Lean and Mean – Authorization for kick-ass APIs (Jonas Markström)


Lean & Mean - Authorization for kick-ass APIs

Jonas Markström, API Security Ninja

© Axiomatics 2016 2

Feeling lonely?


Not one but many monoliths


Time to rethink the plumbing…


Feeling pretty happy?


A single entry into the kingdom


Open up to business


Before & After

⁃ From the monolith to...
⁃ The decoupled approach

Before (diagram): Acme Enterprise, behind the Firewall: Web Container, Processes, Data.

After (diagram): Acme Enterprise, behind the Firewall: API Gateway in front of the APIs, which front the Web Container, Processes and Data; a Third Party API is reached through the same gateway.


Is your access control broken?


Who gets to decide?


Who gets to decide?

User → API → Data (diagram)

User: "I, Alice, want to view bank accounts"

API: "Can Alice view account #123?" (the API has to answer this itself before it touches the Data)


The Guardian Angel


Authorization as Infrastructure

User → API Gateway → API → SQL Proxy → Data (diagram)

User: "I, Alice, want to view bank accounts"

API Gateway → ABAC Authorization Service: "Can Alice view account #123?"

SQL Proxy → ABAC Authorization Service: "Which data can be retrieved?"
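The two questions in the diagram are different shapes: the gateway needs a yes/no answer about one resource, the SQL proxy needs the set of rows the policy allows and must turn that into a query filter. Below is an added example (not code from the deck or from Axiomatics) showing one policy, "Managers can view accounts in their region", serving both enforcement points. The user and account attributes, the second "customers see their own accounts" rule, the table layout and the Python policy representation are all assumptions made for the example; a real deployment fetches attributes from a directory or application database and writes policies in a policy language.

```python
"""Added example: one policy, two enforcement points (gateway decision and
SQL-proxy row filter).  All names and attributes are constructed."""
import sqlite3
from dataclasses import dataclass
from typing import Callable

# Constructed attribute sources standing in for the directory / account system.
USERS = {
    "alice": {"role": "manager", "region": "EMEA"},
    "bob": {"role": "customer", "region": "APAC"},
}
ACCOUNTS = [  # (id, owner, region)
    ("123", "carol", "EMEA"),
    ("456", "bob", "APAC"),
    ("789", "dave", "APAC"),
]
COLUMNS = ("id", "owner", "region")


@dataclass(frozen=True)
class Policy:
    """Permit rule: a subject satisfying `subject_cond` may perform `action`
    on resources whose `resource_attr` equals the subject's `subject_attr`.
    Splitting the rule this way lets the same policy be evaluated against one
    resource (gateway) or rewritten into a row filter (SQL proxy)."""
    action: str
    subject_cond: Callable[[dict], bool]
    resource_attr: str   # column / resource attribute, fixed by the policy author
    subject_attr: str    # subject attribute resolved at request time


POLICIES = [
    # "Managers can view accounts in their region"
    Policy("view", lambda s: s["role"] == "manager", "region", "region"),
    # Assumed second rule so the filter has something to OR together:
    # customers can view the accounts they own.
    Policy("view", lambda s: s["role"] == "customer", "owner", "id"),
]


def _subject(subject_id: str) -> dict:
    return dict(USERS[subject_id], id=subject_id)


def decide(policies, subject_id: str, action: str, account_id: str) -> str:
    """Gateway question: may this subject do this action on this one resource?"""
    s = _subject(subject_id)
    r = next(dict(zip(COLUMNS, row)) for row in ACCOUNTS if row[0] == account_id)
    for p in policies:
        if p.action == action and p.subject_cond(s) and r[p.resource_attr] == s[p.subject_attr]:
            return "Permit"
    return "Deny"  # default deny: no permit rule applied


def row_filter(policies, subject_id: str, action: str):
    """SQL-proxy question: which rows may this subject see for this action?

    Partial evaluation: subject attributes are resolved now; the comparison
    against resource attributes is left to the database as a parameterised
    WHERE clause.  Column names come from the policy, values are bound
    parameters, so request data never reaches the SQL text."""
    s = _subject(subject_id)
    clauses, params = [], []
    for p in policies:
        if p.action == action and p.subject_cond(s):
            clauses.append(f"{p.resource_attr} = ?")
            params.append(s[p.subject_attr])
    if not clauses:
        return "1 = 0", []  # nothing applicable: the query must return no rows
    return " OR ".join(clauses), params


def visible_accounts(policies, subject_id: str, action: str) -> list:
    """Run the filtered query against an in-memory copy of the account table."""
    where, params = row_filter(policies, subject_id, action)
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts(id TEXT PRIMARY KEY, owner TEXT, region TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    rows = con.execute(f"SELECT id FROM accounts WHERE {where} ORDER BY id", params)
    return [row[0] for row in rows.fetchall()]


if __name__ == "__main__":
    print(decide(POLICIES, "alice", "view", "123"))    # Permit
    print(row_filter(POLICIES, "alice", "view"))       # ('region = ?', ['EMEA'])
    print(visible_accounts(POLICIES, "bob", "view"))   # ['456']
```

The property worth checking in any such design is that the two questions agree: the rows the proxy returns for a subject are exactly the accounts for which the gateway would return Permit. If they drift apart (a policy change reaches one enforcement point but not the other), either the gateway lets a request through that the database then empties, or the database hands back rows the gateway would have blocked.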


Did you say ABAC?

⁃ Externalized
⁃ Centralized
⁃ Policy-driven
⁃ Attribute-based
⁃ Standardized


Attributes are labels that describe anyone and anything


Attributes are Multi-Dimensional

Who What Where When Why How


Policies bring attributes together to make it all work


“Managers can view accounts in their region”

“Customers can create transfers up to $1,000”

“A user cannot approve a transfer they requested”

“Tellers can view transactions in their own region”


Policies that apply to a specific API or service

Policies that apply across the enterprise / API sets

Policies can be local or global


Use ABAC to implement... Time-based policies

“Deny access to the API outside office hours”


Use ABAC to implement... Location-based policies

“Dutch employees cannot view Singapore client data”


Use ABAC to implement... Dynamic access control

“Managers can view accounts that are in the same branch.”


Use ABAC to implement... Dynamic Segregation of Duty

“Employees cannot approve transactions they initiate.”
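The policy sentences on the preceding slides (the four bank policies, the time-based, location-based and segregation-of-duty examples, and the local-versus-global split) all reduce to the same mechanism: a rule is a condition over subject, action, resource and environment attributes, with a Permit or Deny effect, and a combining algorithm settles what happens when several rules match. The following is an added example, not Axiomatics' product or policy language, that writes those slides out as rules and evaluates them with deny-overrides. Attribute and role names, the 09:00 to 17:00 office-hours window, the API names used for local scoping and the extra "approvers may approve transfers" baseline rule are assumptions made so that each policy has something to act on.

```python
"""Added example: the slide policies as attribute-based rules under a
deny-overrides policy decision point.  Names and values are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

Cond = Callable[[dict, str, dict, dict], bool]  # (subject, action, resource, env)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str   # "Permit" or "Deny"
    scope: str    # "global", or the API the rule is local to
    cond: Cond


RULES = [
    # "Managers can view accounts in their region" (local to the accounts API)
    Rule("managers-view-region", "Permit", "accounts",
         lambda s, a, r, e: a == "view" and s.get("role") == "manager"
         and r.get("region") == s.get("region")),
    # "Customers can create transfers up to $1,000"
    Rule("customers-create-small-transfers", "Permit", "transfers",
         lambda s, a, r, e: a == "create" and s.get("role") == "customer"
         and "amount" in r and r["amount"] <= 1000),
    # Assumed baseline so the SoD rule has something to override:
    # approvers may approve transfers...
    Rule("approvers-approve-transfers", "Permit", "transfers",
         lambda s, a, r, e: a == "approve" and s.get("role") == "approver"),
    # ...but "A user cannot approve a transfer they requested" (dynamic SoD)
    Rule("sod-no-self-approval", "Deny", "transfers",
         lambda s, a, r, e: a == "approve" and r.get("requested_by") == s.get("id")),
    # "Tellers can view transactions in their own region"
    Rule("tellers-view-region-transactions", "Permit", "transactions",
         lambda s, a, r, e: a == "view" and s.get("role") == "teller"
         and r.get("region") == s.get("region")),
    # "Deny access to the API outside office hours" (global, time-based;
    # the 09:00-17:00 window is an assumption)
    Rule("office-hours-only", "Deny", "global",
         lambda s, a, r, e: not (9 <= e["time"].hour < 17)),
    # "Dutch employees cannot view Singapore client data" (location-based)
    Rule("dutch-no-singapore-client-data", "Deny", "clients",
         lambda s, a, r, e: a == "view" and s.get("country") == "NL"
         and r.get("country") == "SG"),
]


def decide(rules, subject: dict, action: str, resource: dict, env: dict):
    """Deny-overrides combining: any matching Deny wins, otherwise any matching
    Permit, otherwise NotApplicable (which the enforcement point must treat as
    a deny).  Global rules always apply; local rules only for their own API.
    Returns the decision and the names of the rules that matched, for audit."""
    api = resource.get("api")
    matched = [x for x in rules
               if x.scope in ("global", api) and x.cond(subject, action, resource, env)]
    effects = {x.effect for x in matched}
    if "Deny" in effects:
        decision = "Deny"
    elif "Permit" in effects:
        decision = "Permit"
    else:
        decision = "NotApplicable"
    return decision, [x.name for x in matched]


# Constructed subjects and environments for the sample requests.
ALICE = {"id": "alice", "role": "manager", "region": "EMEA", "country": "NL"}
BOB = {"id": "bob", "role": "customer", "region": "APAC", "country": "SG"}
CAROL = {"id": "carol", "role": "approver", "region": "EMEA", "country": "SE"}
TOM = {"id": "tom", "role": "teller", "region": "APAC", "country": "SG"}
OFFICE_HOURS = {"time": datetime(2016, 5, 10, 14, 0)}
AFTER_HOURS = {"time": datetime(2016, 5, 10, 22, 0)}


if __name__ == "__main__":
    print(decide(RULES, ALICE, "view", {"api": "accounts", "region": "EMEA"}, OFFICE_HOURS))
    print(decide(RULES, CAROL, "approve", {"api": "transfers", "requested_by": "carol"}, OFFICE_HOURS))
    print(decide(RULES, ALICE, "view", {"api": "accounts", "region": "EMEA"}, AFTER_HOURS))
```

Two details matter in practice. The decision carries the list of matched rules so that a Deny caused by the after-hours rule is distinguishable in the logs from one caused by segregation of duty. And NotApplicable is reported separately from Deny: the enforcement point must refuse in both cases, but "no policy covers this request" is usually a sign that a new API or attribute was rolled out without a policy, which is worth alerting on rather than silently folding into the deny count.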


Secure APIs start with ABAC...

Any API. Any Policy. Any Attribute.
