Finn Frisch: Access Management for the Cloud
1 Finn Frisch: Access Management for the Cloud

2 About Axiomatics
Focus area:
- Externalized authorization
- Standardization of externalized authorization (XACML)
Swedish Institute of Computer Science (SICS) spin-off:
- R&D since 2000
- Company Axiomatics founded in 2006
OASIS XACML Technical Committee membership:
- Member since 2005
- Editorial responsibilities
Products enable externalized authorization

3 Identity and Access Management (IAM) Landscapes
What about the cloud?

4 Core Identity and Access Management (IAM)
AAA (or AAAA):
- Administration of users
- Authentication
- Authorization
- Accounting (auditing)
“The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”

5 Technology Change Impacting Data Custody
Timeline (1990, 2000, 2010): Mainframes, PC revolution, Outsourcing, Cloud
Architectures over the same period: Monolithic mainframe systems; Client/Server; Multi-tiered apps; Web apps; Component-based, Service-Oriented Architectures (SOA)

6 From Technology-Driven to Business-Driven IAM
Timeline (1990, 2000, 2010): Mainframes, PC revolution, Outsourcing, Cloud
Technology-driven:
- AAA per application
- AAA centralized on mainframe
- LDAP for Admin and AuthN
- IdM centralizes admin governance
- Enterprise role management
Business-driven:
- Service-oriented IAM
- Business-oriented IAM implementing business rules

7 Current state of AAA
AAA (or AAAA):
- Administration of users: centralized management
- Authentication: centralized management
- Authorization: embedded in applications, no transparency
- Accounting (auditing): managed through complex reporting
Authorization hard-coded into the code of individual applications
Business rules must be translated into countless application-specific configurations
Verification of compliance requires elaborate data mining
Effectiveness and efficiency of internal controls?

8 Note! Authorization vs. Authentication

9 Authorization Concepts
- Resource-Centric vs. User-Centric
- The Inherent Flaws of Role Based Access Control (RBAC)

10 Resource-Centric Access Control Concepts
- Access control lists (ACL)
- Discretionary access control (DAC): resource owner can set permissions
- Mandatory access control (MAC): security policy overrules ACLs

11 User-Centric Access Control Concepts
Categorize based on similar needs:
- Groups
- Roles

12 Two Dimensions: Users + Resources
(Matrix of users Alice, Bob, Dave, Sue, Joe, Eve and Oscar against information assets Doc 1 to Doc 4; an X marks a permission.)

13 Role Modeling on Two Dimensions
(Same users-by-information-assets matrix: Alice, Bob, Dave, Sue, Joe, Eve and Oscar against Doc 1 to Doc 4, with X marking a permission.)
Finding commonalities

14 Three Dimensions: Users + Resources + Actions
(Matrix of users Alice, Bob, Dave, Sue, Joe, Eve and Oscar against information assets Doc 1 to Doc 4; cells now hold actions such as R, RW, RWD, Approve, AC, AC+RWD and ALL.)
Finding commonalities

15 Four Dimensions: Users + Resources + Actions + Context
(Matrix of users Alice, Bob, Dave and Sue against information assets Doc 1 to Doc 4; cells hold actions such as R, RW, RWD, Approve and AC+RWD, some qualified by the context conditions 1 to 3 below.)
1. During normal working hours
2. Only in user’s own department
3. Requires strong authentication
Finding commonalities?

16 Segregation of Duties (SoD) – A Problem Caused by RBAC?

17 Role Management
A never-ending Sudoku…
(Diagram: permissions P assigned to Role 1 and Role 2, with one combination marked as an SoD violation.)

18 Conclusion
Assigning static permissions – directly or via roles, with discretionary or mandatory ACL models – is not sustainable!

19 Beyond Roles – Attribute Based Access Control (ABAC)
The XACML Standard

20 The Black Box Challenge
(Diagram: User to Application: “I want…”; inside the Application: “if (user=bob) then...”; Application to Information asset: “Okay, here you go …”)

21 Externalizing AuthZ to Overcome the Black Box Challenge
(Diagram: User: “I want…”; the application queries the AuthZ service: PERMIT or DENY?; the AuthZ service evaluates a centrally managed policy: ”Managers may … provided ….”; access to the Information asset follows the decision.)

22 The eXtensible Access Control Markup Language (XACML)
Standardizing:
- A reference architecture
- A query/response protocol
- A policy language

23 Attribute Based Access Control (ABAC)
Subject | Action | Resource | Environment
A user … | … wants to do something … | … with an information asset … | … in a given context
Examples (claims administration in an insurance company):
- A claims administrator… | …wants to register a … | … a new claim on behalf of client A… | … via a secure channel and after authentication with smart card
- An adjuster… | …wants to approve payments of … | … claim payment … | …from his office computer during regular business hours
- A manager wants to … | … assign a claim… | …to himself as claim adjuster… | … at 2 o’clock at night from a hotel lounge in Bogota on the day a payment is due…

24 Federation and Attribute Based Access Control (ABAC) for the Cloud
The IAM (R)evolution

25 SAML and XACML
(Diagram: 1. AuthN: the User authenticates with the Identity Provider (AuthN service) and receives a token. 2. AuthZ: the User sends “I want…” to the Service Provider, which asks the Policy Decision Point (AuthZ service) for PERMIT/DENY.)

26 Cloud scenarios*
Federation only:
- Service provider redirects to IdP
- IdP for AuthN and AuthZ
- Access control = login permitted yes/no
Federation and token:
- IdP issues token with user attributes
- Application uses attributes in token to filter user data
- Access control = coarse-grained
Federation and ABAC:
- Service provider queries Policy Decision Point about AuthZ
- Access control = fine-grained
* Scenario examples based on Gartner analyst Ian Glazer’s presentation at Catalyst 2012

27 Login via Federation
(Diagram; actors: User, Service Provider, IdP with LDAP on the corporate network)
1. I want…
2. AuthN?
3. AuthN token…
4. I want…

28 Federation – User Attributes used by Service Provider
(Diagram; actors: User, Service Provider, IdP with LDAP on the corporate network)
1. I want…
2. AuthN?
3. AuthN token with attributes defining user’s sales territories
4. I want to see my sales territories…

29 Federation + ABAC – The IAM (R)evolution
(Diagram; actors: User, Service Provider with a PEP, IdP with LDAP on the corporate network, PDP; phases labelled AuthN and PEP)
1. I want…
2. AuthN?
3. AuthN token
4. I want …
5. AuthZ? (PEP to PDP)
6. Permit / Deny

30 Benefits
Governance: Authorization subject to policy-based decisions controlled and updated based on business requirements. No rules in application code.
Fine-grained: Authorization becomes context-aware and precise. Examples:
- “Permit LOB managers to approve purchase orders requested by their subordinates provided the total amount of POs approved so far does not exceed budget limits.”
- “Deny approval of PO if vendor is not on white list.”
- “Deny users to approve POs they created themselves.”
- “Deny approval of POs on the last Friday of every month when budget balance is recalculated.”
Flexibility through decoupling: Componentized architecture allows many different deployment strategies
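As an added example (not from the presentation, and not Axiomatics code) of slide 23's four ABAC dimensions applied to the four purchase-order policies on slide 30, a minimal Python policy decision point: each rule inspects subject, action, resource and environment attributes, and the rules are combined deny-overrides, as a XACML policy set would. The reporting lines, approved totals, budget limits and vendor white list are constructed sample attribute sources.

```python
from datetime import date, timedelta

# Constructed sample attribute sources (not from the presentation): who reports
# to whom, amounts approved so far per manager, budget limits, vendor white list.
REPORTS_TO = {"alice": "carol", "bob": "carol"}
APPROVED_SO_FAR = {"carol": 40_000}
BUDGET_LIMIT = {"carol": 50_000}
VENDOR_WHITE_LIST = {"acme", "globex"}

def last_friday_of_month(d):
    """True when d is the last Friday of its month (budget recalculation day)."""
    first_of_next = (d.replace(day=28) + timedelta(days=4)).replace(day=1)
    last = first_of_next - timedelta(days=1)
    while last.weekday() != 4:          # 4 == Friday
        last -= timedelta(days=1)
    return d == last

# Each rule takes the four ABAC attribute sets and returns "Permit", "Deny"
# or None when it does not apply to the request.
def rule_manager_within_budget(subj, act, res, env):
    if act != "approve" or subj["role"] != "lob_manager":
        return None
    if REPORTS_TO.get(res["requester"]) != subj["id"]:
        return None                      # not the requester's manager
    total = APPROVED_SO_FAR.get(subj["id"], 0) + res["amount"]
    return "Permit" if total <= BUDGET_LIMIT.get(subj["id"], 0) else None

def rule_vendor_white_list(subj, act, res, env):
    return "Deny" if act == "approve" and res["vendor"] not in VENDOR_WHITE_LIST else None

def rule_no_self_approval(subj, act, res, env):
    return "Deny" if act == "approve" and res["requester"] == subj["id"] else None

def rule_budget_recalc_day(subj, act, res, env):
    # env["date"] is an ISO date string supplied by the PEP with the request
    return "Deny" if act == "approve" and last_friday_of_month(date.fromisoformat(env["date"])) else None

RULES = [rule_manager_within_budget, rule_vendor_white_list,
         rule_no_self_approval, rule_budget_recalc_day]

def decide(subject, action, resource, environment):
    """Deny-overrides combining: any Deny wins, then any Permit, else NotApplicable."""
    results = {rule(subject, action, resource, environment) for rule in RULES}
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"
```

Because the budget rule is the only one that permits, a request no rule covers comes back NotApplicable, which a PEP should treat as a refusal rather than an implicit grant.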

31 Value Proposition
- A top-down approach to governance. Corporate access rules are maintained at a central point but enforced locally within each single information system.
- Risk intelligence. Key risk indicators can be used as parameters to control access as context-aware policies are enforced at run-time.
- Cost reductions. No need to maintain authorization schemes in each single application. Savings throughout the entire application life-cycle.
- Enabling new business. Reduced time-to-market for new services. Faster adaptation to new risks and conditions. Enabling collaboration across previously isolated domains.

32 A New IAM Landscape
In the cloud or on the ground

33 New Audit Challenges
- How do we know that activated policies properly reflect corresponding business rules?
- Are privilege-giving attributes maintained in an acceptable manner?
- Access is dynamically granted based on a) policies and b) the state of attributes at the time of request. How can we maintain an audit trail of both policies and attributes?

34 Questions?
