Finn Frisch Access Management for the Cloud

• Focus area

– Externalized authorization

– Standardization of externalized authorization (XACML)

• Swedish Institute of Computer Science (SICS) spin-off

– R&D since 2000

– Company Axiomatics founded in 2006

• OASIS XACML Technical Committee membership

– Member since 2005

– Editorial responsibilities

• Products enable externalized authorization

 About Axiomatics

2

 Identity and Access Management (IAM) Landscapes

3

What about the cloud?

• AAA (or AAAA):

– Administration of users

– Authentication

– Authorization

– Accounting (auditing)

• “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”

 Core Identity and Access Management (IAM)

4

 Technology Change Impacting Data Custody

5

1990 2000 2010

Mainframes, PC revolution, Outsourcing, Cloud

Client-/Server

Multi-tiered apps

Web apps

Service-Oriented Architectures (SOA)

Mainframe systems

Component-based

Monolithic

 From Technology-Driven to Business-Driven IAM

6

1990 2000 2010

AAA centralized on mainframe

AAA per application

LDAP for Admin and AuthN

IdM centralizes admin governance

Enterprise role management

Mainframes, PC revolution, Outsourcing, Cloud

Business-oriented

Technology-driven

IAM Service-oriented

IAM implementing business rules

• AAA (or AAAA):

– Administration of users: centralized management

– Authentication: centralized management

– Authorization: embedded in applications, no transparency

– Accounting (auditing): managed through complex reporting

• Authorization hard-coded into the code of individual applications

• Business rules must be translated into countless application-specific configurations

• Verification of compliance requires elaborate data mining

• Effectiveness and efficiency of internal controls?

 Current state of AAA

7

Authorization Authentication

 Note!

8

  Authorization Concepts

Resource-Centric vs. User-Centric

The Inherent Flaws of Role Based Access Control (RBAC)

9

• Access control lists (ACL)

– Discretionary access control (DAC): resource owner can set permissions

– Mandatory access control (MAC): security policy overrules ACLs

  Resource-Centric Access Control Concepts

10

• Categorize based on similar needs

– Groups

– Roles

  User-Centric Access Control Concepts 

11

  Two Dimensions: Users + Resources

12

Users Information assets

Doc 1 Doc 2 Doc 3 Doc 4

Alice X X

Bob X X

Dave X X

Sue X X

Joe X X

Eve X X

Oscar X X X X

  Role Modeling on Two Dimensions

13

Users Information assets

Doc 1 Doc 2 Doc 3 Doc 4

Alice X X

Bob X X

Dave X X

Sue X X

Joe X X

Eve X X

Oscar X X X X

Finding commonalities

  Three Dimensions: Users + Resources + Actions

14

Users Information assets

Doc 1 Doc 2 Doc 3 Doc 4

Alice RW R

Bob RWD R

Dave Approve RWD

Sue AC+RWD R

Joe RW Approve

Eve AC AC

Oscar ALL ALL ALL ALL

Finding commonalities

  Four Dimensions: Users + Resources + Actions + Context

15

Users Information assets

Doc 1 Doc 2 Doc 3 Doc 4

Alice RW R

Bob RWD (1) R (1)

Dave Approve (2) RWD

Sue AC (3) + RWD R

(1) During normal working hours

(2) Only in user’s own department

(3) Requires strong authentication

Finding commonalities?

  Segregation of Duties (SoD) – A Problem Caused by RBAC?

16

A never-ending Sudoku…

 Role Management

17

[Diagram: Role 1 and Role 2, each a bundle of permissions (P); a permission that ends up in both roles is marked as an SoD violation]

Assigning static permissions – directly or via roles, with discretionary or mandatory ACL models – is not sustainable!

18

Conclusion
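The following is an added example, not code from the slides or from Axiomatics, that mines candidate roles from user/resource matrices of the shape built up on slides 12 to 15 and then runs a segregation-of-duties check over the result. The transcript does not preserve which column each mark sits in, so the assignments are constructed to mirror the tables' shape (two documents per user, Oscar holds everything) rather than copied cell by cell; the action names and the create/approve conflict pair used for the SoD check are assumptions.

```python
# Role mining over user x resource (x action) (x context) matrices of the kind
# the slides build up one dimension at a time. Added example, not from the deck:
# the assignments are constructed to mirror the tables' shape, not transcribed.
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

DOCS = ("Doc 1", "Doc 2", "Doc 3", "Doc 4")
ACTIONS = ("read", "write", "delete", "create", "approve")   # assumed action vocabulary

# Two dimensions: user -> documents the user may touch (any action).
TWO_DIM: Dict[str, Set[str]] = {
    "Alice": {"Doc 1", "Doc 2"},
    "Bob":   {"Doc 1", "Doc 2"},
    "Dave":  {"Doc 2", "Doc 3"},
    "Sue":   {"Doc 2", "Doc 3"},
    "Joe":   {"Doc 3", "Doc 4"},
    "Eve":   {"Doc 3", "Doc 4"},
    "Oscar": set(DOCS),
}

# Three dimensions: user -> (document, action) pairs.
THREE_DIM: Dict[str, Set[Tuple[str, str]]] = {
    "Alice": {("Doc 1", "read"), ("Doc 1", "write"), ("Doc 2", "read")},
    "Bob":   {("Doc 1", "read"), ("Doc 1", "write"), ("Doc 1", "delete"), ("Doc 2", "read")},
    "Dave":  {("Doc 2", "approve"), ("Doc 3", "read"), ("Doc 3", "write"), ("Doc 3", "delete")},
    "Sue":   {("Doc 2", "create"), ("Doc 2", "approve"), ("Doc 2", "read"),
              ("Doc 2", "write"), ("Doc 2", "delete"), ("Doc 3", "read")},
    "Joe":   {("Doc 3", "read"), ("Doc 3", "write"), ("Doc 4", "approve")},
    "Eve":   {("Doc 3", "create"), ("Doc 4", "create")},
    "Oscar": {(d, a) for d in DOCS for a in ACTIONS},
}

# Fourth dimension: the context under which a permission holds (the slide's footnotes).
CONDITIONS = {
    ("Bob", "Doc 1", "write"): "during normal working hours",
    ("Bob", "Doc 1", "delete"): "during normal working hours",
    ("Dave", "Doc 2", "approve"): "only in user's own department",
    ("Sue", "Doc 2", "create"): "requires strong authentication",
    ("Sue", "Doc 2", "approve"): "requires strong authentication",
}


def with_context(three_dim, conditions) -> Dict[str, Set[Tuple[str, str, str]]]:
    """Tag every (document, action) with its condition, 'always' when unconditional."""
    return {user: {(d, a, conditions.get((user, d, a), "always")) for d, a in perms}
            for user, perms in three_dim.items()}


FOUR_DIM = with_context(THREE_DIM, CONDITIONS)


def mine_roles(assignments: Dict[str, Set]) -> Dict[FrozenSet, List[str]]:
    """Finding commonalities: users with identical permission sets share one candidate role."""
    roles: Dict[FrozenSet, List[str]] = defaultdict(list)
    for user, perms in assignments.items():
        roles[frozenset(perms)].append(user)
    return dict(roles)


def sod_violations(assignments, conflicting=("create", "approve")) -> List[Tuple[str, str]]:
    """Users holding both conflicting actions on the same document.
    Permissions are (document, action[, context]) tuples, so this works on the 3-D and 4-D shapes."""
    found = []
    for user, perms in assignments.items():
        actions_by_doc = defaultdict(set)
        for perm in perms:
            actions_by_doc[perm[0]].add(perm[1])
        for doc, actions in actions_by_doc.items():
            if set(conflicting) <= actions:
                found.append((user, doc))
    return sorted(found)


def role_explosion() -> Dict[str, int]:
    """How many distinct roles each matrix needs for the same seven users."""
    return {"2-D": len(mine_roles(TWO_DIM)),
            "3-D": len(mine_roles(THREE_DIM)),
            "4-D": len(mine_roles(FOUR_DIM))}


if __name__ == "__main__":
    print(role_explosion())           # {'2-D': 4, '3-D': 7, '4-D': 7}
    print(sod_violations(THREE_DIM))  # Sue and Oscar both create and approve on a document
```

With only users and documents, seven users collapse into four roles; once actions and then context are added, every user needs a role of their own, which is the "never-ending Sudoku" the slides describe. The SoD check also shows why static assignment is hard to keep clean: the conflict is only visible after the whole matrix has been mined.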

  Beyond Roles – Attribute Based Access Control (ABAC)

The XACML Standard

19

 The Black Box Challenge

20

[Diagram: the User tells the Application "I want…"; the Application answers "Okay, here you go …" and hands over the Information asset, based on authorization logic hard-coded inside it: if (user=bob) then...]

 Externalizing AuthZ to Overcome the Black Box Challenge

21

Centrally managed policy: ”Managers may … provided ….”

[Diagram: the User tells the application "I want…"; the application sends an AuthZ query to the AuthZ service and gets back PERMIT or DENY; the Information asset is released only on PERMIT]

  The eXtensible Access Control Markup Language (XACML)

22

Standardizing:

1. A reference architecture

2. A query/response protocol

3. A policy language

  Attribute Based Access Control (ABAC)

23

Subject: A user …

Action: … wants to do something …

Resource: … with an information asset …

Environment: … in a given context

Examples (claims administration in an insurance company):

A claims administrator … wants to register … a new claim on behalf of client A … via a secure channel and after authentication with smart card

An adjuster … wants to approve payments of … a claim payment … from his office computer during regular business hours

A manager wants to … assign a claim … to himself as claim adjuster … at 2 o’clock at night from a hotel lounge in Bogota on the day a payment is due…

  Federation and Attribute Based Access Control (ABAC) for the Cloud: The IAM (R)evolution

24

  SAML and XACML

25

[Diagram: the User tells the Service Provider "I want…"; 1. AuthN: the AuthN service (Identity Provider) authenticates the user and issues a SAML token; 2. AuthZ: the AuthZ service (Policy Decision Point) answers PERMIT/DENY]

Federation only: service provider redirects to IdP; IdP for AuthN and AuthZ; access control = login permitted yes/no

Federation and token: service provider redirects to IdP; IdP issues token with user attributes; application uses attributes in token to filter user data; access control = coarse-grained

Federation and ABAC: service provider redirects to IdP; IdP issues token with user attributes; service provider queries Policy Decision Point about AuthZ; access control = fine-grained

 Cloud scenarios*

26

* Scenario examples based on Gartner analyst Ian Glazer’s presentation at Catalyst 2012

  Login via Federation 

27

[Diagram: 1. User to Service Provider: "I want…"; 2. Service Provider redirects to IdP: "AuthN?"; IdP authenticates the user against LDAP on the corporate network; 3. IdP returns an AuthN token; 4. User to Service Provider, with token: "I want…"]

  Federation – User Attributes used by Service Provider

28

[Diagram: 1. User to Service Provider: "I want…"; 2. Service Provider redirects to IdP: "AuthN?"; IdP authenticates the user against LDAP on the corporate network; 3. IdP returns an AuthN token with attributes defining the user’s sales territories; 4. User to Service Provider: "I want to see my sales territories…"]

  Federation + ABAC – The IAM (R)evolution

29

[Diagram: 1. User to Service Provider: "I want…"; 2. Service Provider redirects to IdP: "AuthN?"; IdP authenticates the user against LDAP on the corporate network; 3. IdP returns an AuthN token; 4. User to Service Provider: "I want …"; 5. the Service Provider's PEP asks the PDP: "AuthZ?"; 6. PDP answers Permit / Deny]

• Governance: Authorization subject to policy-based decisions controlled and updated based on business requirements. No rules in application code.

• Fine-grained: Authorization becomes context-aware and precise. Examples:

– “Permit LOB managers to approve purchase orders requested by their subordinates provided the total amount of POs approved so far does not exceed budget limits.”

– “Deny approval of PO if vendor is not on white list.”

– “Deny users to approve POs they created themselves.”

– “Deny approval of POs on the last Friday of every month when budget balance is recalculated.”

• Flexibility through decoupling: Componentized architecture allows many different deployment strategies

  Benefits

30
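As an added example, not the XACML reference architecture's own code nor any Axiomatics product, the block below is a minimal attribute-based PDP in Python that takes the four XACML attribute categories from slide 23 (subject, action, resource, environment) and returns Permit, Deny or NotApplicable under deny-overrides combining. The purchase-order rules encode the four fine-grained examples on the slide above; the claims rule encodes the adjuster example from slide 23. Rules are written as Python predicates rather than XACML XML, and the attribute names, budget figures, working-hours window and request data are all constructed.

```python
# Minimal attribute-based PDP: attributes in, Permit / Deny / NotApplicable out.
# Added example, not from the deck or any product. Every attribute value here is
# constructed; the rule ids are made up for readability.
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Callable, Dict, List


@dataclass
class Request:
    subject: Dict
    action: str
    resource: Dict
    environment: Dict


@dataclass
class Rule:
    rule_id: str
    effect: str                          # "Permit" or "Deny"
    applies: Callable[[Request], bool]   # target and condition folded into one predicate


def is_last_friday(d: date) -> bool:
    """True when d is a Friday and the following Friday falls in the next month."""
    return d.weekday() == 4 and (d + timedelta(days=7)).month != d.month


def business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and 8 <= ts.hour < 18   # assumed office window


POLICY: List[Rule] = [
    # "Permit LOB managers to approve POs requested by their subordinates provided
    #  the total amount approved so far does not exceed budget limits."
    Rule("permit-lob-manager-approve-po", "Permit", lambda r:
         r.action == "approve" and r.resource["type"] == "PO"
         and r.subject["role"] == "LOB manager"
         and r.resource["requester"] in r.subject["subordinates"]
         and r.subject["approved_so_far"] + r.resource["amount"] <= r.subject["budget_limit"]),
    # "Deny approval of PO if vendor is not on white list."
    Rule("deny-vendor-not-whitelisted", "Deny", lambda r:
         r.action == "approve" and r.resource["type"] == "PO"
         and r.resource["vendor"] not in r.environment["vendor_whitelist"]),
    # "Deny users to approve POs they created themselves."
    Rule("deny-self-approval", "Deny", lambda r:
         r.action == "approve" and r.resource["type"] == "PO"
         and r.resource["creator"] == r.subject["id"]),
    # "Deny approval of POs on the last Friday of every month."
    Rule("deny-approval-on-budget-recalc-day", "Deny", lambda r:
         r.action == "approve" and r.resource["type"] == "PO"
         and is_last_friday(r.environment["now"].date())),
    # Adjuster approves a claim payment from the office during business hours.
    Rule("permit-adjuster-approve-claim-payment", "Permit", lambda r:
         r.action == "approve" and r.resource["type"] == "claim payment"
         and r.subject["role"] == "adjuster"
         and r.environment["location"] == "office"
         and business_hours(r.environment["now"])),
]


def evaluate(policy: List[Rule], req: Request) -> Dict:
    """Deny-overrides: any applicable Deny wins; otherwise Permit if any Permit applies.
    Also returns the ids of the rules that fired, which the audit trail needs."""
    fired = [rule for rule in policy if rule.applies(req)]
    if any(rule.effect == "Deny" for rule in fired):
        decision = "Deny"
    elif fired:
        decision = "Permit"
    else:
        decision = "NotApplicable"
    return {"decision": decision, "rules": [rule.rule_id for rule in fired]}


def enforce(policy: List[Rule], req: Request) -> bool:
    """Deny-biased PEP: only an explicit Permit lets the action through."""
    return evaluate(policy, req)["decision"] == "Permit"


MANAGER = {"id": "carol", "role": "LOB manager", "subordinates": {"dan", "erin"},
           "approved_so_far": 40_000, "budget_limit": 50_000}
ENV_OK = {"now": datetime(2012, 9, 27, 10, 30), "location": "office",
          "vendor_whitelist": {"ACME", "Globex"}}


def sample_decisions() -> Dict[str, str]:
    """Constructed requests, one per rule on the slide, and what the PDP says to each."""
    base_res = {"type": "PO", "amount": 5_000, "requester": "dan", "creator": "dan", "vendor": "ACME"}

    def req(res=None, env=None):
        return Request(MANAGER, "approve", {**base_res, **(res or {})}, {**ENV_OK, **(env or {})})

    adjuster = {"id": "frank", "role": "adjuster"}
    claim = {"type": "claim payment", "amount": 1_200}
    scenarios = {
        "manager approves subordinate's PO within budget": req(),
        "PO would exceed budget": req(res={"amount": 20_000}),
        "vendor not on white list": req(res={"vendor": "Shady Ltd"}),
        "manager approves own PO": req(res={"creator": "carol", "requester": "carol"}),
        "approval on last Friday of month": req(env={"now": datetime(2012, 9, 28, 10, 30)}),
        "adjuster approves claim payment from office": Request(adjuster, "approve", claim, ENV_OK),
        "adjuster approves at 2 a.m. from hotel lounge": Request(
            adjuster, "approve", claim, {**ENV_OK, "now": datetime(2012, 9, 27, 2, 0), "location": "hotel lounge"}),
    }
    return {name: evaluate(POLICY, r)["decision"] for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{decision:14} {name}")
```

Two things worth noticing: the over-budget and the 2 a.m. requests come back NotApplicable rather than Deny, because no rule matches them, so the PEP must treat anything other than Permit as a refusal; and none of the rules name a user, which is the point of keeping business rules out of application code.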

• A top-down approach to governance. Corporate access rules are maintained at a central point but enforced locally within each single information system.

• Risk intelligence. Key risk indicators can be used as parameters to control access as context-aware policies are enforced at run-time.

• Cost reductions. No need to maintain authorization schemes in each single application. Savings throughout entire application life-cycle.

• Enabling new business. Reduced time-to-market for new services. Faster adaptation to new risks and conditions. Enabling collaboration across previously isolated domains.

  Value Proposition

31

  A New IAM Landscape

32

In the cloud or on the ground

• How do we know that activated policies properly reflect corresponding business rules?

• Are privilege-giving attributes maintained in an acceptable manner?

• Access is dynamically granted based on

– a) Policies and

– b) the state of attributes at the time of request

How can we maintain an audit trail of both policies and attributes?

  New Audit Challenges

33
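One way to keep the audit trail the slide asks for, as an added example that is not from the deck or any product: every decision record carries a digest of the policy version that was in force and a snapshot of the attribute values the PDP saw, and the records are hash-chained so that neither half can be altered afterwards without detection. The policy texts, attribute values, decisions and timestamps below are constructed.

```python
# Hash-chained decision log that records both the policy version and the
# attribute snapshot behind each authorization decision. Added example, not
# from the slides or any product; all policy texts and records are constructed.
import hashlib
import json
from typing import Dict, List, Tuple

POLICY_V1 = "permit approve on PO if subject.role == 'LOB manager' and requester in subject.subordinates"
POLICY_V2 = POLICY_V1 + " and resource.vendor in environment.vendor_whitelist"


def digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def canonical(obj) -> str:
    """Stable serialization so the same attributes always hash the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def record_decision(log: List[Dict], policy_text: str, attributes: Dict, decision: str, ts: str) -> Dict:
    """Append one decision record linked to the previous record's hash."""
    entry = {
        "ts": ts,
        "policy_digest": digest(policy_text),   # which policy version decided
        "attributes": attributes,               # subject/action/resource/environment as seen
        "decision": decision,
        "prev_hash": log[-1]["record_hash"] if log else "0" * 64,
    }
    entry["record_hash"] = digest(canonical(entry))
    log.append(entry)
    return entry


def verify_log(log: List[Dict], policy_archive: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Check chain integrity and that every decision points at an archived policy version.
    The chain is checked against recomputed hashes, so editing any record breaks it."""
    problems: List[str] = []
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "record_hash"}
        recomputed = digest(canonical(body))
        if entry["prev_hash"] != prev:
            problems.append(f"record {i}: broken chain")
        if recomputed != entry["record_hash"]:
            problems.append(f"record {i}: contents altered")
        if entry["policy_digest"] not in policy_archive:
            problems.append(f"record {i}: unknown policy version")
        prev = recomputed
    return (not problems, problems)


def build_sample_log() -> Tuple[List[Dict], Dict[str, str]]:
    """Two decisions on the same request: v1 permits, v2 (after a whitelist change) denies."""
    archive = {digest(POLICY_V1): "v1", digest(POLICY_V2): "v2"}
    log: List[Dict] = []
    carol = {"subject": {"id": "carol", "role": "LOB manager", "subordinates": ["dan"]},
             "action": "approve",
             "resource": {"type": "PO", "requester": "dan", "vendor": "ACME"},
             "environment": {"vendor_whitelist": ["ACME"]}}
    record_decision(log, POLICY_V1, carol, "Permit", "2012-09-27T10:30:00Z")
    changed = json.loads(canonical(carol))          # deep copy of the attribute snapshot
    changed["environment"]["vendor_whitelist"] = []  # vendor dropped from the whitelist
    record_decision(log, POLICY_V2, changed, "Deny", "2012-10-02T09:05:00Z")
    return log, archive


def tampered_log_problems() -> List[str]:
    """Rewriting an attribute after the fact breaks that record's hash and the chain after it."""
    log, archive = build_sample_log()
    log[0]["attributes"]["subject"]["role"] = "clerk"
    return verify_log(log, archive)[1]


if __name__ == "__main__":
    log, archive = build_sample_log()
    for entry in log:
        print(entry["ts"], archive[entry["policy_digest"]], entry["decision"])
    print(verify_log(log, archive))   # (True, [])
    print(tampered_log_problems())    # ['record 0: contents altered', 'record 1: broken chain']
```

An auditor can answer both questions from the slide with this log: the policy digest says which rule set was active, and the attribute snapshot says what the subject, resource and environment looked like at the moment of the request, so a later change to either one cannot retroactively explain away a decision.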

  Questions?

[email protected]

34