TRANSCRIPT
© 2014 Axiomatics AB 1
Building an effective API security framework using ABAC
Webinar: October 15, 2014
© 2014 Axiomatics AB 2
2:001:591:581:571:561:551:541:531:521:511:501:491:481:471:461:451:441:431:421:411:401:391:381:371:361:351:341:331:321:311:301:291:281:271:261:251:241:231:221:211:201:191:181:171:161:151:141:131:121:111:101:091:081:071:061:051:041:031:021:011:000:590:580:570:560:550:540:530:520:510:500:490:480:470:460:450:440:430:420:410:400:390:380:370:360:350:340:330:320:310:300:290:280:270:260:250:240:230:220:210:200:190:180:170:160:150:140:130:120:110:100:090:080:070:060:050:040:030:020:01NOWCount-down for webinar start:
Webinar: October 15, 2014
Building an effective API security framework using ABAC
© 2014 Axiomatics AB 3
Guidelines
You are muted centrally
The webinar is recorded
Slides available for download
Q&A at the end
Today’s speakers
Alex Gudanis, Principal Solutions Architect, Advancive Technology Solutions
David Brossard, VP Customer Relations, Axiomatics
Agenda
API Security Framework
Demo
Q&A
Who is Axiomatics?
Leading provider of ABAC - Attribute Based Access Control
Global deployments
200M+ users
100s of apps
Product and Innovation leader
2009 – US Federal CIO Council (FICAM) Roadmap and Implementation Plan v1.0 advocates ABAC
2011 – FICAM v2.0: ABAC is the recommended access control model for promoting information sharing between diverse and disparate organizations
2012 – National Strategy for Info Sharing & Safeguarding included a Priority Objective to implement the FICAM roadmap
2014 – Gartner predicts: ”By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today.”
2014 – NIST Guide to ABAC, SP 800-162, published
2014 – KuppingerCole Leadership Compass on Dynamic Authorization: ”Dynamic Authorization Management is arguably the most exciting area in identity and access management today.”
ABAC Timeline
A mode of externalized authorization
Authorization policies/rules are managed in a centralized service (deployment can be centralized/distributed/hybrid)
The Extensible Access Control Markup Language (XACML) is an example of an ABAC system
Policies utilize attributes to describe specific access rules, which is why it is called attribute based access control
What is Attribute Based Access Control (ABAC)?
Or put another way…
ABAC enables the Any-Depth Architecture
Axiomatics Data Access Filter
Integration with Layer 7 API Gateway
Spring Security Integration
Who is Advancive?
Pasadena, CA
Bangalore, India
Established in May 2009
Headquartered in Southern California, with additional delivery center in Bangalore and serving clients globally
Consulting and systems integration firm with core competency in Identity & Access Management Solutions Design & Implementation
Serving clients in several key verticals, such as Financial, Healthcare, Telecom, High-Tech and Manufacturing
Case Study Overview
• Clinical Decision Support System offered as a service
• Provides data access APIs to a variety of clients, including electronic health information exchange (HIE) networks and mobile applications
• Main goal – ensure that all the necessary controls are provided to meet project security and compliance requirements
• Key requirement – provide a flexible attribute based authorization framework that can be reused across all layers of the application architecture
Solution Architecture Overview
Reusable authorization framework and policies are built around HL7 Security and Privacy Ontology Use Cases (http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology)
Cover the main areas of access control of an EHR system:
Access Control Based on Category of Action
Access Control Based on Category of Object
Access Control Based on Category of Structural Role
Access Control Based on Category of Functional Role
Access Control Based on Multiple Role Values
Authorization Framework
Controls access to an object based on the type of action to be performed on it
A primary physician can CREATE patient’s progress note
A physician can UPDATE a patient’s progress note that he or she wrote
Access Control Based on Category of Action
Controls access to an object based on the type of object it is
A primary physician can have full access to patient’s ASSESSMENT
A primary physician cannot access a patient’s PAYMENT HISTORY without additional authorization
Access Control Based on Category of Object
Controls access to an object based on the structural role assigned to the user requesting access. A structural role reflects a human or organizational category
A PHYSICIAN can read medical records of all patients
An ADMISSIONS CLERK doesn’t have access to patients’ medical records without additional authorization
Access Control Based on Category of Structural Role
Controls access to an object based on the functional role assigned to the user requesting access. Functional roles are bound to the performance of actions carried out by an entity. The period of functional role assignment can be limited to the privileged access time interval
An alternate privileged healthcare professional can read or update patient’s medical record, including sensitive medical information, while that patient’s primary physician is on vacation
Access Control Based on Category of Functional Role
Controls access to an object based on a user being assigned more than one role attribute value
A staff physician, i.e. a user who has the roles of both PHYSICIAN and HOSPITAL STAFF MEMBER, can update a patient’s care plan
Access Control Based on Multiple Role Values
Process of Defining an Authorization Policy
Analyze the functional use case
Develop natural language policies (NLP)
Translate NLPs into executable policies and attributes using policy authoring tools
Actors
Sam Jones – Patient at the Hospital
Dr. Bob – Physician at the Hospital, primary physician for Sam Jones
Dr. Dan – Physician at the Hospital, who also treats Sam Jones
Example: Use Case
Basic Scenario
Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Dr. Bob notices a transcription error in a progress note he had made for Mr. Jones’ last hospital visit. Dr. Bob corrects the error and updates the progress note. Dr. Bob opens a new progress note, enters his observations of Mr. Jones’ condition and appends the results of a recent blood test to the progress note.
Example: Use Case
Post-Condition
A progress note regarding a past visit Mr. Jones made to the hospital has been updated, and a new progress note has been created and appended to. This new progress note becomes a part of his medical record.
Example: Use Case
Alternative Scenario
Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Dr. Bob notices a transcription error in a progress note Dr. Dan had made for Mr. Jones’ last hospital visit. Dr. Bob attempts to correct the error but is denied this privilege by the system.
Example: Use Case
Post-Condition
The progress note regarding Mr. Jones’ last hospital visit remains unchanged.
Example: Use Case
Example: Natural Language Policies
Policy ID
Policy
1 A primary physician can create and update a patient’s progress note
2 A physician can update a patient’s progress note if he or she is the author of that progress note
namespace user{
  // Subject attributes: the caller's role (from the directory) and identity
  attribute role{
    category = subjectCat
    id = "com.axiomatics.hl7.user.role"
    type = string
  }
  attribute requestorId{
    category = subjectCat
    id = "com.axiomatics.hl7.user.requestorId"
    type = string
  }
}
namespace action{
  // Action attribute: "create" or "update", taken from the API call
  attribute action{
    category = actionCat
    id = "com.axiomatics.hl7.action.id"
    type = string
  }
}
Example: ALFA Policy
namespace object{
  // Resource attribute: who authored the progress note being acted on
  attribute author{
    category = resourceCat
    id = "com.axiomatics.hl7.object.author"
    type = string
  }
  // objectType is referenced by the progressNotes policy target but is not
  // declared on the original slides; this declaration and its id are assumed
  attribute objectType{
    category = resourceCat
    id = "com.axiomatics.hl7.object.objectType"
    type = string
  }
}
namespace patient{
  // Resource attribute: the primary physician of the patient the note belongs to
  attribute primaryPhysician{
    category = resourceCat
    id = "com.axiomatics.hl7.patient.primaryPhysician"
    type = string
  }
}
Example: ALFA Policy
// Attributes are referenced unqualified here, as on the slides; in an ALFA
// project they are either imported or namespace-qualified (e.g. user.role).
policyset global{
  apply firstApplicable
  progressNotes
}
policy progressNotes{
  // Natural language policies 1 and 2; applies only to progress notes
  target clause objectType=="progress note"
  apply firstApplicable
  rule createNote{
    // NLP 1: the patient's primary physician may create a progress note
    target clause role=="physician" and action=="create"
    condition primaryPhysician==requestorId
    permit
  }
  rule updateNote{
    // NLP 2: a physician may update only a progress note he or she authored
    target clause role=="physician" and action=="update"
    condition author==requestorId
    permit
  }
  // No matching rule yields NotApplicable, which the enforcement point
  // treats as a denial (the alternative scenario above)
}
Example: ALFA Policy
REST-style API using an XML payload
Can also be implemented as a SOAP web service or a REST/JSON API
HTTP POST to:
/HL7/patient/create/progressnote
/HL7/patient/update/progressnote
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<progressNote>
  <id>11</id>
  <patentid>1001</patentid>
  <patientRecordId>1</patientRecordId>
  <physicianid>A101</physicianid>
  <note>Patient is suffering from headache</note>
  <sensitive>false</sensitive>
  <visitedDate>2013-12-01T00:00:00-08:00</visitedDate>
</progressNote>
Implementation: API specification
Active Directory – hospital staff accounts along with their role information
Oracle Database – backend data tables for the API implementation:
ACTORS – hospital staff information
PATIENT – patient information
PATIENT_MEDICALHISTORY – patient medical records
PATIENT_PROGRESSNOTE – patient progress notes
Implementation: Data Sources
Public API definition
Request and schema validation, API threat protection
Request authorization via the Axiomatics PDP
No XACML PEP is available as a pre-built component, but one can be implemented as a reusable policy fragment using the gateway's out-of-the-box HTTP request routing capability
Build the XACML request from the API request attributes and payload, and analyze the XACML response for the authorization decision
The gateway supplies a portion of the required policy attributes; the others are resolved by the Axiomatics policy server via Attribute Connectors
Implementation: Layer 7 Configuration
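The round trip described on the Layer 7 slide and the ALFA policy slides, as an added example that is not Axiomatics', Advancive's or Layer 7's code: a PEP in the gateway's position maps the HTTP call and the progressNote payload onto a XACML request in the shape of the XACML JSON profile (the attribute ids are the ones declared in the ALFA namespaces; objectType, noteId and patientId are assumed identifiers), a stand-in PDP resolves role, primaryPhysician and author through connector-style lookups against constructed rows that play the part of Active Directory and the PATIENT and PATIENT_PROGRESSNOTE tables, and the createNote and updateNote rules are evaluated with first-applicable combining. The rows, the resolver and the evaluator are constructed for illustration only.

```python
"""Added example (not Axiomatics', Advancive's or Layer 7's code): a PEP builds
a XACML request from the progress-note API call; a PDP stand-in resolves the
remaining attributes via connectors and evaluates the two ALFA rules."""
import xml.etree.ElementTree as ET

# Constructed rows standing in for Active Directory and the Oracle tables named
# on the Data Sources slide; A101 is the physician id used in the slide's payload.
ACTORS = {"A101": "physician", "A102": "physician", "C201": "admissions clerk"}
PATIENT = {"1001": {"primaryPhysician": "A101"}}
PATIENT_PROGRESSNOTE = {"11": {"author": "A102"}, "12": {"author": "A101"}}

# Attribute ids declared in the ALFA namespaces on the policy slides.
ROLE = "com.axiomatics.hl7.user.role"
REQUESTOR = "com.axiomatics.hl7.user.requestorId"
ACTION = "com.axiomatics.hl7.action.id"
AUTHOR = "com.axiomatics.hl7.object.author"
PRIMARY = "com.axiomatics.hl7.patient.primaryPhysician"
# Assumed ids: the slides use objectType without declaring it, and the gateway
# must forward the note and patient ids so the connectors can look them up.
OBJECT_TYPE = "objectType"
NOTE_ID = "noteId"
PATIENT_ID = "patientId"


def note_xml(note_id, patient_id, text="constructed note"):
    """Constructed payload in the shape of the slide's progressNote document
    (the patient element is spelled 'patentid' there, so it is matched that way)."""
    return (f"<progressNote><id>{note_id}</id><patentid>{patient_id}</patentid>"
            f"<note>{text}</note><sensitive>false</sensitive></progressNote>")


def build_xacml_request(method, path, payload_xml, requestor_id):
    """PEP side: map the API call onto the XACML subject/action/resource categories."""
    if method != "POST":
        raise ValueError("progress-note API accepts POST only")
    parts = path.strip("/").split("/")            # /HL7/patient/<action>/progressnote
    if len(parts) != 4 or parts[0] != "HL7" or parts[3] != "progressnote":
        raise ValueError("unknown API path: " + path)
    note = ET.fromstring(payload_xml)             # schema validation assumed upstream
    return {"Request": {
        "AccessSubject": {"Attribute": [{"AttributeId": REQUESTOR, "Value": requestor_id}]},
        "Action": {"Attribute": [{"AttributeId": ACTION, "Value": parts[2]}]},
        "Resource": {"Attribute": [
            {"AttributeId": OBJECT_TYPE, "Value": "progress note"},
            {"AttributeId": NOTE_ID, "Value": note.findtext("id", default="")},
            {"AttributeId": PATIENT_ID, "Value": note.findtext("patentid", default="")}]}}}


def _get(req, category, attr_id):
    for attr in req["Request"][category]["Attribute"]:
        if attr["AttributeId"] == attr_id:
            return attr["Value"]
    return None


def resolve_attributes(req):
    """PDP side: attribute connectors supply what the gateway did not send."""
    attrs = {REQUESTOR: _get(req, "AccessSubject", REQUESTOR),
             ACTION: _get(req, "Action", ACTION),
             OBJECT_TYPE: _get(req, "Resource", OBJECT_TYPE)}
    attrs[ROLE] = ACTORS.get(attrs[REQUESTOR])                         # Active Directory
    patient = PATIENT.get(_get(req, "Resource", PATIENT_ID) or "")
    attrs[PRIMARY] = patient["primaryPhysician"] if patient else None  # PATIENT table
    note = PATIENT_PROGRESSNOTE.get(_get(req, "Resource", NOTE_ID) or "")
    attrs[AUTHOR] = note["author"] if note else None                   # PATIENT_PROGRESSNOTE
    return attrs


# The two ALFA rules in first-applicable order: (target clause, condition).
RULES = [({ROLE: "physician", ACTION: "create"}, (PRIMARY, REQUESTOR)),   # createNote
         ({ROLE: "physician", ACTION: "update"}, (AUTHOR, REQUESTOR))]    # updateNote


def _rule(attrs, target, condition):
    """Target miss -> NotApplicable; condition over a missing attribute ->
    Indeterminate (XACML semantics); otherwise Permit or NotApplicable."""
    if any(attrs.get(k) != v for k, v in target.items()):
        return "NotApplicable"
    left, right = condition
    if attrs.get(left) is None or attrs.get(right) is None:
        return "Indeterminate"
    return "Permit" if attrs[left] == attrs[right] else "NotApplicable"


def evaluate(req):
    """policyset global -> policy progressNotes, both combined first-applicable."""
    attrs = resolve_attributes(req)
    if attrs[OBJECT_TYPE] != "progress note":     # policy target clause
        return "NotApplicable"
    for target, condition in RULES:
        decision = _rule(attrs, target, condition)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


def authorize(method, path, payload_xml, requestor_id):
    """PEP enforcement is deny-biased: only an explicit Permit lets the call through."""
    decision = evaluate(build_xacml_request(method, path, payload_xml, requestor_id))
    return (200 if decision == "Permit" else 403, decision)


if __name__ == "__main__":
    # Basic scenario: Dr. Bob (A101) corrects his own note 12; alternative: Dr. Dan's note 11.
    print(authorize("POST", "/HL7/patient/update/progressnote", note_xml("12", "1001"), "A101"))
    print(authorize("POST", "/HL7/patient/update/progressnote", note_xml("11", "1001"), "A101"))
```

Running the two scenarios from the use case: Dr. Bob (A101) updating note 12, which he authored, gets Permit; updating note 11, authored by Dr. Dan (A102), gets NotApplicable, which the PEP turns into a 403 because only an explicit Permit is honoured. A condition the PDP cannot evaluate, for instance an update of a note id the connector does not know, yields Indeterminate and is refused for the same reason, which is the behaviour to check before relying on a gateway-side policy fragment in production.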
Additional authorization checks can be performed on the app layer as well
Can be the same set of policies or a more fine-grained subset
For Java applications, a good fit would be to implement the XACML PEP as a custom PermissionEvaluator within the Spring Security framework
Decouples authorization from application logic, which provides for reuse and consistent enforcement
Allows for declarative security using annotations in the method definition, such as:
@PreAuthorize("hasPermission(#progressnote, 'progress note', 'create')")
Authorization on the App Layer
We can effectively use ABAC, XACML and Axiomatics to build API security frameworks
The Axiomatics policy server can be integrated with a variety of platforms, including API gateways such as Layer 7
Decouple authorization logic from API implementation
Provide consistent policy enforcement across multiple APIs and layers of application architecture
Summary
Questions?
Thank you for listening
Headquarters
201 South Lake Avenue | Suite 703 | Pasadena, CA 91101 | www.advancivetech.com
Art Poghosyan, Managing Director
T: 213.915.4142
Alex Gudanis, Principal Solutions Architect/CTO
T: 714.388.5565
Sameer Hiremath, Director (India Operations)
T: 9180 4216239
Advancive Key Contacts
Don’t miss out on these webinars!
Oct 30: ABAC: ready, steady, go!
Nov 30: Securing data is a four letter word
Upcoming events & webinars
Register on www.axiomatics.com/events