributes  are”  

© 2014 Axiomatics AB 28

Page 29: Top Ten Reasons Why Developers Don’t Adopt ABAC

Response  #7  §  No need to concern yourself §  Just send the attributes available in the user session

§  Subject identifier §  Resource identifier §  Action

§  Role or group info §  Device type

§  Authentication type §  Etc.

§  The authorization service handles the rest, looking up additional attributes if necessary

© 2014 Axiomatics AB 29

Page 30: Top Ten Reasons Why Developers Don’t Adopt ABAC

8.  “What  if  the  external  service  fails?”  

© 2014 Axiomatics AB 30

Page 31: Top Ten Reasons Why Developers Don’t Adopt ABAC

Response  #8  §  Practice good hygiene §  Eliminate single points of failure §  Understand failure modes and document processes for recovery §  Implement change control processes, which permits roll back to known state

§  But these are tasks for the IT department, and it’s their specialty

© 2014 Axiomatics AB 31

Page 32: Top Ten Reasons Why Developers Don’t Adopt ABAC

9.  “Who  will  manage  the  policies,  me?”  

© 2014 Axiomatics AB 32

Page 33: Top Ten Reasons Why Developers Don’t Adopt ABAC

Response  #9  §  If you insist, yes §  Policies are easily created using ALFA shorthand syntax

§  Similar to C# or Java §  Plug in for Eclipse §  Submitted to OASIS for standardization

§  Or you can rely on business owner, security office or system administrators to create and manage access policies §  It’s another item off your plate

© 2014 Axiomatics AB 33

Page 34: Top Ten Reasons Why Developers Don’t Adopt ABAC

10.  “Isn’t  ABAC  just  a  new  fad?”  

© 2014 Axiomatics AB 34

Like, say, sock shots at conferences…

Page 35: Top Ten Reasons Why Developers Don’t Adopt ABAC

Response  #10:  The  ABAC  trend  

35

2005 XACML version 2.0: Concept production-ready for enterprise needs.

2009 US Federal CIO Council – (FICAM) Roadmap and Implementation Plan v1.0 advocates ABAC

2006 Axiomatics founded. First project: a nation- wide eHealth service.

2011 FICAM v2.0: ABAC recommended access control model for promoting information sharing between diverse and disparate organizations.

2013 XACML version 3.0

2014 NIST Guide on ABAC

2014 Gartner predicts: ”By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today.”

ABAC = Attribute Based Access Control

© 2014 Axiomatics AB

Page 36: Top Ten Reasons Why Developers Don’t Adopt ABAC

Wrapping  up  

© 2014 Axiomatics AB 36

Page 37: Top Ten Reasons Why Developers Don’t Adopt ABAC

Summary  §  Touched on some issues of why developers resist ABAC

§  There are others….

§  Hopefully you’ve learned some ways to deal with objections

© 2014 Axiomatics AB 37

IRM Summit 2014

Page 38: Top Ten Reasons Why Developers Don’t Adopt ABAC

Questions?  Thank you for listening


Recommended