• Focus area
– Externalized authorization
– Standardization of externalized authorization (XACML)
• Swedish Institute of Computer Science (SICS) spin-off
– R&D since 2000
– Company Axiomatics founded in 2006
• OASIS XACML Technical Committee membership
– Member since 2005
– Editorial responsibilities
• Products enable externalized authorization
About Axiomatics
• AAA (or AAAA):
– Administration of users
– Authentication
– Authorization
– Accounting (auditing)
• “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”
Core Identity and Access Management (IAM)
Technology Change Impacting Data Custody
Timeline figure (1990, 2000, 2010). Eras: Mainframes, PC revolution, Outsourcing, Cloud. Architectures: Mainframe systems, Client/Server, Multi-tiered apps, Web apps, Service-Oriented Architectures (SOA); from Monolithic to Component-based.
From Technology-Driven to Business-Driven IAM
Timeline figure (1990, 2000, 2010; eras: Mainframes, PC revolution, Outsourcing, Cloud). AAA evolution: AAA centralized on mainframe; AAA per application; LDAP for Admin and AuthN; IdM centralizes admin governance; Enterprise role management; IAM service-oriented; IAM implementing business rules. The axis runs from Technology-driven to Business-oriented.
• AAA (or AAAA):
– Administration of users: centralized management
– Authentication: centralized management
– Authorization: embedded in applications, no transparency
– Accounting (auditing): managed through complex reporting
• Authorization hard-coded into the code of individual applications
• Business rules must be translated into countless application-specific configurations
• Verification of compliance requires elaborate data mining
• Effectiveness and efficiency of internal controls?
Current state of AAA
Authorization Concepts
Resource-Centric vs. User-Centric
The Inherent Flaws of Role Based Access Control (RBAC)
• Access control lists (ACL)
– Discretionary access control (DAC): the resource owner can set permissions
– Mandatory access control (MAC): the security policy overrules ACLs
Resource-Centric Access Control Concepts
Two Dimensions: Users + Resources
Users Information assets
Doc 1 Doc 2 Doc 3 Doc 4
Alice X X
Bob X X
Dave X X
Sue X X
Joe X X
Eve X X
Oscar X X X X
Role Modeling on Two Dimensions
Users Information assets
Doc 1 Doc 2 Doc 3 Doc 4
Alice X X
Bob X X
Dave X X
Sue X X
Joe X X
Eve X X
Oscar X X X X
Finding commonalities
Three Dimensions: Users + Resources + Actions
Users Information assets
Doc 1 Doc 2 Doc 3 Doc 4
Alice RW R
Bob RWD R
Dave Approve RWD
Sue AC+RWD R
Joe RW Approve
Eve AC AC
Oscar ALL ALL ALL ALL
Finding commonalities
Four Dimensions: Users + Resources + Actions + Context
Users Information assets
Doc 1 Doc 2 Doc 3 Doc 4
Alice RW R
Bob RWD¹ R¹
Dave Approve² RWD
Sue AC³+RWD R
1. During normal working hours
2. Only in user’s own department
3. Requires strong authentication
Finding commonalities?
Assigning static permissions – directly or via roles, with discretionary or mandatory ACL models – is not sustainable!
Conclusion
The Black Box Challenge
Figure: the user asks the application “I want…”; the application answers “Okay, here you go…” and hands over the information asset. The authorization decision is buried in application code: if (user=bob) then...
Externalizing AuthZ to Overcome the Black Box Challenge
Figure: a centrally managed policy (”Managers may … provided ….”). The user asks the application “I want…”; the application sends an AuthZ query to the AuthZ service, which answers PERMIT or DENY before the information asset is released.
The eXtensible Access Control Markup Language (XACML)
Standardizing:
1. A reference architecture
2. A query/response protocol
3. A policy language
Attribute Based Access Control (ABAC)
Subject – Action – Resource – Environment
A user … wants to do something … with an information asset … in a given context.
Examples (claims administration in an insurance company):
– A claims administrator wants to register a new claim on behalf of client A via a secure channel and after authentication with smart card.
– An adjuster wants to approve payment of a claim from his office computer during regular business hours.
– A manager wants to assign a claim to himself as claim adjuster at 2 o’clock at night from a hotel lounge in Bogota on the day a payment is due.
SAML and XACML
Figure: the user (“I want…”) is first authenticated by the AuthN service at the Identity Provider (1. AuthN), which issues a SAML token; the Service Provider then asks the AuthZ service, the Policy Decision Point, for PERMIT/DENY (2. AuthZ).
Federation only: Service provider redirects to IdP; IdP performs AuthN and AuthZ; access control = login permitted yes/no.
Federation and token: Service provider redirects to IdP; IdP issues token with user attributes; application uses attributes in token to filter user data; access control = coarse-grained.
Federation and ABAC: Service provider redirects to IdP; IdP issues token with user attributes; Service provider queries Policy Decision Point about AuthZ; access control = fine-grained.
Cloud scenarios*
* Scenario examples based on Gartner analyst Ian Glazer’s presentation at Catalyst 2012
Login via Federation
Figure (IdP with LDAP inside the corporate network, AuthN at the IdP, Service Provider outside):
1. I want…
2. AuthN?
3. AuthN token…
4. I want…
Federation – User Attributes used by Service Provider
Figure (IdP with LDAP inside the corporate network, AuthN at the IdP, Service Provider outside):
1. I want…
2. AuthN?
3. AuthN token with attributes defining user’s sales territories…
4. I want to see my sales territories…
Federation + ABAC – The IAM (R)evolution
Figure (IdP with LDAP inside the corporate network providing AuthN; Service Provider with a Policy Enforcement Point (PEP); Policy Decision Point (PDP)):
1. I want…
2. AuthN?
3. AuthN token
4. I want …
5. AuthZ?
6. Permit / Deny
• Governance: Authorization subject to policy-based decisions controlled and updated based on business requirements. No rules in application code.
• Fine-grained: Authorization becomes context-aware and precise. Examples:
– “Permit LOB managers to approve purchase orders requested by their subordinates provided the total amount of POs approved so far does not exceed budget limits.”
– “Deny approval of PO if vendor is not on white list.”
– “Deny users approval of POs they created themselves.”
– “Deny approval of POs on the last Friday of every month when budget balance is recalculated.”
• Flexibility through decoupling: Componentized architecture allows many different deployment strategies
Benefits
• A top-down approach to governance. Corporate access rules are maintained at a central point but enforced locally within each single information system.
• Risk intelligence. Key risk indicators can be used as parameters to control access as context-aware policies are enforced at run-time.
• Cost reductions. No need to maintain authorization schemes in each single application. Savings throughout entire application life-cycle.
• Enabling new business. Reduced time-to-market for new services. Faster adaptation to new risks and conditions. Enabling collaboration across previously isolated domains.
Value Proposition
• How do we know that activated policies properly reflect corresponding business rules?
• Are privilege-giving attributes maintained in an acceptable manner?
• Access is dynamically granted based on
– a) policies and
– b) the state of attributes at the time of request
• How can we maintain an audit trail of both policies and attributes?
New Audit Challenges