
Finn Frisch  Access Management for the Cloud


Presentation Transcript


  1. Finn Frisch  Access Management for the Cloud

  2. About Axiomatics • Focus area: externalized authorization; standardization of externalized authorization (XACML) • Swedish Institute of Computer Science (SICS) spin-off: R&D since 2000; company Axiomatics founded in 2006 • OASIS XACML Technical Committee membership: member since 2005; editorial responsibilities • Products enable externalized authorization

  3. Identity and Access Management (IAM) Landscapes What about the cloud?

  4. Core Identity and Access Management (IAM) • AAA (or AAAA): • Administration of users • Authentication • Authorization • Accounting (auditing) • “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”

  5. Technology Change Impacting Data Custody [timeline, 1990 → 2000 → 2010] • Application architecture: monolithic mainframe systems → client/server → multi-tiered apps → web apps → component-based → Service-Oriented Architectures (SOA) • Custody era: mainframes → PC revolution → outsourcing → cloud

  6. From Technology-Driven to Business-Driven IAM [timeline, 1990 → 2000 → 2010: mainframes → PC revolution → outsourcing → cloud] • Technology-driven: AAA centralized on the mainframe; AAA per application; LDAP for administration and authentication; IdM centralizes administration and governance; enterprise role management • Business-driven: service-oriented IAM; business-oriented IAM implementing business rules

  7. Current state of AAA • AAA (or AAAA): • Administration of users: centralized management • Authentication: centralized management • Authorization: embedded in applications, no transparency • Accounting (auditing): managed through complex reporting • Authorization hard-coded into the code of individual applications • Business rules must be translated into countless application-specific configurations • Verification of compliance requires elaborate data mining • Effectiveness and efficiency of internal controls?

  8. Note! Authentication ≠ Authorization

  9. Authorization Concepts Resource-Centric vs. User-Centric The Inherent Flaws of Role Based Access Control (RBAC)

  10. Resource-Centric Access Control Concepts • Access control lists (ACL) • Discretionary access control (DAC): the resource owner can set permissions • Mandatory access control (MAC): the security policy overrules ACLs

  11. User-Centric Access Control Concepts • Categorize users based on similar needs • Groups • Roles

  12. Two Dimensions: Users + Resources

  13. Role Modeling on Two Dimensions Finding commonalities

  14. Three Dimensions: Users + Resources + Actions Finding commonalities

  15. Four Dimensions: Users + Resources + Actions + Context 1. During normal working hours 2. Only in the user’s own department 3. Requires strong authentication Finding commonalities?

  16. Segregation of Duties (SoD) – A Problem Caused by RBAC?

  17. Role Management A never-ending Sudoku… [figure: a permission grid in which Role 1 and Role 2 each collect permissions (P); where both roles hold conflicting permissions the cell is marked “SoD violation”]

  18. Conclusion Assigning static permissions – directly or via roles, with discretionary or mandatory ACL models – is not sustainable!

  19. Beyond Roles – Attribute Based Access Control (ABAC) The XACML Standard

  20. The Black Box Challenge [figure: User → “I want…” → Application (authorization hard-coded inside: if (user=bob) then...) → “Okay, here you go…” → Information asset]

  21. Externalizing AuthZ to Overcome the Black Box Challenge [figure: User → “I want…” → Information asset; the application sends an AuthZ query to an AuthZ service, which answers PERMIT or DENY from a centrally managed policy: “Managers may … provided ….”]

  22. The eXtensible Access Control Markup Language (XACML) • Standardizing: • A reference architecture • A query/response protocol • A policy language

  23. Attribute Based Access Control (ABAC)

  24. Federation and Attribute Based Access Control (ABAC) for the Cloud The IAM (R)evolution

  25. SAML and XACML [figure: 1. AuthN – the User authenticates at the Identity Provider (AuthN service) and receives a SAML token; the User presents “I want…” to the Service Provider; 2. AuthZ – the Service Provider asks the AuthZ service (Policy Decision Point), which answers PERMIT/DENY]

  26. Cloud scenarios* * Scenario examples based on Gartner analyst Ian Glazer’s presentation at Catalyst 2012

  27. Login via Federation [figure: 1. User → “I want…” → Service Provider; 2. Service Provider → “AuthN?” → IdP (backed by LDAP on the corporate network); 3. IdP → AuthN token → User; 4. User → “I want…” with token → Service Provider]

  28. Federation – User Attributes used by Service Provider [figure: 1. User → “I want…” → Service Provider; 2. Service Provider → “AuthN?” → IdP (backed by LDAP on the corporate network); 3. IdP → AuthN token with attributes defining the user’s sales territories → User; 4. User → “I want to see my sales territories…” → Service Provider]

  29. Federation + ABAC – The IAM (R)evolution [figure: 1. User → “I want…” → Service Provider; 2. Service Provider → “AuthN?” → IdP (backed by LDAP on the corporate network); 3. IdP → AuthN token → User; 4. User → “I want…” with token → Service Provider, where the request hits a PEP; 5. PEP → “AuthZ?” → PDP; 6. PDP → Permit / Deny → PEP]

  30. Benefits • Governance: Authorization subject to policy-based decisions controlled and updated based on business requirements. No rules in application code. • Fine-grained: Authorization becomes context-aware and precise. Examples: • “Permit LOB managers to approve purchase orders requested by their subordinates provided the total amount of POs approved so far does not exceed budget limits.” • “Deny approval of PO if vendor is not on white list.” • “Deny users to approve POs they created themselves.” • “Deny approval of POs on the last Friday of every month when budget balance is recalculated.” • Flexibility through decoupling: Componentized architecture allows many different deployment strategies

  31. Value Proposition • A top-down approach to governance. Corporate access rules are maintained at a central point but enforced locally within each single information system. • Risk intelligence. Key risk indicators can be used as parameters to control access as context-aware policies are enforced at run-time. • Cost reductions. No need to maintain authorization schemes in each single application. Savings throughout the entire application life-cycle. • Enabling new business. Reduced time-to-market for new services. Faster adaptation to new risks and conditions. Enabling collaboration across previously isolated domains.

  32. A New IAM Landscape In the cloud or on the ground

  33. New Audit Challenges • How do we know that activated policies properly reflect corresponding business rules? • Are privilege-giving attributes maintained in an acceptable manner? • Access is dynamically granted based on a) policies and b) the state of attributes at the time of request • How can we maintain an audit trail of both policies and attributes?
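The following is an added worked example, not code from the deck, from Axiomatics or from any XACML implementation. It shows in Python what the decision model behind the four purchase-order rules on the Benefits slide looks like, and how the PDP can answer the audit question on this slide: a small policy decision point evaluates a request split into XACML-style subject, resource, action and environment categories, combines the rules deny-overrides, and returns the decision together with the policy version, the rule ids that fired and a snapshot of the attributes it evaluated. Subject attributes are assumed to arrive via the IdP token as in the federation flow; the attribute names, the policy id, the budget figures and the vendor list are constructed assumptions.

```python
"""Added example: a minimal attribute-based PDP in the XACML style.
Policy = ordered rules combined deny-overrides; each decision is returned
with an audit record (policy version, rules that fired, attribute snapshot).
All attribute names and sample data below are constructed for illustration."""
from __future__ import annotations
import calendar
import copy
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                          # PERMIT or DENY
    target: Callable[[dict], bool]       # the rule applies when this is true


@dataclass
class Policy:
    policy_id: str
    version: str                         # what the audit trail must record
    rules: list[Rule]


@dataclass
class Decision:
    decision: str
    policy_id: str
    policy_version: str
    fired_rules: list[str]
    attributes: dict                     # state of attributes at request time


def last_friday(d: date) -> date:
    """Last Friday of the month containing d (weekday(): Monday=0 .. Friday=4)."""
    last_day = date(d.year, d.month, calendar.monthrange(d.year, d.month)[1])
    return last_day - timedelta(days=(last_day.weekday() - 4) % 7)


def evaluate(policy: Policy, request: dict) -> Decision:
    """Deny-overrides: any Deny wins; else any Permit; else NotApplicable.
    A PEP must treat NotApplicable exactly like Deny (deny-biased enforcement)."""
    fired = [r for r in policy.rules if r.target(request)]
    effects = {r.effect for r in fired}
    decision = DENY if DENY in effects else PERMIT if PERMIT in effects else NOT_APPLICABLE
    return Decision(decision, policy.policy_id, policy.version,
                    [r.rule_id for r in fired], copy.deepcopy(request))


# The four rules from the Benefits slide, written against the categories
# request = {"subject": {...}, "resource": {...}, "action": {...}, "environment": {...}}
PO_POLICY = Policy("po-approval", "2024-03", [
    Rule("manager-within-budget", PERMIT, lambda q:
         q["action"]["id"] == "approve"
         and q["resource"]["type"] == "purchase-order"
         and q["subject"]["role"] == "lob-manager"
         and q["resource"]["requester"] in q["subject"]["subordinates"]
         and q["subject"]["approved-so-far"] + q["resource"]["amount"] <= q["subject"]["budget"]),
    Rule("vendor-not-whitelisted", DENY, lambda q:
         q["action"]["id"] == "approve"
         and q["resource"]["vendor"] not in q["environment"]["vendor-whitelist"]),
    Rule("no-self-approval", DENY, lambda q:
         q["action"]["id"] == "approve"
         and q["resource"]["requester"] == q["subject"]["id"]),
    Rule("budget-recalculation-day", DENY, lambda q:
         q["action"]["id"] == "approve"
         and q["environment"]["date"] == last_friday(q["environment"]["date"])),
])


def make_request(subject_id="alice", requester="bob", amount=4000,
                 vendor="ACME", when=date(2024, 3, 13)) -> dict:
    """Constructed request. In the federation flow the subject attributes come
    from the IdP token, resource attributes from the application (PEP), and
    environment attributes (date, white list) are resolved by the PDP."""
    return {
        "subject": {"id": subject_id, "role": "lob-manager",
                    "subordinates": ["bob", "carol"],
                    "approved-so-far": 5000, "budget": 10000},
        "resource": {"type": "purchase-order", "requester": requester,
                     "amount": amount, "vendor": vendor},
        "action": {"id": "approve"},
        "environment": {"date": when, "vendor-whitelist": ["ACME", "Globex"]},
    }


if __name__ == "__main__":
    cases = [("normal", make_request()),
             ("over budget", make_request(amount=6000)),
             ("self-approval", make_request(requester="alice")),
             ("unlisted vendor", make_request(vendor="Evil Corp")),
             ("last Friday", make_request(when=date(2024, 3, 29)))]
    for label, req in cases:
        d = evaluate(PO_POLICY, req)
        print(f"{label:16} -> {d.decision:14} fired={d.fired_rules} "
              f"policy={d.policy_id}@{d.policy_version}")
```

Two details matter for the audit trail the slide asks about: the over-budget case yields NotApplicable rather than Deny, because no rule's target matched, so the enforcement point must be deny-biased; and because access depends on attribute values at request time (the manager's running total, the current date, the vendor list), the `Decision` carries a deep copy of those values and the policy version, which is what a later auditor needs to reproduce why the PDP said Permit on that day.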

  34. Questions? finn.frisch@axiomatics.com
