Lean and Mean – Authorization for kick-ass APIs (Jonas Markström)
TRANSCRIPT
![Page 1: Lean and Mean – Authorization for kick-ass APIs (Jonas Markström)](https://reader035.vdocuments.us/reader035/viewer/2022062822/588161371a28ab80508b5c63/html5/thumbnails/1.jpg)
Lean & Mean - Authorization for kick-ass APIs
Jonas Markström, API Security Ninja
Page 2
© Axiomatics 2016 2
Feeling lonely?
Page 3
Not one but many monoliths
Page 4
Time to rethink the plumbing…
Page 7
Feeling pretty happy?
Page 8
A single entry into the kingdom
Page 9
Open up to business
Page 10
Before & After
⁃ From the monolith to...
  (diagram labels: Acme Enterprise, Firewall, Web Container, Processes, Data)
⁃ The decoupled approach
  (diagram labels: Acme Enterprise, Firewall, Web Container, Processes, Data, API, API, API Gateway, Third Party API)
Page 11
Is your access control broken?
Page 12
Who gets to decide?
Page 13
Who gets to decide?
User → API: "I, Alice, want to view bank accounts"
API → Data: "Can Alice view account #123?"
Page 14
The Guardian Angel
Page 15
Authorization as Infrastructure
(diagram labels: User, API Gateway, API, Data, ABAC Authorization Service, SQL Proxy)
User → API Gateway → API: "I, Alice, want to view bank accounts"
ABAC Authorization Service answers "Can Alice view account #123?" for the gateway and API, and "Which data can be retrieved?" for the SQL Proxy in front of Data
Page 16
Did you say ABAC?
⁃ Externalized
⁃ Centralized
⁃ Policy-driven
⁃ Attribute-based
⁃ Standardized
Page 17
Attributes are labels that describe anyone and anything
Page 18
Attributes are Multi-Dimensional
Who What Where When Why How
Page 19
Policies bring attributes together to make it all work
Page 20
“Managers can view accounts in their region”
“Customers can create transfers up to $1,000”
“A user cannot approve a transfer they requested”
“Tellers can view transactions in their own region”
Page 21
Policies that apply to a specific API or service
Policies that apply across the enterprise / API sets
Policies can be local or global
Page 22
Use ABAC to implement... Time-based policies
“Deny access to the API outside office hours”
Page 23
Use ABAC to implement... Location-based policies
“Dutch employees cannot view Singapore client data”
Page 24
Use ABAC to implement... Dynamic access control
“Managers can view accounts that are in the same branch.”
Page 25
Use ABAC to implement... Dynamic Segregation of Duty
“Employees cannot approve transactions they initiate.”
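The natural-language policies quoted on the preceding slides (regional managers, the $1,000 transfer limit, office hours, Dutch employees and Singapore data, segregation of duty) and the slide-15 question "which data can be retrieved?", as an added Python example that is not part of the presentation and not Axiomatics' code: a toy policy decision point that evaluates attribute-based rules with a target, a condition and an effect, combines them deny-overrides, keeps global rules separate from local ones, and filters a record set to answer the data question. Every attribute key, the office-hours window, the sample subjects and accounts, and the extra "Managers can approve transfers" permit rule are constructed assumptions.

```python
# Added example (not from the presentation): a toy attribute-based access
# control (ABAC) policy decision point. Every name, attribute key and sample
# record below is a constructed assumption for illustration.
from dataclasses import dataclass, field
from datetime import time
from typing import Any, Callable, Dict, List

Attributes = Dict[str, Any]


@dataclass
class Request:
    """One access request: who (subject), what (action), on which resource, in which environment."""
    subject: Attributes
    action: str
    resource: Attributes
    environment: Attributes = field(default_factory=dict)


@dataclass
class Policy:
    """A rule with a target (does it apply?), a condition and an effect, as in XACML."""
    name: str
    scope: str     # "global": applies across the enterprise; "local": one API's own rule
    effect: str    # "Permit" or "Deny", returned only when target and condition both hold
    target: Callable[[Request], bool]
    condition: Callable[[Request], bool]

    def evaluate(self, req: Request) -> str:
        if self.target(req) and self.condition(req):
            return self.effect
        return "NotApplicable"


def within_office_hours(env: Attributes) -> bool:
    """Environment attribute check: 08:00 <= request time < 18:00 (assumed office hours)."""
    return time(8, 0) <= env.get("time", time(0, 0)) < time(18, 0)


POLICIES: List[Policy] = [
    # Global policies (slides 22-25) sit in front of every API.
    Policy("Deny access to the API outside office hours", "global", "Deny",
           target=lambda r: True,
           condition=lambda r: not within_office_hours(r.environment)),
    Policy("Employees cannot approve transactions they initiate", "global", "Deny",
           target=lambda r: r.action == "approve" and r.resource.get("type") == "transfer",
           condition=lambda r: r.resource.get("initiator") == r.subject.get("id")),
    Policy("Dutch employees cannot view Singapore client data", "global", "Deny",
           target=lambda r: r.action == "view",
           condition=lambda r: r.subject.get("country") == "NL"
           and r.resource.get("country") == "SG"),
    # Local policies (slide 20) belong to a specific API.
    Policy("Managers can view accounts in their region", "local", "Permit",
           target=lambda r: r.action == "view" and r.resource.get("type") == "account",
           condition=lambda r: r.subject.get("role") == "manager"
           and r.subject.get("region") == r.resource.get("region")),
    Policy("Customers can create transfers up to $1,000", "local", "Permit",
           target=lambda r: r.action == "create" and r.resource.get("type") == "transfer",
           condition=lambda r: r.subject.get("role") == "customer"
           and r.resource.get("amount", 0) <= 1000),
    # Hypothetical permit rule (not on the slides) so the segregation-of-duty
    # deny above has something to override.
    Policy("Managers can approve transfers", "local", "Permit",
           target=lambda r: r.action == "approve" and r.resource.get("type") == "transfer",
           condition=lambda r: r.subject.get("role") == "manager"),
]


def decide(req: Request) -> str:
    """Deny-overrides combining: any Deny wins, then any Permit, else NotApplicable."""
    results = [p.evaluate(req) for p in POLICIES]
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"


def is_permitted(subject: Attributes, action: str, resource: Attributes,
                 environment: Attributes) -> bool:
    """What the enforcement point (e.g. the API gateway) asks; NotApplicable is treated as deny."""
    return decide(Request(subject, action, resource, environment)) == "Permit"


def accessible(subject: Attributes, action: str, resources: List[Attributes],
               environment: Attributes) -> List[Attributes]:
    """Answer "which data can be retrieved?" by keeping only the records the policies permit.
    A SQL proxy would derive a WHERE clause from the same policies instead of filtering rows."""
    return [res for res in resources if is_permitted(subject, action, res, environment)]


# Constructed sample data.
OFFICE_HOURS = {"time": time(10, 30)}
AFTER_HOURS = {"time": time(22, 0)}
ALICE = {"id": "alice", "role": "manager", "region": "EU", "country": "NL"}
BOB = {"id": "bob", "role": "customer", "region": "EU", "country": "SE"}
ACCOUNTS = [
    {"type": "account", "id": "123", "region": "EU", "country": "SE"},
    {"type": "account", "id": "456", "region": "APAC", "country": "SG"},
    {"type": "account", "id": "789", "region": "EU", "country": "NL"},
]

if __name__ == "__main__":
    print(decide(Request(ALICE, "view", ACCOUNTS[0], OFFICE_HOURS)))
    print([a["id"] for a in accessible(ALICE, "view", ACCOUNTS, OFFICE_HOURS)])
```

The structure mirrors the XACML model the slides' "Standardized" bullet points at: each rule has a target, a condition and an effect, and a combining algorithm resolves conflicts. Deny-overrides is what makes the global segregation-of-duty rule win over the local permit, and the enforcement point treating NotApplicable as deny gives default-deny when no policy claims a request. Filtering rows after the fact is only for illustration; the point of the SQL proxy on slide 15 is to turn the same policies into a query constraint so that disallowed rows are never fetched.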
Page 26
Secure APIs start with ABAC...
Any API
Any Policy
Any Attribute