CIS 2015 - Understanding & Managing Discretionary Access: The TAO of Entitlement Management
Posted on 29-Jul-2015
Transcript
Understanding & Managing Discretionary Access The TAO of Entitlement Management
Darran Rolls CTO, SailPoint Technologies
Today’s Agenda
• Discretionary Access
  - Definition
  - Application
• The Spectrum of Authorization
  - Static Models
  - Dynamic Models
  - Blended Models
• Striking the Right Balance
  - What Fits Best Where?
  - Some General Best Practices…
Discretionary Access Scale
[figure: a scale of Access Control Decisions running from Approval Based - Static at one end to Model Based - Dynamic at the other; successive slides annotate it with “Fully Resolvable, Policy Based”, “Partial or Full Human Interaction” and “Balance of Both”]
“An application access security mechanism, controlled by an external late binding decision making process”
www.darranrolls.com
Dynamic Models: ABAC - Entitlements & Context
[figure: a PIP (Attribute Provider) and a VDS supply attributes to the PDP; each System / Target sits behind a PEP that calls the PDP; the PDP evaluates Environment Attributes + Rules…]
Dynamic Models: ABAC - Entitlements & Context
[figure: the same PIP / VDS / PDP / PEP / System / Target diagram, now with Entitlement Giving Attributes… flowing in alongside Environment Attributes + Rules…]
Entitlement Giving Attributes: Creating High Fidelity Attributes…
High Fidelity Attributes provide assurance that controls and governance are in place to appropriately manage Entitlement Giving Attributes…
Dynamic Models: ABAC - Entitlements & Context
[figure: the same diagram, now with Environment Attributes + Policies… and a Policy Review & Attestation… step]
Policy Review & Attestation: Maintaining Integrity…
Policy Controls provide assurance that once developed and deployed, access policy rules can be considered articles of access attestation with lifecycle controls & audit.
Dynamic Models: ABAC - Entitlements & Context
[figure: the same diagram, with Attributes… and Policies… placed under a Governance layer of Visibility… Review… Change Control… Audit…]
Governance for the Process: Managing Attributes & Policies
• Visibility
  - Collection
  - Categorization
  - Analytics
• Review
  - Approvals
  - Certification
  - Policy checks…
• Change
  - Delegated Admin
  - Change Detection
  - Change Approval
• Audit
  - Reporting
  - Activity
  - Review
Attribute Integrity Reliability Index
“An application access security mechanism that mixes static & dynamic methods in the end-to-end process.”
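As an added illustration (not code from the talk or from SailPoint), the following Python sketches the blended model quoted above: a static, approval-provisioned entitlement held by the PIP is combined at decision time by a PDP with late-bound environment attributes and rules, and a PEP enforces the answer. The subjects, entitlements, rules and environment values are constructed sample data.

```python
"""Minimal ABAC decision flow (added example, not from the talk).
PIP attributes (static, approval-based entitlements) are combined by a
PDP with late-bound environment attributes and rules; a PEP enforces."""
from dataclasses import dataclass, field

# Constructed sample PIP data: each subject's entitlement-giving attributes.
PIP_ATTRIBUTES = {
    "alice": {"department": "finance", "entitlements": {"ledger:write", "ledger:read"}},
    "bob": {"department": "sales", "entitlements": {"ledger:read"}},
}


@dataclass
class PolicyDecisionPoint:
    """PDP: resolves subject attributes from the PIP and evaluates rules."""
    attributes: dict
    rules: list = field(default_factory=list)  # each rule: (request, env) -> bool

    def decide(self, subject: str, action: str, resource: str, env: dict) -> bool:
        subj = self.attributes.get(subject)
        if subj is None:
            return False  # unknown subject: default deny
        request = {"action": action, "resource": resource, "subject": subj}
        # Every rule must allow; any rule that denies wins (deny-overrides).
        return all(rule(request, env) for rule in self.rules)


def has_entitlement(req: dict, env: dict) -> bool:
    """Static part: the entitlement must have been provisioned (approved)."""
    return f"{req['resource']}:{req['action']}" in req["subject"]["entitlements"]


def context_allows(req: dict, env: dict) -> bool:
    """Dynamic part: writes only from the corporate network in business hours."""
    if req["action"] != "write":
        return True
    return env.get("network") == "corporate" and 8 <= env.get("hour", -1) < 18


def pep_handle(pdp: PolicyDecisionPoint, subject: str, action: str,
               resource: str, env: dict) -> str:
    """PEP: ask the PDP at call time (late binding) and enforce its answer."""
    return "ALLOW" if pdp.decide(subject, action, resource, env) else "DENY"


PDP = PolicyDecisionPoint(PIP_ATTRIBUTES, [has_entitlement, context_allows])
```

The static rule alone reproduces the approval-based end of the scale; adding the context rule moves the decision toward the dynamic end without removing the human approval behind the entitlement.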
Just-in-Time Token Authorization with Governance-based Provisioning
Attribute Integrity Reliability Index