Attribute Based Access Control (transcript of meetupfiles.meetup.com/18684561/axiomatics abac 101.pdf)
Posted on 09-Jul-2020
Attribute Based Access Control What is it? What is the value? How is it implemented?
Milwaukee IAM meet up – September 17, 2015
Gartner IAM Summit, December 2014
“By 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today.”
Gregg Kreizman, Gartner
“Roles Make Way for Other Attributes”
© 2015 Axiomatics AB
What is Attribute Based Access Control (ABAC)?
§ A mode of externalized authorization
§ Authorization policies/rules are managed in a centralized service (deployment can be centralized, distributed or hybrid)
§ Policies use attributes to describe specific access rules, which is why it is called attribute based access control
Reading material
§ NIST Guide to Attribute Based Access Control (ABAC) Definition and Considerations
§ nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
Example from NIST report
§ “This flexibility [of ABAC] provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object”
§ Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients
§ Variables in the policy language enable very efficient policy structures – reducing the maintenance load
§ Management of heart patient records is part of the business application – not an IT function
§ Multiple attributes must be available for policy evaluation – either as part of the access request or retrieved from source
NIST example, expanded
§ Nurse Practitioners can View the Records of Patients in the same Department they are assigned to
§ This rule can apply to all departments in the hospital
§ Add a new department or change department names and the rule does not change
§ The rule compares the department of the Nurse Practitioner to the department of the Patient
§ Avoids the role explosion effect of RBAC models
Corporate policy → access control
Example:
§ “Project members may change project specification documents as long as the project is in the planning phase. Once the project is in a production phase, the project lead may change specifications if there has been a change control board decision authorizing the change.”
§ Subject attributes
§ Action attributes
§ Resource attributes
§ Environment attributes
ABAC takes multiple factors into account
§ Not just user roles…
§ But also attributes in the language of the business defining what information assets users try to access, their actions, the context and so on
§ Policies define precise access rules
It’s not just about WHO, but also WHAT, WHERE, WHEN, WHY and HOW
Data access control is a challenge across industries
§ Risks are high – and the bottom line is in jeopardy
§ Data loss and leakage; data theft and fraud
§ Damage to reputation
§ Loss of competitive advantage
§ Regulatory penalties
§ Financial impact
§ Industries across the Fortune 500 face data access control challenges daily
Secure collaboration
…depends on efficient information sharing…
… which depends on precision in access controls.
Legacy access controls fail in dynamic environments
ABAC thrives in dynamic environments
Examples of “internal” authorization
Hundreds or thousands of if-clauses scattered all over your code:
  If the user is a member of project X then … else …
  If the user is project lead then … else …
  If project X is in the production phase then … else …
  If a change control board decision has been made for project X then … else …
Externalize the authorization
1. Access request is intercepted
2. A query is sent to the external authorization service
3. The authorization engine evaluates the relevant policies
4. It may also need to query external attribute sources for more info
5. The decision – PERMIT or DENY – is returned and enforced
Diagram: User Bob -> Application -> Authorization Service (backed by Policies and Attribute Sources): “Can Bob access record #22?” -> PERMIT/DENY
ABAC for Data-centric Authorization
1. SQL statement is intercepted
2. A query is sent to the external authorization service
3. The authorization engine evaluates the relevant policies
4. It may also need to query external attribute sources for more info
5. The result: the SQL statement is dynamically modified and only authorized data is returned to the user
Diagram: User Bob wants to SELECT A,B FROM table T -> Application -> Authorization Service (backed by Policies and Attribute Sources) returns the modified statement SELECT A,B FROM TABLE T WHERE… -> Data storage -> Filtered data back to Bob
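The data-centric flow above, as an added example (not code from the deck or from Axiomatics): a PEP intercepts a SELECT, a stand-in authorization service returns a row-level condition for the subject, and the statement is rewritten before it reaches an in-memory SQLite table. The insurance_policy table, its rows and the broker/auditor rules are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows for an insurance_policy table (not from the deck):
# (id, customer, premium, assigned_broker)
SAMPLE_ROWS = [
    (1, "Alice", 1200, "broker-7"),
    (2, "Bob", 800, "broker-9"),
    (3, "Carol", 950, "broker-7"),
]

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE insurance_policy "
                 "(id INTEGER, customer TEXT, premium INTEGER, assigned_broker TEXT)")
    conn.executemany("INSERT INTO insurance_policy VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def authorization_filter(subject):
    """Stand-in for the external authorization service (steps 2-4): returns
    (sql_condition, bound_params) for the rows the subject may see, or None
    when no rule grants any access."""
    if subject.get("role") == "broker":
        # Brokers can view the insurance policies of customers assigned to them.
        return "assigned_broker = ?", [subject["userId"]]
    if subject.get("role") == "auditor":
        return "1 = 1", []  # auditors see every row
    return None

def rewrite_statement(sql, params, condition, auth_params):
    """Step 5: add the authorization condition to the user's SELECT. Assumes a
    plain 'SELECT ... FROM ... [WHERE ...]' with no ORDER BY/LIMIT. The user's
    own WHERE clause is parenthesized so an OR inside it cannot widen the
    result beyond what the policy allows; values stay bound, never inlined."""
    parts = re.split(r"\bWHERE\b", sql, maxsplit=1, flags=re.IGNORECASE)
    if len(parts) == 2:
        head, tail = parts
        return f"{head}WHERE ({condition}) AND ({tail.strip()})", list(auth_params) + list(params)
    return f"{sql} WHERE {condition}", list(params) + list(auth_params)

def filtered_query(conn, subject, sql, params=()):
    """PEP side: intercept the statement (step 1), ask the authorization
    service, run the rewritten query and return only authorized rows."""
    decision = authorization_filter(subject)
    if decision is None:
        return []  # DENY: nothing is returned rather than the unfiltered table
    condition, auth_params = decision
    rewritten, bound = rewrite_statement(sql, params, condition, auth_params)
    return conn.execute(rewritten, bound).fetchall()
```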
Getting Started with ABAC: technical activities for an ABAC deployment
§ Policy authoring
§ Application integration
§ Attribute sourcing
Getting Started with ABAC: non-technical considerations
§ Prioritizing which applications should be migrated to ABAC
§ Identifying stakeholders for the project
§ Where does the budget come from?
Policy Authoring: authorization scenario
Brokers can view the insurance policies of a customer if the broker is assigned to the customer
Role == broker
Action == view
Resource == insurance policy
userId == customer.assignedBroker (this is the relationship)
A user with the role == broker can do the action == view on resources of type == insurance policy if the user id == the customer’s assigned broker id.
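The broker scenario above and the project specification policy from the corporate-policy slide, written out as an added example decision point (not code from the deck or from Axiomatics). CUSTOMERS and PROJECTS are constructed attribute sources standing in for the external lookups the deck describes; the attribute names, user ids and rule shapes are assumptions.

```python
# Constructed attribute sources (stand-ins for external lookups): the PDP
# queries these when the access request does not already carry an attribute.
CUSTOMERS = {"cust-1": {"assignedBroker": "u-broker-7"}}
PROJECTS = {
    "proj-A": {"phase": "planning", "lead": "u-lead-1",
               "members": {"u-dev-1", "u-lead-1"}, "ccbApproved": False},
    "proj-B": {"phase": "production", "lead": "u-lead-2",
               "members": {"u-dev-2", "u-lead-2"}, "ccbApproved": True},
}

def lookup(source, key, attr):
    """Attribute lookup; None when the entity or attribute is unknown."""
    return source.get(key, {}).get(attr)

def rule_broker_view(subject, action, resource, env):
    """Brokers can view the insurance policies of a customer if the broker
    is assigned to the customer (the relationship is looked up, not carried
    in the request)."""
    assigned = lookup(CUSTOMERS, resource.get("customerId"), "assignedBroker")
    return (subject.get("role") == "broker" and action == "view"
            and resource.get("type") == "insurance policy"
            and assigned is not None and subject.get("userId") == assigned)

def rule_project_spec_change(subject, action, resource, env):
    """Project members may change specification documents while the project
    is in the planning phase; in the production phase only the project lead
    may, and only if a change control board decision authorizes it."""
    if action != "change" or resource.get("type") != "project specification":
        return False
    proj, uid = resource.get("projectId"), subject.get("userId")
    phase = lookup(PROJECTS, proj, "phase")
    if phase == "planning":
        return uid in (lookup(PROJECTS, proj, "members") or set())
    if phase == "production":
        return uid == lookup(PROJECTS, proj, "lead") and bool(lookup(PROJECTS, proj, "ccbApproved"))
    return False  # unknown project or phase: no rule applies

RULES = [rule_broker_view, rule_project_spec_change]

def decide(subject, action, resource, env=None):
    """PDP entry point: PERMIT if any rule grants the request, else DENY.
    env carries environment attributes (time, channel, ...); neither rule
    above needs one, but the category is part of the request shape."""
    env = env or {}
    return "PERMIT" if any(r(subject, action, resource, env) for r in RULES) else "DENY"
```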
Where do I get the attributes?
§ Policies and rules contain references to attributes
§ Access request messages are comprised of attributes from the user session
§ The ABAC system can look up any additional attributes needed to complete the policy evaluation process
Using virtualization to consolidate attribute sources
Diagram: a virtual directory (VDS) fronting Directories, Databases, Active Directory and Applications as attribute sources
ABAC at the presentation tier
§ Hide or reveal menu items, drop-down lists, widgets, etc.
§ Activate/deactivate portal buttons
§ Implement with any application framework or programming language: Java, .NET, Ruby, Python, PHP, Spring, etc.
§ Use SDKs for SOAP/XML format for Java and .NET, or REST/JSON for these and other programming languages
ABAC at the business / API tier
Diagram: Client -> API gateway (acts as PEP) -> API Application; the backend services shown are licensing sites