© 2012, Axiomatics AB 1
Fine-Grained Authorization for Cloud-based Services
David Brossard, Axiomatics
@davidjbrossard - @axiomatics

What you will learn

3 strategies to extend authorization to the Cloud (we’re in London, we definitely need this strategy)
What it means for customers and for SaaS providers

What’s authorization?

Access control or authorization (AuthZ): who can do what?
“The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”

Authorization comes after Authentication

Heard enough about SSO, federation and SAML?
Authentication: “Hi, I prove who I say I am”
One-off process
Focus: the user’s identity and the proof of identity
Standards: OpenID, OAuth, SAML…
Authorization: “Hi, can I transfer this amount?”
From code-driven to policy-driven
Standard: XACML

The issue with Authorization today

The black box challenge

System growth leads to AuthZ challenges

(Diagram: a growing number of in-house Apps and SaaS services, each with its own authorization.)
Cost
Brittleness
Static
Risk
Lack of visibility
Lack of audit
Violation of SoD (segregation of duties)

The Authorization Challenge

What happens to my data?
Who can access which information?
How do I comply with (what the auditor will ask for):
Regulations? E.g. Export Control
Contractual obligations?
Going to the cloud doesn’t make it easier. Do I need a different approach for cloud?

Example: Manufacturing in the cloud

Export Control:
Know the user (citizenship, location, affiliation)
Know the end use (end location, purpose of use)

Fine-grained authorization to the rescue

Attribute-based access control
XACML

Authorization is nearly always about…

Who? Identity + role (+ group)
= Role-Based Access Control
Credits: all icons from the Noun Project | Invisible: Andrew Cameron

Authorization should really be about…

Who? What? Where? When? How? Why?
= Attribute-Based Access Control
Credits: all icons from the Noun Project | Invisible: Andrew Cameron | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins

Behold XACML, the standard for ABAC

eXtensible Access Control Markup Language
OASIS standard
XACML is expressed as a specification document (a PDF) and an XML schema
Policy-based & attribute-based language
Implement authorization based on object relations, e.g.: only employees of a given plant can see technical data linked to items assigned to the plant

Refresher: the XACML architecture

Decide: Policy Decision Point (PDP)
Manage: Policy Administration Point (PAP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Enforce: Policy Enforcement Point (PEP)
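The PEP/PDP/PIP split above, applied to the two rules the deck uses (the plant rule from the XACML slide and the export-control example from the manufacturing slide), as an added toy in Python; this is not Axiomatics code and not a XACML engine, and the user directory, item table, the US-only export rule and the attribute names are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for the PIP's attribute sources (HR directory, item master).
USER_DIRECTORY = {"alice": {"plant": "plant-se", "citizenship": "SE"},
                  "bob": {"plant": "plant-us", "citizenship": "US"}}
ITEM_PLANT = {"item-42": "plant-se", "item-77": "plant-us"}
EXPORT_CONTROLLED = {"item-77"}  # constructed: items subject to export control

@dataclass
class Request:  # XACML-style request: one attribute bag per category
    subject: dict
    resource: dict
    action: dict
    environment: dict = field(default_factory=dict)

def pip_enrich(req):
    """Policy Information Point: fill in attributes the PEP did not send (plant, citizenship)."""
    user = USER_DIRECTORY.get(req.subject.get("id"), {})
    req.subject.setdefault("plant", user.get("plant"))
    req.subject.setdefault("citizenship", user.get("citizenship"))
    req.resource.setdefault("plant", ITEM_PLANT.get(req.resource.get("id")))
    return req

# Rules as (effect, predicate). Plant rule: only employees of a plant may view technical data of
# items assigned to that plant. Export control: who the user is (citizenship) and where the data
# ends up (end location); the concrete US-only condition is constructed, not a real regulation.
def same_plant(r):
    return (r.action.get("id") == "view" and r.resource.get("type") == "technical-data"
            and r.subject.get("plant") is not None and r.subject.get("plant") == r.resource.get("plant"))

def export_control(r):
    return (r.resource.get("id") in EXPORT_CONTROLLED
            and (r.subject.get("citizenship") != "US" or r.environment.get("location") != "US"))
RULES = [("Deny", export_control), ("Permit", same_plant)]

def pdp_decide(req):
    """Policy Decision Point, deny-overrides: Deny beats Permit; no matching rule is NotApplicable."""
    req = pip_enrich(req)
    effects = {effect for effect, matches in RULES if matches(req)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"

def pep_can_view_technical_data(user, item, end_location):
    """Policy Enforcement Point: build the request, ask the PDP, treat anything but Permit as refusal."""
    req = Request(subject={"id": user}, resource={"id": item, "type": "technical-data"},
                  action={"id": "view"}, environment={"location": end_location})
    return pdp_decide(req) == "Permit"
```

The PEP never evaluates policy itself and fails closed on NotApplicable, which is the externalized-authorization point the next slides make.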

XACML: Transparent & Externalized AuthZ

Centrally managed policy: “PERMIT user with clearance X to read document classified as ….”, “DENY access to classified document if…”
(Diagram: User → Application → Information asset; the user says “I want…”, and at each hop the application asks “PERMIT or DENY?”.)

XACML: Anywhere AuthZ & Architecture

(Diagram: Datacenter with App A and Services A, D, E, M and O, alongside two SaaS providers and a Private Cloud, all under one authorization architecture.)

Fine-grained Authorization for the Cloud

Three strategies for externalized authorization in the cloud

Option #1 – tell your provider to adopt XACML

A SaaS provider should offer:
Functional APIs (their core business)
Non-functional (Security) APIs
Let customers push their own XACML policies
Apply the administrative delegation profile:
http://docs.oasis-open.org/xacml/3.0/xacml-3.0-administration-v1-spec-en.html
![Page 18: Fine grained access control for cloud-based services using ABAC and XACML](https://reader036.vdocuments.us/reader036/viewer/2022062405/5585dc6cd8b42a7c428b4d47/html5/thumbnails/18.jpg)
SaaS provider
Option #1 – Architecture
Central IT:Company A
SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users.
Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes
Customer A users use the SaaS application
18© 2012, Axiomatics AB
App#1
App#2
App#3
Func
tiona
l API
XACML Mgmt
API
1.
2.
3.

Option #1 – Pros & Cons

Pros:
Consistent access control
Fine-grained
Risk-aware
Future-proof
SaaS vendor benefit: multi-tenancy
Cons:
Not many SaaS vendors support XACML today

Option #2 – Proxy your cloud connections

If you can restrict access to SaaS applications from within the corporate network…
All access to SaaS apps could be made to tunnel through a proxy

Option #2 – Architecture

(Diagram: users reach SaaS App #1, #2 and #3 only via the corporate VPN and an authorizing proxy.)

Option #2 – Pros & Cons

Pros:
Works around current SaaS limitations
Easy to deploy
Available today
Cons:
No direct access to the SaaS app
Forces users to go via VPN
Access may not be as fine-grained as Option #1
Lack of visibility into the SaaS data

Option #3 – Policy Provisioning based on XACML

What if the provider is reluctant to adopt XACML?
“If the application won’t go to XACML then XACML will go to the application” (Eve Maler, Forrester)
You still get:
Centrally managed authorization
Standards-based (XACML)
Approach:
Convert from XACML to the expected SaaS format
Push via SaaS management APIs

Option #3 – Architecture

(Diagram: SaaS provider hosting App #1, App #2 and App #3 behind a Functional API and a Native API; Central IT of Company A on the customer side.)
Central IT converts XACML policies to the native format expected by the SaaS provider
Authorization constraints / permissions are pushed in the format expected by the SaaS provider
Customer A’s users use the SaaS application

Option #3 – Pros & Cons

Pros:
Feasible today
Viable solution
Extends the reach of the customer’s XACML-based authorization system
Cons:
Possible loss of XACML richness in access control
Loss of dynamic nature

To summarize

Cloud requires eXtensible Authorization: fine-grained, externalized
Traditional approaches:
#1: tell your SaaS provider to adopt XACML
#2: proxy your cloud connections
Extended approach:
#3: Policy Provisioning based on XACML (also works for business apps: SharePoint, Windows)
Every cloud has a XACML lining

Questions?

Contact us at [email protected]