© 2014 Axiomatics AB 1
Top Ten Reasons Why Developers Don’t Adopt ABAC
IRM Summit – Phoenix – June 2014
Gerry [email protected]@ggebel
© 2014 Axiomatics AB 2
IRM Summit 2014
© 2014 Axiomatics AB 3
Agenda
Business trends and ABAC
Top Ten List
IRM Summit
© 2014 Axiomatics AB 4
Business Trends & ABAC
IRM Summit
© 2014 Axiomatics AB 5
What is Attribute Based Access Control (ABAC)? A mode of externalized authorization
Authorization policies/rules are managed in a centralized service (deployment can be centralized/distributed/hybrid)
The Extensible Access Control Markup Language (XACML) is an example of an ABAC system
Policies utilize attributes to describe specific access rules, which is why it is called attribute based access control
Collaboration
…depends on efficientinformation sharing…
… which depends onprecision in access controls…
Business challenge
Speed in businesstransactions…depends on efficientdelegation of powers…
… while losses due to fraud or excessive risk taking are minimized…
Business challenge
Regulatorycompliance…depends on efficientIT governance …
…which in turn depends on correct and verifiable authorizations …
Business challenge
Protecting credit card numbers, financial data,accounts,etc.
© 2014 Axiomatics AB 9
The data protection problem
Information storage – global increase
© 2014 Axiomatics AB 10
The data protection problem
Based on: Hilbert and Lopez, 2011
86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07
300
250
200
150
100
50
0
~93% digital
~0,7% digital
DAC
MAC
RBAC
ABACIncreasing access control challenges
© 2014 Axiomatics AB 11
Legacy access control Attribute based access control
Legacy access controls fail in dynamic environments
© 2014 Axiomatics AB 12
Policy example – expanded from NIST* report Nurse Practitioners can View the Records of Patients in the same
Department they are assigned to during shift hours
This rule can apply to all departments in the hospital
Add a new department or change names of department and the rule does not change
Rule compares department of the Nurse Practitioner to the department of the Patient
Subject attributesAction attributesResource attributesEnvironment * nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
© 2014 Axiomatics AB 13
Top Ten List
IRM Summit
© 2014 Axiomatics AB 14
ABAC Degree of Difficultyaka, ADD
© 2014 Axiomatics AB 15
1. “It will impact performance”
© 2014 Axiomatics AB 16
Response #1 There are many ways to scale or configure for maximum performance
Utilize caching of policies, attributes and decisions
Employ faster communication protocols, like Apache Thrift
Place the decision engine closer to the application it’s protecting
Embed the decision engine within the application to eliminate network hops
Use smart policy modeling to make evaluations more efficient
ABAC systems are proven in very large deployments 200+ million users
20,000 access requests per second
Your ABAC system should have many modes of operation to address many scenarios
© 2014 Axiomatics AB 17
2. “I don’t like XML”
© 2014 Axiomatics AB 18
Response #2 Fine, don’t use it… try JSON instead
Go from this:<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" > </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes></xacml-ctx:Request>
© 2014 Axiomatics AB 19
Response #2 To this:
{"subject":{"attribute":[{
"attributeId":"username","value":"alice"}]},
"resource":{"attribute":[{
"attributeId":"resource-id","value":"hello"}]},
"action":{"attribute":[{
"attributeId":"action-id","value":"say"}]}}
Char. Count0
200
400
600
800
1000
1200
1400
XMLJSON
84%
smaller
© 2014 Axiomatics AB 20
3. “It makes the system more complex”
© 2014 Axiomatics AB 21
Response #3 So you prefer to pollute your application code
with security stuff?
There are trade-offs to consider when outsourcingfunctions to an external service
For the developer, the interface is very simple Send a package of attributes to AuthZ service
Process the Permit/Deny response
REST
© 2014 Axiomatics AB 22
4. “I can do it faster myself”
© 2014 Axiomatics AB 23
Response #4 IT lead time to set up authorization service can be time consuming
If you heavy weight processes for setting up new hardware, VM images, etc.
One time pain generates many returns for future projects But few want to be the first mover
Option: bundle the authorization service with your application Less reliance on IT services
All the necessary components are packaged with the application
© 2014 Axiomatics AB 24
5. “I don’t care about enterprise issues”
,
© 2014 Axiomatics AB 25
Response #5 What are the results of this bad attitude?
IT has to provision accounts and identity data to every application built this way (which launched the comma into IAM legend status)
Legions of application managers now hate you because they have to manually review stacks of permissions and roles from your app and everyone else that built apps the same way
Congratulations, we now have 500 applications and 50,000 roles
© 2014 Axiomatics AB 26
6. “My code is more flexible”
© 2014 Axiomatics AB 27
Response #6 You may be right, for a particular use case
But How long did it take to code?
Is it adaptable to the next scenario?
How much effort is required to maintain your code?
© 2014 Axiomatics AB 28
7. “I don’t know where the attributes are”
© 2014 Axiomatics AB 29
Response #7 No need to concern yourself
Just send the attributes available in the user session Subject identifier
Resource identifier
Action
Role or group info
Device type
Authentication type
Etc.
The authorization service handles the rest, looking up additional attributes if necessary
© 2014 Axiomatics AB 30
8. “What if the external service fails?”
© 2014 Axiomatics AB 31
Response #8 Practice good hygiene
Eliminate single points of failure
Understand failure modes and document processes for recovery
Implement change control processes, which permits roll back to known state
But these are tasks for the IT department, and it’s their specialty
© 2014 Axiomatics AB 32
9. “Who will manage the policies, me?”
© 2014 Axiomatics AB 33
Response #9 If you insist, yes
Policies are easily created using ALFA shorthand syntax Similar to C# or Java
Plug in for Eclipse
Submitted to OASIS for standardization
Or you can rely on business owner, security office or system administrators to create and manage access policies It’s another item off your plate
© 2014 Axiomatics AB 34
10. “Isn’t ABAC just a new fad?”
Like, say, sock shots at conferences…
© 2014 Axiomatics AB 35
Response #10: The ABAC trend
2005XACML version 2.0:Concept production-readyfor enterprise needs.
2009US Federal CIO Council –(FICAM) Roadmap and Implementation Plan v1.0advocates ABAC
2006Axiomatics founded.First project: a nation-wide eHealth service.
2011FICAM v2.0:ABAC recommended access control model for promoting informationsharing between diverse and disparate organizations.
2013XACML version 3.0
2014NIST Guideon ABAC
2014Gartner predicts:”By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protectcritical assets,up from 5% today.”
ABAC = Attribute Based Access Control
© 2014 Axiomatics AB 36
Wrapping up
© 2014 Axiomatics AB 37
Summary Touched on some issues of why developers resist ABAC
There are others….
Hopefully you’ve learned some ways to deal with objections
IRM Summit 2014
Questions?Thank you for listening