Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and standards

The
Very
Latest
in
Authorization

Standards
and
Trends

Twin Cities IAM Meetup – Spring 2014
Gerry Gebel
Axiomatics
gerry@axiomatics.com
@ggebel
© 2014 Axiomatics AB 1

Agenda

§  Business trends that are influencing authorization requirements
§  Externalized Authorization and ABAC
§  Standards update
§  JSON, REST, & ALFA
Twin Cities IAM Meetup

Business
Trends
&
AuthZ

Twin Cities IAM

Collaboration

…depends on efficient
information sharing…
… which depends on
precision in access controls…
Business challenge

Speed
in
business

transactions

delegation of powers…
… while losses due to fraud or
excessive risk taking are minimized…
Business challenge

Regulatory

compliance

IT governance …
…which in turn depends on correct
and verifiable authorizations …
Business challenge

Protecting
intellectual
property

§  Different types of users need access
to different types of data in
different phases of Product Life
Cycles
§  Organizations need to protect their
own IP
§  They also act as the custodians of
sensitive data from third parties
The data protection problem

Protecting
credit
card
numbers,

ﬁnancial
data,

accounts,

etc.


Information
storage
–
global
increase

Based on: Hilbert and Lopez, 2011
86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07
300
250
200
150
100
50
0
~93% digital
~0,7% digital
DAC
MAC
RBAC
ABAC
Increasing access
control challenges

Privacy

regulations

Data protection problem

Externalized
Authorization

and
ABAC

Twin Cities IAM

What
is
Attribute
Based
Access
Control
(ABAC)?

§  A mode of externalized authorization
§  Authorization policies/rules are managed in a centralized service (deployment
can be centralized/distributed/hybrid)
§  The Extensible Access Control Markup Language (XACML) is an example of an
ABAC system
§  Policies utilize attributes to describe specific access rules, which is why it is
called attribute based access control

The
ABAC
trend

14
2005
XACML version 2.0:
Concept production-ready
for enterprise needs.
2009
US Federal CIO Council –
(FICAM) Roadmap and
Implementation Plan v1.0
advocates ABAC
2006
Axiomatics founded.
First project: a nation-
wide eHealth service.
2011
FICAM v2.0:
ABAC recommended access control
model for promoting information
sharing between diverse and
disparate organizations.
2013
XACML version 3.0
2014
NIST Guide
on ABAC
2014
Gartner predicts:
”By 2020, 70% of all
businesses will use
ABAC as the dominant
mechanism to protect
critical assets,
up from 5% today.”
ABAC = Attribute Based Access Control
© 2014 Axiomatics AB

Example
from
NIST
report*

§  “This flexibility [of ABAC] provides the greatest breadth of subjects to access
the greatest breadth of objects without specifying individual relationships
between each subject and each object”
§  Nurse Practitioners in the Cardiology Department can View the Records of
Heart Patients
§  Variables in the policy language enable very efficient policy structures – reducing the
maintenance load
§  Management of heart patient records is part of the business application – not an IT
function
§  Multiple attributes must be available for policy evaluation – either as part of the access
request or retrieved from source
* nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

NIST
example
-‐
expanded

§  Nurse Practitioners can View the Records of Patients in the same Department
they are assigned to
§  This rule can apply to all departments in the hospital
§  Add a new department or change names of department and the rule does not change
§  Rule compares department of the Nurse Practitioner to the department of the Patient
§  Avoids the role explosion effect of RBAC models

Why
are
we
seeing
this
shift
to
ABAC?

§  Todays’ business environment is more global, dynamic and collaborative
§  Users demand access to any data, from any device, at any time
§  First generation access models cannot cope in a “need to share” world

Legacy access control Attribute based access control
Legacy
access
controls
fail
in
dynamic
environments

Business challenge

ABAC
takes
multiple
factors
into
account

§  Not just user roles….
§  But also attributes in the language of the business defining what information
assets users try to access, their actions, the context and so on
§  Policies define precise access rules
Attribute Based Access Control (ABAC)
WHO WHAT WHERE WHEN WHY HOW
It’s not
just about
but also and

Applying ABAC to every layer of your application
ADAF

REST,
JSON,
&
ALFA

What’s new on the standards front?

