Posted: 19-Jun-2015 | Category: Technology | Uploaded by: ggebel
The Very Latest in Authorization Standards and Trends
Twin Cities IAM Meetup – Spring 2014
Gerry Gebel Axiomatics [email protected] @ggebel
© 2014 Axiomatics AB 1
Agenda
§ Business trends that are influencing authorization requirements
§ Externalized Authorization and ABAC
§ Standards update: JSON, REST, & ALFA

Business Trends & AuthZ
Business challenges
§ Collaboration depends on efficient information sharing, which depends on precision in access controls.
§ Speed in business transactions depends on efficient delegation of powers, while losses due to fraud or excessive risk taking are minimized.
§ Regulatory compliance depends on efficient IT governance, which in turn depends on correct and verifiable authorizations.

Protecting intellectual property
§ Different types of users need access to different types of data in different phases of Product Life Cycles
§ Organizations need to protect their own IP
§ They also act as the custodians of sensitive data from third parties
The data protection problem
§ Protecting credit card numbers, financial data, accounts, etc.
§ Information storage: global increase
[Chart: global information storage 1986–2007, based on Hilbert and Lopez, 2011; the digital share grew from ~0.7% to ~93%]
§ Increasing access control challenges across DAC, MAC, RBAC and ABAC
§ Privacy regulations
Externalized Authorization and ABAC
What is Attribute Based Access Control (ABAC)?
§ A mode of externalized authorization
§ Authorization policies/rules are managed in a centralized service (deployment can be centralized/distributed/hybrid)
§ The Extensible Access Control Markup Language (XACML) is an example of an ABAC system
§ Policies utilize attributes to describe specific access rules, which is why it is called attribute based access control
The ABAC trend (ABAC = Attribute Based Access Control)
§ 2005: XACML version 2.0. Concept production-ready for enterprise needs.
§ 2006: Axiomatics founded. First project: a nation-wide eHealth service.
§ 2009: US Federal CIO Council (FICAM) Roadmap and Implementation Plan v1.0 advocates ABAC.
§ 2011: FICAM v2.0. ABAC recommended access control model for promoting information sharing between diverse and disparate organizations.
§ 2013: XACML version 3.0.
§ 2014: NIST Guide on ABAC.
§ 2014: Gartner predicts: "By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today."
Example from NIST report*
§ "This flexibility [of ABAC] provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object"
§ Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients
§ Variables in the policy language enable very efficient policy structures, reducing the maintenance load
§ Management of heart patient records is part of the business application, not an IT function
§ Multiple attributes must be available for policy evaluation, either as part of the access request or retrieved from source

* nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

NIST example, expanded
§ Nurse Practitioners can View the Records of Patients in the same Department they are assigned to
§ This rule can apply to all departments in the hospital
§ Add a new department or change names of departments and the rule does not change
§ The rule compares the department of the Nurse Practitioner to the department of the Patient
§ Avoids the role explosion effect of RBAC models
Why are we seeing this shift to ABAC?
§ Today's business environment is more global, dynamic and collaborative
§ Users demand access to any data, from any device, at any time
§ First generation access models cannot cope in a "need to share" world

Legacy access controls fail in dynamic environments
[Diagram: legacy access control compared with attribute based access control]

ABAC takes multiple factors into account
§ Not just user roles…
§ But also attributes in the language of the business defining what information assets users try to access, their actions, the context and so on
§ Policies define precise access rules
Attribute Based Access Control (ABAC)
It's not just about WHO, but also WHAT, WHERE, WHEN, WHY and HOW
[Diagram: applying ABAC to every layer of your application (ADAF)]
REST, JSON, & ALFA: what's new on the standards front?

What's in the XACML standard
§ Reference Architecture
§ Policy Language
§ Request / Response Protocol
§ Profiles add functionality: REST, JSON, Export Control, IP Protection, Hierarchical Resources, etc.
The Request/Response format
XACML Request: Can Manager Alice approve Purchase Order 12367?
• Subject: User id = Alice, Role = Manager
• Action: Action id = approve
• Resource: Resource type = Purchase Order, PO # = 12367
• Environment: Device Type = Laptop
XACML Response: Yes, she can
• Result: Decision = Permit, Status = ok
The core XACML specification does not define any specific transport/communication protocol: developers can choose their own.
XML encoding of an authZ request: "Can Alice say hello?"

```xml
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
```
JSON encoding of the same authZ request

```json
{
  "subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
  "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
  "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}
}
```
JSON vs. XML: size of a XACML request
[Chart: word count and character count of the same XACML request in XML and in JSON encoding]

What's new in the XACML standard: REST Profile
[Diagram: XML over HTTP; JSON over HTTP]
ALFA – Axiomatics Language for Authorization
§ Domain Specific Language (DSL) that provides an abstraction over XACML
§ Pseudo language is similar to C# or Java
§ Author policies in the Eclipse IDE; the plug-in automatically generates XACML
§ Axiomatics has committed to submit ALFA as an XACML profile

A policy example, in English
/**
 * A manager can approve a transaction if their approval limit is greater than
 * the transaction amount and if the risk is less than 5
 */
Let's take a look at this policy in XACML and ALFA
A policy example, in XACML

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <xacml3:Description>Let a manager approve a transaction if their approval limit is greater than the transaction amount and if the risk is less than 5</xacml3:Description>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <!-- Target: the policy applies only to managers approving transactions -->
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="userRole" DataType="http://www.w3.org/2001/XMLSchema#string"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transaction</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="resourceType" DataType="http://www.w3.org/2001/XMLSchema#string"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction.allowIfLowRiskScore">
    <xacml3:Description/>
    <xacml3:Target/>
    <xacml3:Condition>
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <!-- transactionRiskScore < 5, expressed as any-of(double-greater-than, 5.0, bag) -->
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than"/>
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">5.0</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="transactionRiskScore" DataType="http://www.w3.org/2001/XMLSchema#double"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </xacml3:Apply>
        <!-- transactionAmount <= userApprovalLimit, expressed as any-of-any over the two attribute bags -->
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal"/>
          <xacml3:AttributeDesignator AttributeId="transactionAmount" DataType="http://www.w3.org/2001/XMLSchema#double"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
          <xacml3:AttributeDesignator AttributeId="userApprovalLimit" DataType="http://www.w3.org/2001/XMLSchema#double"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
        </xacml3:Apply>
      </xacml3:Apply>
    </xacml3:Condition>
  </xacml3:Rule>
</xacml3:Policy>
```
A policy example, in ALFA

```
policy allowTransaction {
    target clause userRole == "manager" and actionId == "approve" and resType == "transaction"
    apply firstApplicable
    rule allowIfLowRiskScore {
        condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
        permit
    }
}
```
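The ALFA policy above and the NIST department rule earlier in the deck, evaluated by a minimal policy decision point written for this page as an added example (not Axiomatics', the ALFA plug-in's or OASIS XACML code); requests use the slide's JSON encoding, and the attribute ids, function names and sample values are assumptions.

```python
from typing import Any, Dict

def attrs(request: Dict[str, Any], category: str) -> Dict[str, Any]:
    """Flatten one category of the slide's JSON request into {attributeId: value}."""
    return {a["attributeId"]: a["value"]
            for a in request.get(category, {}).get("attribute", [])}

def req(subject: Dict[str, Any], action: str, resource: Dict[str, Any]) -> Dict[str, Any]:
    """Build a request in the slide's JSON shape from constructed sample attributes."""
    def enc(d: Dict[str, Any]) -> Dict[str, Any]:
        return {"attribute": [{"attributeId": k, "value": v} for k, v in d.items()]}
    return {"subject": enc(subject), "action": enc({"action-id": action}), "resource": enc(resource)}

def allow_transaction(request: Dict[str, Any]) -> str:
    """policy allowTransaction: target on role/action/resource type, one Permit rule
    (allowIfLowRiskScore), first-applicable combining. Attribute ids are assumed."""
    s, a, r = attrs(request, "subject"), attrs(request, "action"), attrs(request, "resource")
    # A target miss, including a missing target attribute, makes the policy NotApplicable.
    if not (s.get("userRole") == "manager" and a.get("action-id") == "approve"
            and r.get("resourceType") == "transaction"):
        return "NotApplicable"
    try:
        ok = (float(r["transactionRiskScore"]) < 5
              and float(r["transactionAmount"]) <= float(s["userApprovalLimit"]))
    except (KeyError, ValueError):
        # Caveat: the deck's generated XACML uses any-of over bags with
        # MustBePresent="false", so an empty bag only makes the condition false.
        # Returning Indeterminate here lets the PEP log "missing data" separately
        # from "rule did not match"; either way the PEP must grant no access.
        return "Indeterminate"
    return "Permit" if ok else "NotApplicable"  # the only rule did not fire; no Deny rule

def nurse_views_record(request: Dict[str, Any]) -> str:
    """NIST example, expanded: a Nurse Practitioner may View a patient record from the
    same department. The rule compares two attributes instead of enumerating departments,
    so adding a department needs no new rule (no RBAC role explosion)."""
    s, a, r = attrs(request, "subject"), attrs(request, "action"), attrs(request, "resource")
    if not (s.get("role") == "nurse-practitioner" and a.get("action-id") == "view"
            and r.get("resourceType") == "patient-record"):
        return "NotApplicable"
    if "department" not in s or "patientDepartment" not in r:
        return "Indeterminate"
    # Permit on match, explicit Deny otherwise (deny-unless-permit within the target).
    return "Permit" if s["department"] == r["patientDepartment"] else "Deny"
```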
Questions? Thank you for listening

Upcoming events & webinars
Don't miss out on these events!
§ June 3rd – June 5th (Phoenix, AZ): Identity Relationship Management Summit
§ July 19th – July 23rd (Monterey, CA): Cloud Identity Summit
§ December 2nd – December 4th (Las Vegas, NV): Gartner Identity & Access Management Summit North America
More at https://axiomatics.com/events

References and reading materials
§ Axiomatics White Paper: The Business Case for Attribute Based Access Control
§ Axiomatics White Paper: Getting Started with ABAC
§ NIST paper on ABAC: nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

Webinar recordings available
§ Get started now! Attribute Based Access Control (ABAC) for applications. April 10, 2014
§ Protect business critical data with dynamic authorization for databases. May 8, 2014