Federate Access Policy, Not Identity
Alan H. Karp, Hewlett-Packard Laboratories
04/21/09 | Session ID: ESS-106 | Session Classification: Advanced

Get Ready to Turn Your Brain Inside Out
Alan H. Karp, Hewlett-Packard Laboratories
04/21/09 | Session ID: ESS-106 | Session Classification: Advanced
An Actual Response
HP Labs security expert:
- November 2006: “I don’t get it.”
- January 2007: “I don’t get it.”
- February 2007: “I don’t get it.”
- March 2007: “Why would you do it any other way?”
- February 2008: “Why is this so hard for people to get?”
Adoption
- US Joint Forces Command exercise 2009: included as part of the experiment
- California HHS Privacy Board: part of the proposed solution in the December 2008 draft
- NY State e-government initiative: being evaluated
- Still working on HP: not the official strategy, yet
Access Control Process
- Identification: know who to hold responsible
- Authentication: what properties the user proves
- Authorization: what rights come with a proof
- Access decision: honor the request or not
The same four steps in Unix:
- Identification: set up a user account
- Authentication: lets a process use that account
- Authorization: add an entry to the ACL
- Access decision: check the ACL
Where and When
You can choose when and where you authenticate and authorize.
Agenda
- Federating identities
- Federation use case
- Federating access policy
- FAccM, not FIdM
CANES Use Case
[Architecture diagram: a Mars Portal (portlets, WS client, inbound and outbound security handlers) calls a Forecast Weather web service over SAML/SOAP; both sides use the CES SDK as the API to the core services (Attribute Service, Policy Decision Service, Policy Mgmt Service, Key Mgmt Service), which are backed by identity and authorization directory servers, an admin console, and a CA issuing DoD SIPRNet certs; the services hold roles, credentials and policy]
Service Composition
[Diagram: Alice at HP; the Backup service, run by Bob; the Copy service, run by Carol]
Service Life Cycle
- Create the service and identify the manager
- Advertise the service
- Specify policy for local users
- Potential user finds the service
- Exchange policy data with trusted partners
- Propagate policy data for indirect sharing
- Verify access rights of a request
- Process updates to policy data
- Shut down the service
Create the Service (FIdM walkthrough)
[Diagram: Bob’s service manager creates Backup and Carol’s service manager creates Copy; HP’s service manager and Alice are on the HP side]
Services are usually managed by the organization.

Advertise Service
[Diagram: Backup and Copy are registered in UDDI]

Specify Policy for Local Users
[Diagram: an ACL is attached to Backup and to Copy]
Local users are either known to need access or request access after discovering the service.

Potential User Finds Service
[Diagram: Alice looks the service up in UDDI]

Exchange Policy with Partners
[Diagram: MOU policies are exchanged between HP’s service manager and Bob’s and Carol’s service managers]
Organizations negotiate the terms of a contract and exchange usage policies.

Exchange Policy with Partners (continued)
[Diagram: Alice is added to the Backup ACL]

Verify Access Rights on Request
[Diagram: Alice calls backup(foo); the request is checked against the Backup ACL]

Propagate Policy for Indirect Sharing
[Diagram: “Copy: read foo” is added to HP’s ACL and “Alice: read bar” to Carol’s ACL]
How does HP decide if the request to add Copy is legitimate?

Verify Access Rights on Request
[Diagram: Backup calls copy(foo, bar); the request is checked against the Copy ACL]
In the general case, Carol might need Alice’s authentication.

Verify Access Rights on Request
[Diagram: read(foo) is checked against the ACL]

Verify Access Rights on Request
[Diagram: read(bar) is checked against the ACL]

Propagate Policy Changes
[Diagram: “Revoke Alice” has to reach both Bob’s and Carol’s service managers so that Alice is removed from the Backup and Copy ACLs]
Alice just lost her access to the backup copy, and what about Carol’s permission to read foo?

Shutdown the Service
[Diagram: Backup and Copy are gone; the ACL entries remain]
What happens to the access rules if the name of the service is reused?
Summary of FIdM Approach
- Need a uniform authentication mechanism: Alice authenticates to HP and to Bob
- Alice’s identity ends up in Carol’s ACL, yet there is no trust relationship between Carol and Alice (or HP)
- Need some mechanism to specify policy
- Bob and Carol must act to revoke Alice
- Exposes HP’s internal organization
- Violate Least Privilege or lose functionality
Create the Service (FAccM walkthrough)
  <saml:Authorization> Pu2: backup </saml:Authorization>  signed with Pr1
  <saml:Authorization> Pu4: copy </saml:Authorization>  signed with Pr3
An authorization is issued to a public key and is valid if signed by the corresponding private key.

Create the Service
  <saml:Authorization> Bob: backup </saml:Authorization>  signed Backup
  <saml:Authorization> Carol: copy </saml:Authorization>  signed Copy
For convenience, we’ll denote these keys with names, but these are self-signed certificates.

Advertise Service
[Diagram: Backup and Copy are registered in UDDI]

Specify Policy for Local Users
  <saml:Authorization> localUser: copy </saml:Authorization> <Evidence>Carol: copy</>  signed Carol
  <saml:Authorization> localUser: backup </saml:Authorization> <Evidence>Bob: backup</>  signed Bob

Find Service
[Diagram: Alice looks the service up in UDDI]

Exchange Policy with Partners
  <saml:Authorization> HP: backup </saml:Authorization> <Evidence>Bob: backup</>  signed Bob
  <saml:Authorization> Bob: copy </saml:Authorization> <Evidence>Carol: copy</>  signed Carol
[Diagram: MOU policies are exchanged between the service managers]

Exchange Policy with Partners (continued)
  <saml:Authorization> Alice: backup </saml:Authorization> <Evidence>HP: backup <Evidence>Bob: backup</></>  signed HP
  <saml:Authorization> Backup: copy </saml:Authorization> <Evidence>Bob: copy <Evidence>Carol: copy</></>  signed Bob
Purely local with FAccM.

Verify Access
  <soap:header> Backup: read foo <Evidence>Alice: read foo</>
  <soap:body> <saml:Authorization> Alice: backup <Evidence>HP: backup</> </saml:Authorization>
  signed Alice
The root of trust is the private key of the backup service used in the initial authorization.

Verify Access
  <soap:header> Copy: read foo <Evidence>Backup: read foo</>
  <soap:body> <saml:Authorization> Backup: copy <Evidence>Bob: copy</> </saml:Authorization> “bar”
  signed Backup

Propagate Policy for Indirect Sharing
Policy propagation is done by delegating rights during invocation.

Verify Access
  <soap:body> <saml:Authorization> Copy: read foo <Evidence>Backup: read foo</> </saml:Authorization>
  signed Copy

Verify Access (Return Value)
  <saml:Authorization> Backup: read bar </saml:Authorization>  signed Copy
  <saml:Authorization> Alice: read bar <Evidence>Backup: read bar</> </saml:Authorization>  signed Backup

Verify Access (Return Value)
  <soap:body> <saml:Authorization> Alice: read bar <Evidence>Backup: read bar</> </saml:Authorization>
  signed Alice

Propagate Policy Changes
[Diagram: Alice sends “Revoke authz #A3FE8”]
Alice can revoke Bob’s right to foo after the invocation returns, which revokes Copy’s access to foo.

Shutdown the Service
Forgetting the service’s private key invalidates all authorizations to it.
Summary of FAccM Approach
- Don’t need to authenticate on use: the request message contains the authorizations
- Carol need not have heard of Alice or even HP
- Parameters become delegations
- Easier to enforce Least Privilege
- No trusted third party, e.g., CAs: the service’s private key is the root of trust
- Moves steps off the critical path
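As an added example (not code from the talk), the check the FAccM summary describes, in Go: each authorization is a signed link naming issuer, grantee and right, citing as evidence the link that gave the issuer that right, and verification walks the chain back to the service’s own key with no CA and no identity lookup. The Authz struct, its byte encoding, the function names and the use of Ed25519 keys in place of the slides’ self-signed certificates are assumptions of this example; the participants and the “backup” right mirror the slides.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authz is one link of a delegation chain: Issuer grants Right to Grantee and cites as Evidence the link that gave Issuer that right (nil when the issuer is the service's own key).
type Authz struct {
	Issuer, Grantee ed25519.PublicKey
	Right           string
	Evidence        *Authz
	Sig             []byte // Issuer's signature over body(); also the link's id for revocation
}
// body is the signed content; appending the cited link's signature binds this link to exactly that evidence.
func (a *Authz) body() []byte {
	b := append(append(append([]byte{byte(len(a.Right))}, a.Right...), a.Issuer...), a.Grantee...)
	if a.Evidence != nil {
		b = append(b, a.Evidence.Sig...)
	}
	return b
}
func Grant(priv ed25519.PrivateKey, grantee ed25519.PublicKey, right string, ev *Authz) *Authz {
	a := &Authz{Issuer: priv.Public().(ed25519.PublicKey), Grantee: grantee, Right: right, Evidence: ev}
	a.Sig = ed25519.Sign(priv, a.body())
	return a
}
// Valid needs no CA and no identity lookup: each link must verify under its issuer, be unrevoked, carry the same right, and be issued to the key that cites it, back to the service's own key.
func Valid(a *Authz, service ed25519.PublicKey, revoked map[string]bool) bool {
	if a == nil || revoked[string(a.Sig)] || !ed25519.Verify(a.Issuer, a.body(), a.Sig) {
		return false
	}
	if a.Evidence == nil { // end of chain: the root of trust is the service's own key
		return a.Issuer.Equal(service)
	}
	return a.Evidence.Right == a.Right && a.Evidence.Grantee.Equal(a.Issuer) && Valid(a.Evidence, service, revoked)
}
// Scenario replays the slides with constructed keys: Backup -> Bob -> HP -> Alice for "backup", an HP grant of "copy" that its evidence does not cover, then revocation of HP's link.
func Scenario() (ok, mismatchOK, afterRevoke bool) {
	backupPub, backupPriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	hpPub, hpPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, _, _ := ed25519.GenerateKey(rand.Reader)
	bob := Grant(backupPriv, bobPub, "backup", nil)
	hp := Grant(bobPriv, hpPub, "backup", bob)
	alice := Grant(hpPriv, alicePub, "backup", hp)
	mismatch := Grant(hpPriv, alicePub, "copy", hp) // HP was granted "backup", not "copy"
	ok, mismatchOK = Valid(alice, backupPub, nil), Valid(mismatch, backupPub, nil)
	// Bob's "Revoke authz" on HP's link: every link that cites it fails with it
	return ok, mismatchOK, Valid(alice, backupPub, map[string]bool{string(hp.Sig): true})
}
```

Revocation is keyed on a link’s signature here, standing in for the slide’s authz id; because every link below it cites that signature, they all fail together, and discarding the service key (the shutdown slide) fails every chain at the root check.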
FIdM: Who are you?
- Asked at the time and place of the service
- Must distribute identities: single userid/password, SSO, true federation
- Must get identities in place ahead of time
- But still need to express access policy
- Indirection leads to complications
- Often leads to violations of Least Privilege
If you don’t like the answer you’re getting, ask a better question.
FAccM: Is this request authorized?
- Federate access policy directly
- Only authenticate your own people
- Authorize in the user’s domain before the request
- Use IdM to decide what rights to grant
- Verify authorization at the time and place of service
- Fewer global agreements
- Easier to enforce Least Privilege
Apply What You Learned
- Go home and ask “Why who?”
  - Is it to make an access decision?
  - Are you authenticating a partner’s employee?
  - If so, ask instead “Is this request authorized?”
- Work with business partners
  - Use the contract as a means to swap authorizations
  - Stop managing each other’s people
- Greater flexibility, better security, lower cost
- Pocket your savings
Questions?
alan.karp@hp.com
FAccM: Si. FIdM: No.