Building an effective API security framework using ABAC
Webinar: October 15, 2014
© 2014 Axiomatics AB
Guidelines
- You are muted centrally
- The webinar is recorded
- Slides available for download
- Q&A at the end
Today's speakers
- Alex Gudanis, Principal Solutions Architect, Advancive Technology Solutions
- David Brossard, VP Customer Relations, Axiomatics
Agenda
- API Security Framework
- Demo
- Q&A
Who is Axiomatics?
- Leading provider of ABAC (Attribute Based Access Control)
- Global deployments: 200M+ users, 100s of apps
- Product and innovation leader
ABAC Timeline
- 2009: US Federal CIO Council (FICAM) Roadmap and Implementation Plan v1.0 advocates ABAC
- 2011: FICAM v2.0: ABAC is the recommended access control model for promoting information sharing between diverse and disparate organizations
- 2012: National Strategy for Information Sharing & Safeguarding included a Priority Objective to implement the FICAM roadmap
- 2014: NIST Guide to ABAC, SP 800-162, published
- 2014: Gartner predicts: "By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today."
- 2014: KuppingerCole Leadership Compass on Dynamic Authorization: "Dynamic Authorization Management is arguably the most exciting area in identity and access management today."
What is Attribute Based Access Control (ABAC)?
- A mode of externalized authorization
- Authorization policies/rules are managed in a centralized service (the deployment itself can be centralized, distributed or hybrid)
- The eXtensible Access Control Markup Language (XACML) is an example of an ABAC system
- Policies use attributes (of the subject, the action, the resource and the environment) to describe specific access rules, which is why it is called attribute based access control
Or put another way…
ABAC enables the Any-Depth Architecture
- Axiomatics Data Access Filter
- Integration with Layer 7 API Gateway
- Spring Security Integration
Who is Advancive?
- Established in May 2009
- Headquartered in Southern California (Pasadena, CA), with an additional delivery center in Bangalore, India, and serving clients globally
- Consulting and systems integration firm with core competency in Identity & Access Management solutions design and implementation
- Serving clients in several key verticals, such as Financial, Healthcare, Telecom, High-Tech and Manufacturing
Case Study Overview
- Clinical Decision Support System offered as a service
- Provides data access APIs to a variety of clients, including electronic health information exchange (HIE) networks and mobile applications
- Main goal: ensure that all the necessary controls are provided to meet project security and compliance requirements
- Key requirement: provide a flexible attribute based authorization framework that can be reused across all layers of the application architecture
Solution Architecture Overview
Authorization Framework
- The reusable authorization framework and policies are built around the HL7 Security and Privacy Ontology Use Cases (http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology)
- These cover the main areas of access control of an EHR system:
  - Access Control Based on Category of Action
  - Access Control Based on Category of Object
  - Access Control Based on Category of Structural Role
  - Access Control Based on Category of Functional Role
  - Access Control Based on Multiple Role Values
Access Control Based on Category of Action
Controls access to an object based on the type of action to be performed on it.
- A primary physician can CREATE a patient's progress note
- A physician can UPDATE a patient's progress note that he or she wrote
Access Control Based on Category of Object
Controls access to an object based on the type of object it is.
- A primary physician can have full access to a patient's ASSESSMENT
- A primary physician cannot access a patient's PAYMENT HISTORY without additional authorization
Access Control Based on Category of Structural Role
Controls access to an object based on the structural role assigned to the user requesting access. A structural role reflects a human or organizational category.
- A PHYSICIAN can read the medical records of all patients
- An ADMISSIONS CLERK does not have access to patients' medical records without additional authorization
Access Control Based on Category of Functional Role
Controls access to an object based on the functional role assigned to the user requesting access. Functional roles are bound to the performance of actions carried out by an entity. The period of functional role assignment can be limited to the privileged access time interval.
- An alternate privileged healthcare professional can read or update a patient's medical record, including sensitive medical information, while that patient's primary physician is on vacation
Access Control Based on Multiple Role Values
Controls access to an object based on a user being assigned more than one role attribute value.
- A staff physician, i.e. a user that has the roles of both PHYSICIAN and HOSPITAL STAFF MEMBER, can update a patient's care plan
Process of Defining an Authorization Policy
1. Analyze the functional use case
2. Develop natural language policies (NLP)
3. Translate the NLPs into executable policies and attributes using policy authoring tools
Example: Use Case (Actors)
- Sam Jones: patient at the hospital
- Dr. Bob: physician at the hospital, primary physician for Sam Jones
- Dr. Dan: physician at the hospital, who also treats Sam Jones
Example: Use Case (Basic Scenario)
Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones' medical record and reads his medical history. Dr. Bob notices a transcription error in a progress note he had made for Mr. Jones' last hospital visit. Dr. Bob corrects the error and updates the progress note. Dr. Bob opens a new progress note, enters his observations of Mr. Jones' condition and appends the results of a recent blood test to the progress note.
Example: Use Case (Post-Condition)
A progress note regarding a past visit Mr. Jones made to the hospital has been updated, and a new progress note has been created and appended to. This updated progress note becomes a part of his medical record.
Example: Use Case (Alternative Scenario)
Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones' medical record and reads his medical history. Dr. Bob notices a transcription error in a progress note Dr. Dan had made for Mr. Jones' last hospital visit. Dr. Bob attempts to correct the error but is denied this privilege by the system.
Example: Use Case (Post-Condition)
The progress note regarding Mr. Jones' last hospital visit remains unchanged.
Example: Natural Language Policies
Policy ID | Policy
1 | A primary physician can create and update a patient's progress note
2 | A physician can update a patient's progress note if he or she is the author of that progress note
Example: ALFA Policy (attribute declarations, subject and action categories)

    // Subject-category attributes: who is making the request
    namespace user {
        attribute role {
            category = subjectCat
            id = "com.axiomatics.hl7.user.role"
            type = string
        }
        attribute requestorId {
            category = subjectCat
            id = "com.axiomatics.hl7.user.requestorId"
            type = string
        }
    }

    // Action-category attribute: what the request wants to do
    namespace action {
        attribute action {
            category = actionCat
            id = "com.axiomatics.hl7.action.id"
            type = string
        }
    }
Example: ALFA Policy (attribute declarations, resource category)

    // Resource-category attributes: properties of the note and of the patient it belongs to
    namespace object {
        attribute author {
            category = resourceCat
            id = "com.axiomatics.hl7.object.author"
            type = string
        }
    }

    namespace patient {
        attribute primaryPhysician {
            category = resourceCat
            id = "com.axiomatics.hl7.patient.primaryPhysician"
            type = string
        }
    }
Example: ALFA Policy (policy set and rules)

    // Top-level policy set: first applicable policy wins
    policyset global {
        apply firstApplicable
        progressNotes
    }

    // Policy 1 and Policy 2 from the natural language policies, expressed as two rules.
    // objectType is used in the target but its attribute declaration is not on these slides.
    policy progressNotes {
        target clause objectType == "progress note"
        apply firstApplicable
        rule createNote {
            target clause role == "physician" and action == "create"
            condition primaryPhysician == requestorId
            permit
        }
        rule updateNote {
            target clause role == "physician" and action == "update"
            condition author == requestorId
            permit
        }
    }
Implementation: API specification
- REST style API using an XML payload
- Can also be implemented as a SOAP web service or a REST/JSON API
- HTTP POST to:
  - /HL7/patient/create/progressnote
  - /HL7/patient/update/progressnote
- Sample payload (the XML element names were lost in extraction; only the values survive): 11, 1001, 1, A101, "Patient is suffering from headache", false, 2013-12-01T00:00:00-08:00
Implementation: Data Sources
- Active Directory: hospital staff accounts along with their role information
- Oracle Database: backend data tables for the API implementation
  - ACTORS: hospital staff information
  - PATIENT: patient information
  - PATIENT_MEDICALHISTORY: patient medical records
  - PATIENT_PROGRESSNOTE: patient progress notes
Implementation: Layer 7 Configuration
- Public API definition
- Request and schema validation, API threat protection
- Request authorization via the Axiomatics PDP
  - No XACML PEP as a pre-built component, but it can be implemented as a reusable policy fragment, using the out-of-the-box HTTP request routing capability
  - Build the XACML request from API request attributes and payload, and analyze the XACML response for the authorization decision
  - The gateway supplies a portion of the required policy attributes; the others are resolved by the Axiomatics policy server via Attribute Connectors
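The following Python sketch is an added example, not code from Axiomatics, Advancive, the Axiomatics policy server or Layer 7. It puts the Layer 7 slide and the ALFA policy slides together end to end: the gateway step that builds a XACML request from the API route and payload, the Attribute Connector step that fills in author and primaryPhysician from the PATIENT and PATIENT_PROGRESSNOTE tables, and a tiny PDP that evaluates the progressNotes policy with firstApplicable semantics, so the basic scenario (Dr. Bob updates his own note) and the alternative scenario (Dr. Bob tries to update Dr. Dan's note) can be run as code. The attribute ids are the ones declared in the ALFA on the slides and the request layout follows the XACML 3.0 JSON profile; the objectType, patient-id and note-id attribute ids, the API payload field names, and the sample table rows (patient 1001 and note A101 reuse the API slide's values, note A102 is made up) are assumptions of this example.

```python
"""Gateway-to-PDP walk-through for the progressNotes policy (added example;
not Axiomatics, Advancive, policy-server or Layer 7 code). Attribute ids come
from the slides' ALFA; the objectType/patient-id/note-id ids, the API field
names and the table rows are constructed for this example."""

# Attribute ids declared in the ALFA namespaces on the slides
ROLE = "com.axiomatics.hl7.user.role"
REQUESTOR_ID = "com.axiomatics.hl7.user.requestorId"
ACTION_ID = "com.axiomatics.hl7.action.id"
AUTHOR = "com.axiomatics.hl7.object.author"
PRIMARY_PHYSICIAN = "com.axiomatics.hl7.patient.primaryPhysician"
# Assumed ids: the policy targets objectType without a declaration on the slides,
# and the gateway needs keys for the patient and note identifiers it forwards.
OBJECT_TYPE = "com.axiomatics.hl7.object.type"
PATIENT_ID = "com.axiomatics.hl7.patient.id"
NOTE_ID = "com.axiomatics.hl7.object.id"

# Constructed stand-ins for the PATIENT and PATIENT_PROGRESSNOTE tables that the
# policy server's Attribute Connectors would query.
PATIENTS = {"1001": {PRIMARY_PHYSICIAN: "drbob"}}
PROGRESS_NOTES = {"A101": {AUTHOR: "drbob"}, "A102": {AUTHOR: "drdan"}}
API_OBJECTS = {"progressnote": "progress note"}  # URL segment -> objectType value


def _attrs(pairs):
    return {"Attribute": [{"AttributeId": i, "Value": v} for i, v in pairs]}


def build_xacml_request(method, path, subject, payload):
    """Gateway step: derive action and object type from the route, copy the
    caller's identity and roles, and forward the ids the PDP needs (XACML JSON shape)."""
    parts = path.strip("/").split("/")  # e.g. HL7/patient/update/progressnote
    if method != "POST" or len(parts) != 4 or parts[:2] != ["HL7", "patient"]:
        raise ValueError(f"unsupported API request: {method} {path}")
    action, object_type = parts[2], API_OBJECTS[parts[3]]
    resource = [(OBJECT_TYPE, object_type), (PATIENT_ID, str(payload["patientId"]))]
    if "noteId" in payload:  # an update names the note being changed
        resource.append((NOTE_ID, str(payload["noteId"])))
    return {"Request": {
        "AccessSubject": _attrs([(ROLE, r) for r in subject["roles"]]
                                + [(REQUESTOR_ID, subject["id"])]),
        "Action": _attrs([(ACTION_ID, action)]),
        "Resource": _attrs(resource),
    }}


def bag(request, category, attr_id):
    """All values of one attribute in one category (XACML attributes are bags)."""
    return [a["Value"] for a in request["Request"].get(category, {}).get("Attribute", [])
            if a["AttributeId"] == attr_id]


def resolve_missing(request):
    """Policy-server step: Attribute Connectors add author and primaryPhysician,
    which the gateway did not supply, by looking up the forwarded ids."""
    resource = request["Request"]["Resource"]["Attribute"]
    for pid in bag(request, "Resource", PATIENT_ID):
        resource += [{"AttributeId": k, "Value": v} for k, v in PATIENTS.get(pid, {}).items()]
    for nid in bag(request, "Resource", NOTE_ID):
        resource += [{"AttributeId": k, "Value": v} for k, v in PROGRESS_NOTES.get(nid, {}).items()]
    return request


def _rule(request, action, cond_attr):
    """Shape shared by createNote and updateNote: target on role=="physician" and
    the action, condition <cond_attr>==requestorId, effect permit."""
    if ("physician" not in bag(request, "AccessSubject", ROLE)
            or action not in bag(request, "Action", ACTION_ID)):
        return "NotApplicable"
    left = bag(request, "Resource", cond_attr)
    right = bag(request, "AccessSubject", REQUESTOR_ID)
    if len(left) != 1 or len(right) != 1:
        return "Indeterminate"  # one-and-only fails: attribute missing or multi-valued
    return "Permit" if left[0] == right[0] else "NotApplicable"


def first_applicable(decisions):
    for decision in decisions:
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


def policy_progress_notes(request):
    if "progress note" not in bag(request, "Resource", OBJECT_TYPE):
        return "NotApplicable"
    return first_applicable([_rule(request, "create", PRIMARY_PHYSICIAN),  # rule createNote
                             _rule(request, "update", AUTHOR)])            # rule updateNote


def policyset_global(request):
    return first_applicable([policy_progress_notes(request)])


def authorize(method, path, subject, payload):
    """PEP view: build, resolve, evaluate, then enforce deny-biased, so that only an
    explicit Permit lets the API call through (NotApplicable and Indeterminate are denied)."""
    request = resolve_missing(build_xacml_request(method, path, subject, payload))
    decision = policyset_global(request)
    return decision, decision == "Permit"
```

Calling `authorize("POST", "/HL7/patient/update/progressnote", {"id": "drbob", "roles": ["physician"]}, {"patientId": 1001, "noteId": "A101"})` yields the basic scenario's Permit; the same call with note A102 (authored by Dr. Dan) yields NotApplicable and is denied. Two points worth copying into a real gateway fragment: the PEP treats anything other than Permit as a deny, and an update request that omits the note id makes the author attribute unavailable, which surfaces as Indeterminate rather than as an accidental Permit.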
Authorization on the App Layer
- Additional authorization checks can be performed on the app layer as well
- Can be the same set of policies or a more fine-grained subset
- For Java applications, a good fit is to implement the XACML PEP as a custom PermissionEvaluator within the Spring Security framework
- Decouples authorization from application logic, which provides for reuse and consistent enforcement
- Allows for declarative security using annotations on the method definition, such as:
  @PreAuthorize("hasPermission(#progressnote, 'progress note', 'create')")
Summary
- We can effectively use ABAC, XACML and Axiomatics to build API security frameworks
- The Axiomatics policy server can be integrated with a variety of platforms, including API gateways such as Layer 7
- Decouple authorization logic from the API implementation
- Provide consistent policy enforcement across multiple APIs and layers of the application architecture
Questions?
Thank you for listening
Advancive Key Contacts
Headquarters: 201 South Lake Avenue | Suite 703 | Pasadena, CA 91101 | www.advancivetech.com
- Art Poghosyan, Managing Director, E: artyom.poghosyan@advancivetech.com, T: 213.915.4142
- Alex Gudanis, Principal Solutions Architect/CTO, E: alex.gudanis@advancivetech.com, T: 714.388.5565
- Sameer Hiremath, Director (India Operations), E: sameer.hiremath@advancivetech.com, T: 9180 4216239
Upcoming events & webinars
Don't miss out on these webinars!
- Oct 30: ABAC: ready, steady, go!
- Nov 30: Securing data is a four letter word
Register on www.axiomatics.com/events