Finn Frisch: Access Management for the Cloud

Presentation transcript:


About Axiomatics. Focus area: externalized authorization; standardization of externalized authorization (XACML). Swedish Institute of Computer Science (SICS) spin-off, R&D since 2000; company Axiomatics founded in 2006. OASIS XACML Technical Committee membership: member since 2005, editorial responsibilities. Products enable externalized authorization. 2

Identity and Access Management (IAM) Landscapes What about the cloud? 3

Core Identity and Access Management (IAM) AAA (or AAAA): Administration of users Authentication Authorization Accounting (auditing) “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.” 4

Technology Change Impacting Data Custody. Component-based Service-Oriented Architectures (SOA); Web apps; Multi-tiered apps; Client/Server; Mainframe systems; Monolithic. Timeline: 1990 Mainframes, 2000 PC revolution, Outsourcing, 2010 Cloud. 5

From Technology-Driven to Business-Driven IAM. Business-oriented IAM implementing business rules; Service-oriented IAM; Enterprise role management; IdM centralizes admin governance; AAA centralized on mainframe; LDAP for Admin and AuthN; AAA per application; Technology-driven. Timeline: 1990 Mainframes, 2000 PC revolution, Outsourcing, 2010 Cloud. 6

Current state of AAA (or AAAA). Administration of users: centralized management. Authentication: centralized management. Authorization: embedded in applications, no transparency. Accounting (auditing): managed through complex reporting. Authorization is hard-coded into the code of individual applications; business rules must be translated into countless application-specific configurations; verification of compliance requires elaborate data mining. Effectiveness and efficiency of internal controls? 7

Note! Authorization ≠ Authentication 8

Authorization Concepts Resource-Centric vs. User-Centric The Inherent Flaws of Role Based Access Control (RBAC) 9

Resource-Centric Access Control Concepts. Access control lists (ACL). Discretionary access control (DAC): resource owner can set permissions. Mandatory access control (MAC): security policy overrules ACLs. 10

User-Centric Access Control Concepts Categorize based on similar needs Groups Roles 11

Two Dimensions: Users + Resources Information assets Doc 1 Doc 2 Doc 3 Doc 4 Alice X Bob Dave Sue Joe Eve Oscar 12

Role Modeling on Two Dimensions Users Information assets Doc 1 Doc 2 Doc 3 Doc 4 Alice X Bob Dave Sue Joe Eve Oscar Finding commonalities 13

Three Dimensions: Users + Resources + Actions Information assets Doc 1 Doc 2 Doc 3 Doc 4 Alice RW R Bob RWD Dave Approve Sue AC+RWD Joe Eve AC Oscar ALL Finding commonalities 14

Four Dimensions: Users + Resources + Actions + Context Information assets Doc 1 Doc 2 Doc 3 Doc 4 Alice RW R Bob RWD1 R1 Dave Approve2 RWD Sue AC3+RWD 1. During normal working hours 2. Only in user’s own department 3. Requires strong authentication Finding commonalities? 15

Segregation of Duties (SoD) – A Problem Caused by RBAC? 16

Role Management: a never-ending Sudoku… Role 1: P P P. Role 2: P P P. SoD violation. 17
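To make the role-management Sudoku concrete, here is an added example in Python that is not part of the slides: roles bundle permissions, Segregation-of-Duties (SoD) constraints name permission pairs no single user may hold, and a change to one role has to be re-checked against every user who holds it. All role, permission and user names are constructed.

```python
# Added example (not from the slides): roles bundle permissions, SoD
# constraints list permission pairs that no single user may hold, and
# every change to a role must be re-checked against everyone holding it.
from itertools import combinations

# Constructed sample data: role -> set of permissions.
ROLES = {
    "Role 1": {"create_po", "view_po"},
    "Role 2": {"approve_po", "pay_vendor", "view_po"},
    "Vendor Admin": {"edit_vendor", "pay_vendor"},
    "Auditor": {"view_po"},
}
# Constructed SoD constraints: permission pairs that must never meet in one user.
SOD_CONSTRAINTS = {
    frozenset({"create_po", "approve_po"}),    # nobody approves their own PO
    frozenset({"edit_vendor", "pay_vendor"}),  # nobody edits and pays a vendor
}
# Constructed user -> role assignments.
USERS = {"alice": ["Role 1"], "bob": ["Role 2"], "dave": ["Role 1", "Auditor"]}

def effective_permissions(user_roles, roles=ROLES):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in user_roles:
        perms |= roles[role]
    return perms

def sod_violations(user_roles, roles=ROLES, constraints=SOD_CONSTRAINTS):
    """SoD constraints (as sorted pairs) that a user's combined roles violate."""
    perms = effective_permissions(user_roles, roles)
    return sorted(tuple(sorted(c)) for c in constraints if c <= perms)

def toxic_roles(roles=ROLES, constraints=SOD_CONSTRAINTS):
    """Roles that violate a constraint all by themselves."""
    return sorted(name for name in roles if sod_violations([name], roles, constraints))

def toxic_role_pairs(roles=ROLES, constraints=SOD_CONSTRAINTS):
    """Role pairs that are clean on their own but violate a constraint together."""
    clean = [n for n in sorted(roles) if not sod_violations([n], roles, constraints)]
    return [(a, b) for a, b in combinations(clean, 2)
            if sod_violations([a, b], roles, constraints)]

def users_violating_after_change(role, new_perm, users=USERS, roles=ROLES):
    """Simulate adding new_perm to role; report users who would then violate SoD."""
    trial = {name: set(perms) for name, perms in roles.items()}
    trial[role].add(new_perm)
    return sorted(user for user, held in users.items() if sod_violations(held, trial))
```

Adding a single permission to the Auditor role is harmless for most users but turns dave's otherwise clean combination of Role 1 and Auditor into an SoD violation, which is why every role change needs a full re-check.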

Conclusion Assigning static permissions – directly or via roles, with discretionary or mandatory ACL models – is not sustainable! 18

Beyond Roles – Attribute Based Access Control (ABAC) The XACML Standard 19

The Black Box Challenge. User: I want… Application: if (user=bob) then... Information asset: Okay, here you go … 20

Externalizing AuthZ to Overcome the Black Box Challenge. User: I want… AuthZ service query: PERMIT or DENY? Centrally managed policy: ”Managers may … provided ….” Information asset. 21

The eXtensible Access Control Markup Language (XACML) Standardizing: A reference architecture A query/response protocol A policy language 22

Attribute Based Access Control (ABAC). Subject: a user … Action: … wants to do something … Resource: … with an information asset … Environment: … in a given context. Examples (claims administration in an insurance company): A claims administrator wants to register a new claim on behalf of client A via a secure channel and after authentication with smart card. An adjuster wants to approve a claim payment from his office computer during regular business hours. A manager wants to assign a claim to himself as claim adjuster at 2 o’clock at night from a hotel lounge in Bogota on the day a payment is due… 23

Federation and Attribute Based Access Control (ABAC) for the Cloud The IAM (R)evolution 24

SAML and XACML. User: I want… 1. AuthN: Identity Provider (AuthN service) issues a token. 2. AuthZ: Service Provider queries the AuthZ service (Policy Decision Point): PERMIT/DENY. 25

Cloud scenarios*. Federation only: service provider redirects to IdP; IdP for AuthN and AuthZ; access control = login permitted yes/no. Federation and token: IdP issues token with user attributes; application uses attributes in token to filter user data; access control = coarse-grained. Federation and ABAC: service provider queries Policy Decision Point about AuthZ; access control = fine-grained. * Scenario examples based on Gartner analyst Ian Glazer’s presentation at Catalyst 2012. 26

Login via Federation (Service Provider, IdP, LDAP, corporate network). 1. I want… 2. AuthN? 3. AuthN token… 4. I want… 27

Federation – User Attributes used by Service Provider (Service Provider, IdP, LDAP, corporate network). 1. I want… 2. AuthN? 3. AuthN token with attributes defining user’s sales territories … 4. I want to see my sales territories… 28

Federation + ABAC – The IAM (R)evolution (Service Provider with PEP, IdP, LDAP, PDP, corporate network). 1. I want… 2. AuthN? 3. AuthN token 4. I want … 5. AuthZ? 6. Permit / Deny 29

Benefits. Governance: authorization subject to policy-based decisions controlled and updated based on business requirements; no rules in application code. Fine-grained: authorization becomes context-aware and precise. Examples: “Permit LOB managers to approve purchase orders requested by their subordinates provided the total amount of POs approved so far does not exceed budget limits.” “Deny approval of PO if vendor is not on white list.” “Deny users to approve POs they created themselves.” “Deny approval of POs on the last Friday of every month when budget balance is recalculated.” Flexibility through decoupling: componentized architecture allows many different deployment strategies. 30
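The four purchase-order rules above, worked through as an added example that is not part of the slides: a toy Policy Decision Point whose rules each read the four ABAC dimensions of slide 23 (subject, action, resource, environment), combined deny-overrides, and whose decision record carries the policy id and the attribute snapshot it was based on, the kind of trail slide 33 asks about. Attribute names, the policy id and all sample values are constructed.

```python
# Added example (not from the slides): a toy PDP. Each rule reads subject s,
# action a, resource r, environment e and answers "Permit", "Deny" or None
# (not applicable); rules combine deny-overrides. Sample values are constructed.
import calendar, copy, json
from datetime import date

def is_last_friday(iso_day):
    """True on the last Friday of the month, when the budget balance is recalculated."""
    d = date.fromisoformat(iso_day)
    last_day = calendar.monthrange(d.year, d.month)[1]
    return d.day == last_day - (date(d.year, d.month, last_day).weekday() - 4) % 7

def rule_manager_within_budget(s, a, r, e):
    if a != "approve" or s["role"] != "lob_manager" or r["requester"] not in s["subordinates"]:
        return None
    return "Permit" if e["approved_so_far"] + r["amount"] <= s["budget_limit"] else "Deny"
def rule_vendor_whitelist(s, a, r, e):
    return "Deny" if a == "approve" and r["vendor"] not in e["vendor_whitelist"] else None
def rule_no_self_approval(s, a, r, e):
    return "Deny" if a == "approve" and r["creator"] == s["id"] else None
def rule_budget_recalc_day(s, a, r, e):
    return "Deny" if a == "approve" and is_last_friday(e["date"]) else None

POLICY_ID = "po-approval-policy-v1"   # constructed policy identifier for the audit record
POLICY = [rule_manager_within_budget, rule_vendor_whitelist,
          rule_no_self_approval, rule_budget_recalc_day]

def decide(request, policy=POLICY):
    """Deny-overrides: any Deny wins, then Permit, else NotApplicable. The record
    also carries the policy id and the attribute snapshot the decision used."""
    s, a, r, e = (request[k] for k in ("subject", "action", "resource", "environment"))
    results = {rule.__name__: rule(s, a, r, e) for rule in policy}
    seen = set(results.values())
    decision = "Deny" if "Deny" in seen else "Permit" if "Permit" in seen else "NotApplicable"
    return {"decision": decision, "policy_id": POLICY_ID, "rules": results,
            "attributes": json.loads(json.dumps(request))}

# Constructed sample request: LOB manager alice approving a PO her subordinate bob raised.
SAMPLE_REQUEST = {
    "subject": {"id": "alice", "role": "lob_manager", "subordinates": ["bob", "carol"], "budget_limit": 10000},
    "action": "approve",
    "resource": {"id": "PO-17", "requester": "bob", "creator": "bob", "vendor": "ACME", "amount": 2500},
    "environment": {"date": "2024-11-13", "approved_so_far": 6000, "vendor_whitelist": ["ACME", "Globex"]},
}

def variant(section, **changes):
    """Copy of SAMPLE_REQUEST with some attributes in one dimension changed."""
    req = copy.deepcopy(SAMPLE_REQUEST)
    req[section].update(changes)
    return req
```

Changing one attribute in any dimension (the PO's creator, the running total approved, the date) flips the outcome without touching application code, and the returned record shows which rule fired on which attribute values.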

Value Proposition. A top-down approach to governance: corporate access rules are maintained at a central point but enforced locally within each single information system. Risk intelligence: key risk indicators can be used as parameters to control access as context-aware policies are enforced at run-time. Cost reductions: no need to maintain authorization schemes in each single application; savings throughout the entire application life-cycle. Enabling new business: reduced time-to-market for new services; faster adaptation to new risks and conditions; enabling collaboration across previously isolated domains. 31

A New IAM Landscape: in the cloud or on the ground. 32

New Audit Challenges. How do we know that activated policies properly reflect the corresponding business rules? Are privilege-giving attributes maintained in an acceptable manner? Access is dynamically granted based on a) policies and b) the state of attributes at the time of the request. How can we maintain an audit trail of both policies and attributes? 33

Questions? finn.frisch@axiomatics.com 34