§  Profiles add functionality
§  REST
§  JSON
§  Export Control
§  IP Protection
§  Hierarchal Resources
§  Etc.
What’s in the XACML standard
XACML
Reference
Architecture
Policy
Language
Request /
Response
Protocol

The Request/Response format
•  Subject
User id = Alice
Role = Manager
•  Action
Action id = approve
•  Resource
Resource type = Purchase
Order
PO #= 12367
•  Environment
Device Type = Laptop
XACML Request XACML Response
Can Manager Alice approve
Purchase Order 12367? Yes, she can
•  Result
Decision: Permit
Status: ok
The core XACML specification does
not define any specific transport /
communication protocol:
- Developers can choose their own.

XML encoding of an authZ request
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-
ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-
ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-
ctx:AttributeValue>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-
ctx:AttributeValue>
</xacml-ctx:Request>
Can
Alice
Say
Hello?

JSON encoding of an authZ request
{"subject":
{"attribute":[{
"attributeId":"username",
"value":"alice"}]},
"resource":
{"attribute":[{
"attributeId":"resource-id",
"value":"hello"}]},
"action":
{"attribute":[{
"attributeId":"action-id",
"value":"say"}]}}

JSON vs. XML
0
10
20
30
40
50
Word count
XML
JSON
0
200
400
600
800
1000
1200
1400
Char. Count
XML
JSON
Size of a XACML request

REST
Proﬁle

What’s new in the XACML standard
XML over HTTP
XML over HTTP
JSON over HTTP
JSON over HTTP

ALFA
–
Axiomatics
Language
for
Authorization

§  Domain Specific Language (DSL) that provides an abstraction over XACML
§  Pseudo language is similar to C# or Java
§  Author policies in Eclipse IDE, plug in automatically generates XACML
Axiomatics has committed to submit ALFA as an XACML profile

A policy example, in English
/**
* A manager can approve a transaction if their approval limit is greater than
* the transaction amount and if the risk is less than 5
*/
Let’s take a look at this policy in XACML and ALFA

A policy example, in XACML (1)
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).>
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description>Let a manager approve a transaction if their approval limit is greater than
the transaction amount and if the risk is less than 5</xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="userRole"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</xacml3:Match>
DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml3:AttributeValue>
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
/>

</xacml3:Match>
DataType="http://www.w3.org/2001/XMLSchema#string">transaction</xacml3:AttributeValue>
AttributeId="resourceType"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Rule
Effect="Permit"
RuleId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction.allowIfLowRiskScore">
<xacml3:Description />
<xacml3:Target />
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than"/>
DataType="http://www.w3.org/2001/XMLSchema#double">5.0</xacml3:AttributeValue>
AttributeId="transactionRiskScore"
DataType="http://www.w3.org/2001/XMLSchema#double"
/>

</xacml3:Apply>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal"/>
AttributeId="transactionAmount"
/>
AttributeId="userApprovalLimit"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
/>
</xacml3:Apply>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
</xacml3:Policy>

A policy example, in ALFA
policy allowTransaction{
target clause userRole=="manager" and actionId=="approve" and
resType=="transaction"
apply firstApplicable
rule allowIfLowRiskScore{
condition (transactionRiskScore < 5) && (transactionAmount <=
userApprovalLimit)
permit
}
}

Questions?

Thank you for listening

Don’t
miss
out
on
these
events!

§  June 3rd – June 5th (Phoenix, AZ): Identity Relationship Management Summit
§  July 19th – July 23rd (Monterey, CA): Cloud Identity Summit
§  December 2nd – December 4th (Las Vegas, NV): Gartner Identity & Access
Management Summit North America
Upcoming events & webinars
More at https://axiomatics.com/events

Reading
materials

§  Axiomatics White Paper: The Business Case for Attribute Based Access Control
§  Axiomatics White Paper: Getting Started with ABAC
§  NIST paper on ABAC
§  nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
References
Webinar
recordings
available

§  Get started now! Attribute Based Access Control (ABAC) for applications.
April 10, 2014
§  Protect business critical data with dynamic authorization for databases.
May 8, 2014

Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and standards

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Similar to Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and standards

Similar to Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and standards (20)

Recently uploaded

Recently uploaded (20)

Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and standards