Managing Role Explosion with Attribute-based Access Control - Webinar Series - Part 2

© 2005-2013 NextLabs Inc.

Managing Role Explosion with Attribute-based Access Control: “Attributes” is the new Role

Sandeep Chopra, Director of Product Management, NextLabs, Inc.

Upload: nextlabs-inc

Post on 25-Jan-2017

Slide 2

2-Part Series

Part 1 – More Roles than Employees
• Trends and drivers for role explosion, cost of role management
• Demonstrations of typical use cases that drive role explosion

Part 2 – “Attributes” is the new Role
• Basics of ABAC and how it can help reduce role explosion
• Demonstrations of typical use cases and how ABAC works

Slide 3

Agenda

Presentation Review of Last Week Attribute Based Access Control Information Control Policies Use Cases Demonstration Examples

Question and Answers

Slide 4

Authorization Layers

Slide 5

Challenge – Exploding Access Complexity

Companies have multiple access variables

• Multiple Export Jurisdictions (e.g. ITAR, EAR, BAFA)
• Multiple IP Control Agreements (e.g. PIEA, NDA)
• Multiple Applications and Systems (e.g. PLM, ERP, SCM)

Traditional role based access control (RBAC) explodes based on the number of variables

[Chart: Required Access Rules vs. Number of Access Variables]

Slide 6

What are my Data Authorization options?

Data Authorization Decision Map

Slide 7

ABAC: Integrating Identity, Content, and Context Attributes

Identity: User Recipient Internal and External

Context: Computer Network Location Channel/Application Connection Time

Content: Data Type Metadata Custom Tags Data Content

“Who is using or sharing what data, how, why and with whom”

Slide 8

Attribute-Based Policies

Allow only US Engineers to access Project X Specifications from US Offices

Subject: Location = US AND Department = Engineering

Resource: Project = Project X AND Type = Specification

Environment: Network Address = 192.168.*

Attribute-based rules retain business intent. Provide fine-grained, data-level control.
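
The rule on this slide written as a default-deny attribute check, as an added example that is not part of the original deck or of any NextLabs product. The attribute key names, the `sample` helper and the reading of `192.168.*` as the block 192.168.0.0/16 are assumptions made for illustration.

```python
import ipaddress

# Added example. Attribute names are assumed spellings of the slide's labels;
# "192.168.*" is written as the CIDR block 192.168.0.0/16.
POLICY = {
    "subject": {"location": "US", "department": "Engineering"},
    "resource": {"project": "Project X", "type": "Specification"},
    "environment": {"network_address": ipaddress.ip_network("192.168.0.0/16")},
}

def _matches(required, actual):
    """Check one request attribute against the value the policy requires."""
    if actual is None:
        return False  # an absent attribute never satisfies a condition
    if isinstance(required, ipaddress.IPv4Network):
        try:
            # Parse the address; a string prefix test would accept "192.168.x".
            return ipaddress.ip_address(actual) in required
        except ValueError:
            return False  # malformed address
    return actual == required

def evaluate(request, policy=POLICY):
    """Return (decision, failed_conditions); anything unmatched is a Deny."""
    failed = [
        f"{category}.{name}"
        for category, conditions in policy.items()
        for name, required in conditions.items()
        if not _matches(required, request.get(category, {}).get(name))
    ]
    return ("Deny", failed) if failed else ("Permit", [])

# Constructed sample requests, not taken from the slides.
def sample(location="US", department="Engineering", doc_type="Specification",
           address="192.168.10.5"):
    return {
        "subject": {"location": location, "department": department},
        "resource": {"project": "Project X", "type": doc_type},
        "environment": {"network_address": address},
    }

if __name__ == "__main__":
    for label, req in [
        ("US engineer, US office", sample()),
        ("US engineer, outside network", sample(address="203.0.113.7")),
        ("German engineer, US office", sample(location="DE")),
        ("malformed address", sample(address="192.168.evil")),
    ]:
        print(label, "->", evaluate(req))
```

The list of failed conditions is what an audit log would record alongside each Deny, which keeps the decision traceable to the business rule rather than to a role name.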

Slide 9

One Simple Role – Using ABAC

[Diagram: 1 Simple Role; Policy using Attributes; CRM, ECC, BW]

Slide 10

Roles Vs. Attributes

97% fewer roles using Attributes

Scenario: 50 Functional roles & 5 Subsidiaries
• Derived Role: 300 total roles (50 Functional roles; 5 derived company code; 35 derived Plants)
• Enabler Role: 56 roles (50 Functional roles; 1 enabler template – Company code; 1 enabler roles for Plant)
• ABAC: 50 Functional roles

Scenario: 35 Plants under 5 subsidiaries
• Derived Role: 1840 Roles (50 x 35 = 1,750; 1,750 + 5 + 35 + 50 = 1840 Roles)
• Enabler Role: 1802 Roles (50 Functional roles x 35 plants = 1,750; 1750 + 50 + 2 = 1802)
• ABAC: 51 Authorizations (50 Functional roles; 1 NextLabs policy)

Benefit
• Derived Role: Baseline
• Enabler Role: 5% less than Derived roles
• ABAC: 97% less than Enabler Roles or Derived Roles

[Diagram: 1 Company; 5 Subsidiaries; 7 Plants/Subsidiary = 35 Plants]

Slide 11

Key Characteristics of Attribute Based Policy

Finer grained, automated controls

Dynamic Enforcement

External Identity Attributes

External Resource Attributes

Slide 12

About NextLabs

NextLabs Entitlement Manager is an SAP-Endorsed Business Solution

Policy-driven, information risk management software for Global 5000 enterprises.
• Help companies achieve safer and more secure internal and external collaboration
• Ensure proper access to applications and data

Facts
• Locations – HQ: San Mateo, CA; Boston, MA; Hangzhou, PRC; Malaysia; Singapore
• 40+ Patent Portfolio
• Major go-to-market Partners: IBM, SAP, HCL-AXON, Hitachi Consulting

“We allow companies to preserve confidentiality, prevent data loss and ensure compliance across more channels and more points with a single unified solution with unmatched user acceptance and total cost of ownership.”

- Keng Lim, Chairman and CEO

NextLabs Overview

Slide 13

Thank You!

Thank you for viewing a preview of Part 2 of our Managing Role Explosion with Attribute-Based Access Control webinar series.

To watch our complete recording, CLICK HERE.

In the remainder of this webinar, you will see typical use cases of Attribute Based Access Control and a Demo of how it works.