Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and standards

Date post: 19-Jun-2015
Upload: ggebel
Description:
Within the Identity and Access Management realm, business requirements for information sharing in a secure manner continue to drive developments in the authorization technology and standardization areas. In this talk, Gerry Gebel will share updates on the current status of XACML profiles that introduced REST and JSON support to the standard. The session will also cover the newest profile called ALFA, which introduces an abstraction layer on top of the XACML language.
Transcript
Page 1: Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and standards

The Very Latest in Authorization Standards and Trends

Twin Cities IAM Meetup – Spring 2014

Gerry Gebel, Axiomatics, [email protected], @ggebel

© 2014 Axiomatics AB 1

Page 2

Agenda

§ Business trends that are influencing authorization requirements
§ Externalized Authorization and ABAC
§ Standards update
§ JSON, REST, & ALFA


Page 4

Business Trends & AuthZ

Page 5

Business challenge: Collaboration

…depends on efficient information sharing…
…which depends on precision in access controls…

Page 6

Business challenge: Speed in business transactions

…depends on efficient delegation of powers…
…while losses due to fraud or excessive risk taking are minimized…

Page 7

Business challenge: Regulatory compliance

…depends on efficient IT governance…
…which in turn depends on correct and verifiable authorizations…

Page 8

The data protection problem: Protecting intellectual property

§ Different types of users need access to different types of data in different phases of Product Life Cycles
§ Organizations need to protect their own IP
§ They also act as the custodians of sensitive data from third parties

Page 9

The data protection problem: Protecting credit card numbers, financial data, accounts, etc.

Page 10

The data protection problem: Information storage – global increase

Chart (based on Hilbert and Lopez, 2011): global information storage by year, 1986–2007, on a vertical scale of 0–300. Two labels mark the digital share of stored information: ~0.7% digital and ~93% digital. Beneath the chart the access control models appear in sequence, DAC, MAC, RBAC, ABAC, captioned “Increasing access control challenges”.

Page 11

Data protection problem: Privacy regulations

Page 12

Externalized Authorization and ABAC

Page 13

What is Attribute Based Access Control (ABAC)?

§ A mode of externalized authorization
§ Authorization policies/rules are managed in a centralized service (deployment can be centralized/distributed/hybrid)
§ The Extensible Access Control Markup Language (XACML) is an example of an ABAC system
§ Policies utilize attributes to describe specific access rules, which is why it is called attribute based access control

Page 14

The ABAC trend

2005 – XACML version 2.0: concept production-ready for enterprise needs.
2006 – Axiomatics founded. First project: a nation-wide eHealth service.
2009 – US Federal CIO Council (FICAM) Roadmap and Implementation Plan v1.0 advocates ABAC.
2011 – FICAM v2.0: ABAC recommended access control model for promoting information sharing between diverse and disparate organizations.
2013 – XACML version 3.0.
2014 – NIST Guide on ABAC.
2014 – Gartner predicts: “By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today.”

ABAC = Attribute Based Access Control

Page 15

Example from NIST report*

§ “This flexibility [of ABAC] provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object”
§ Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients
§ Variables in the policy language enable very efficient policy structures – reducing the maintenance load
§ Management of heart patient records is part of the business application – not an IT function
§ Multiple attributes must be available for policy evaluation – either as part of the access request or retrieved from source

* nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

Page 16

NIST example - expanded

§ Nurse Practitioners can View the Records of Patients in the same Department they are assigned to
§ This rule can apply to all departments in the hospital
§ Add a new department or change names of department and the rule does not change
§ Rule compares department of the Nurse Practitioner to the department of the Patient
§ Avoids the role explosion effect of RBAC models

Page 17

Why are we seeing this shift to ABAC?

§ Today’s business environment is more global, dynamic and collaborative
§ Users demand access to any data, from any device, at any time
§ First generation access models cannot cope in a “need to share” world

Page 18

Business challenge: Legacy access controls fail in dynamic environments

Diagram contrasting legacy access control with attribute based access control.

Page 19

Attribute Based Access Control (ABAC): ABAC takes multiple factors into account

§ Not just user roles…
§ But also attributes in the language of the business defining what information assets users try to access, their actions, the context and so on
§ Policies define precise access rules

It’s not just about WHO, but also WHAT, WHERE, WHEN, WHY and HOW.

Page 20

Applying ABAC to every layer of your application

Diagram: ADAF

Page 21

REST, JSON, & ALFA: What’s new on the standards front?

Page 22

What’s in the XACML standard

XACML consists of:
§ Reference Architecture
§ Policy Language
§ Request / Response Protocol

Profiles add functionality:
§ REST
§ JSON
§ Export Control
§ IP Protection
§ Hierarchical Resources
§ Etc.

Page 23

The Request/Response format

XACML Request – “Can Manager Alice approve Purchase Order 12367?”
• Subject: User id = Alice; Role = Manager
• Action: Action id = approve
• Resource: Resource type = Purchase Order; PO # = 12367
• Environment: Device Type = Laptop

XACML Response – “Yes, she can”
• Result: Decision = Permit; Status = ok

The core XACML specification does not define any specific transport / communication protocol: developers can choose their own.

Page 24

XML encoding of an authZ request: Can Alice Say Hello?

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>

Page 25

JSON encoding of an authZ request

{"subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
 "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
 "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}}
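As an added example that is not part of the deck: the Python below builds the XACML 3.0 XML Request of the previous slide from the compact JSON form shown here (the draft layout on the slide, not the key names of the final JSON profile) and compares the size of the two encodings. The mapping of the short attribute ids (username, resource-id, action-id) to the standard XACML attribute URNs is an assumption made for illustration.

```python
# Added example (not from the deck): build the XACML 3.0 XML Request of the
# previous slide from the compact JSON form on this slide, then compare sizes.
# The short-name-to-URN attribute mapping is an assumption for illustration.
import json
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# JSON category key -> XACML 3.0 category URN
CATEGORY_URN = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
# Short attribute ids in the JSON form -> standard XACML attribute ids (assumed)
ATTRIBUTE_URN = {
    "username": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "resource-id": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "action-id": "urn:oasis:names:tc:xacml:1.0:action:action-id",
}

# The JSON request from the slide: can Alice say hello?
JSON_REQUEST = ('{"subject": {"attribute":[{ "attributeId":"username", "value":"alice"}]},'
                '"resource": {"attribute":[{ "attributeId":"resource-id", "value":"hello"}]},'
                '"action": {"attribute":[{ "attributeId":"action-id", "value":"say"}]}}')

def json_to_xacml_xml(json_text):
    """Translate the compact JSON request into an XACML 3.0 <Request> document."""
    req = json.loads(json_text)
    ET.register_namespace("xacml-ctx", XACML_NS)
    root = ET.Element(f"{{{XACML_NS}}}Request",
                      {"ReturnPolicyIdList": "true", "CombinedDecision": "false"})
    for category, body in req.items():
        attrs = ET.SubElement(root, f"{{{XACML_NS}}}Attributes",
                              {"Category": CATEGORY_URN[category]})
        for attr in body.get("attribute", []):
            attr_id = ATTRIBUTE_URN.get(attr["attributeId"], attr["attributeId"])
            el = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                               {"AttributeId": attr_id, "IncludeInResult": "true"})
            val = ET.SubElement(el, f"{{{XACML_NS}}}AttributeValue", {"DataType": XS_STRING})
            val.text = str(attr["value"])
    return ET.tostring(root, encoding="unicode")

def attribute_value(xml_text, attr_id):
    """Read one attribute value back out of the generated XML (checks the mapping)."""
    root = ET.fromstring(xml_text)
    for attr in root.iter(f"{{{XACML_NS}}}Attribute"):
        if attr.get("AttributeId") == attr_id:
            return attr.find(f"{{{XACML_NS}}}AttributeValue").text
    return None

def size_comparison(json_text):
    """(json_chars, xml_chars) for the same request, the point of the next slide's chart."""
    return len(json_text), len(json_to_xacml_xml(json_text))
```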

Page 26

JSON vs. XML: size of a XACML request

Chart: word count (XML vs. JSON, scale 0–50) and character count (XML vs. JSON, scale 0–1400) for the same XACML request.

Page 27

What’s new in the XACML standard: REST Profile

Diagram: XML over HTTP; JSON over HTTP.

Page 28

ALFA – Axiomatics Language for Authorization

§ Domain Specific Language (DSL) that provides an abstraction over XACML
§ Pseudo language is similar to C# or Java
§ Author policies in the Eclipse IDE; the plug-in automatically generates XACML
§ Axiomatics has committed to submit ALFA as an XACML profile

Page 29

A policy example, in English

/**
 * A manager can approve a transaction if their approval limit is greater than
 * the transaction amount and if the risk is less than 5
 */

Let’s take a look at this policy in XACML and ALFA

Page 30

A policy example, in XACML (1)

<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <xacml3:Description>Let a manager approve a transaction if their approval limit is greater than the transaction amount and if the risk is less than 5</xacml3:Description>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="userRole" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" />
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false" />

Page 31

A policy example, in XACML (2)

        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transaction</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="resourceType" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" />
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction.allowIfLowRiskScore">
    <xacml3:Description />
    <xacml3:Target />
    <xacml3:Condition>
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than"/>
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">5.0</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="transactionRiskScore" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" />

Page 32

A policy example, in XACML (3)

        </xacml3:Apply>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal"/>
          <xacml3:AttributeDesignator AttributeId="transactionAmount" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" />
          <xacml3:AttributeDesignator AttributeId="userApprovalLimit" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" />
        </xacml3:Apply>
      </xacml3:Apply>
    </xacml3:Condition>
  </xacml3:Rule>
</xacml3:Policy>

Page 33

A policy example, in ALFA

policy allowTransaction {
    target clause userRole == "manager" and actionId == "approve" and resType == "transaction"
    apply firstApplicable
    rule allowIfLowRiskScore {
        condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
        permit
    }
}
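An added example, not from the deck or from Axiomatics: a small Python evaluator with XACML bag semantics and first-applicable rule combining, running the allowTransaction policy above and the nurse-practitioner rule from the expanded NIST example on Page 16. Attribute names for the first policy follow the ALFA listing; the nurse-practitioner attribute names (userDepartment, patientDepartment) and all sample requests are constructed.

```python
# Added example (not from the deck): a minimal evaluator with XACML bag
# semantics and first-applicable rule combining, running the allowTransaction
# policy above and the Page 16 nurse-practitioner rule on constructed requests.
PERMIT, NOT_APPLICABLE = "Permit", "NotApplicable"

def bag(request, attr):
    """Attribute values as a bag; a missing attribute is an empty bag
    (MustBePresent="false"), not an error."""
    v = request.get(attr, [])
    return v if isinstance(v, list) else [v]

def any_of_any(fn, bag1, bag2):
    """XACML any-of-any: true if fn holds for some pair of values.
    Either bag empty => False, so a missing attribute can never satisfy it."""
    return any(fn(a, b) for a in bag1 for b in bag2)

def matches_target(target, request):
    """Target: every (attribute, literal) clause must match a value in the bag."""
    return all(any_of_any(lambda a, b: a == b, [want], bag(request, attr))
               for attr, want in target)

def evaluate(policy, request):
    """Check the policy target, then the rules under first-applicable combining."""
    if not matches_target(policy["target"], request):
        return NOT_APPLICABLE
    for effect, condition in policy["rules"]:
        if condition(request):
            return effect
    return NOT_APPLICABLE

# policy allowTransaction, as in the ALFA listing above
ALLOW_TRANSACTION = {
    "target": [("userRole", "manager"), ("actionId", "approve"), ("resType", "transaction")],
    "rules": [(PERMIT, lambda r:
        any_of_any(lambda limit, score: score < limit, [5.0], bag(r, "transactionRiskScore"))
        and any_of_any(lambda amt, lim: amt <= lim,
                       bag(r, "transactionAmount"), bag(r, "userApprovalLimit")))],
}

# NIST example expanded: nurse practitioners may view records of patients in their own department
VIEW_PATIENT_RECORD = {
    "target": [("userRole", "nurse-practitioner"), ("actionId", "view"), ("resType", "patient-record")],
    "rules": [(PERMIT, lambda r:
        any_of_any(lambda a, b: a == b, bag(r, "userDepartment"), bag(r, "patientDepartment")))],
}

# Constructed sample requests
APPROVE_OK = {"userRole": "manager", "actionId": "approve", "resType": "transaction",
              "transactionRiskScore": 2.0, "transactionAmount": 900.0, "userApprovalLimit": 1000.0}
TOO_RISKY = dict(APPROVE_OK, transactionRiskScore=7.0)
MISSING_LIMIT = {k: v for k, v in APPROVE_OK.items() if k != "userApprovalLimit"}
SAME_DEPT = {"userRole": "nurse-practitioner", "actionId": "view", "resType": "patient-record",
             "userDepartment": "cardiology", "patientDepartment": "cardiology"}
OTHER_DEPT = dict(SAME_DEPT, patientDepartment="oncology")
```

A request without userApprovalLimit yields NotApplicable rather than Permit, because any-of-any over an empty bag is false, and a PEP must treat NotApplicable as a denial. The condition keeps the listing's transactionAmount <= userApprovalLimit, which also permits an amount equal to the limit, whereas the English summary on Page 29 says "greater than".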

Page 34

Questions? Thank you for listening

Page 35

Upcoming events & webinars

Don’t miss out on these events!
§ June 3rd – June 5th (Phoenix, AZ): Identity Relationship Management Summit
§ July 19th – July 23rd (Monterey, CA): Cloud Identity Summit
§ December 2nd – December 4th (Las Vegas, NV): Gartner Identity & Access Management Summit North America

More at https://axiomatics.com/events

Page 36

References

Reading materials
§ Axiomatics White Paper: The Business Case for Attribute Based Access Control
§ Axiomatics White Paper: Getting Started with ABAC
§ NIST paper on ABAC: nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

Webinar recordings available
§ Get started now! Attribute Based Access Control (ABAC) for applications. April 10, 2014
§ Protect business critical data with dynamic authorization for databases. May 8, 2014