CIS13: Policy Enabled Access Control: Meeting “Need to Share” Business Requirements
Transcript of CIS13: Policy Enabled Access Control: Meeting “Need to Share” Business Requirements
Policy Enabled Access Control: Meeting "Need to Share" Business Requirements
Gerry Gebel, President, Axiomatics Americas
ggebel@axiomatics.com | @ggebel | #cisNAPA
Setting the context
Operating in a "need to share" world

Objectives for this session
- Think more about attributes, and less about entitlements
- Business metadata and IT metadata
Financial services
- Account managers can view/edit records of clients directly assigned to them
- Account managers can view records for all clients in their branch, except VIP clients
- Managers can view/edit records of clients assigned to their subordinates
Electronic health records (examples after NIST SP 800-162, the ABAC guide)
- Nurse practitioners in the cardiology department can view the records of heart patients
- Billing administrators can view non-medical data for patients in the same state
- Emergency access is permitted, but logged
CRM
- Users can view customer cases for their LOB, country, region or role, or if they created the case
- Users with risk level != HIGH can approve cases
- For certain cases, e.g. Singapore, the user must be domiciled in the same country as the customer case
In the olden days, authorization was about: Who?

Authorization should really be about: When? What? How? Where? Who? Why?
It's all about the attributes!
- Attributes are sets of labels or properties that describe all aspects of the entities that must be considered for authorization purposes
- Attribute Based Access Control (ABAC) uses attributes as its building blocks
An Authorization Service
- De-coupled from applications (externalized authorization)
- Standards-compliant
- Fine-grained and context-aware
- Attribute-based and policy-based access control
Need to Share vs. Perimeters
Does the perimeter matter?
(Image slides; sources: http://bit.ly/U9l7wg and www.arrayguard.com)
Implementing the "need to share" model
Using attributes, policies and standards

The XACML Standard
- eXtensible Access Control Markup Language, an OASIS standard
- The de facto standard for fine-grained access control; current version: 3.0
- XACML defines a policy language, a request/response scheme (XML, SOAP, REST & JSON) and a reference architecture
The XACML Architecture
- Manage: Policy Administration Point (PAP)
- Decide: Policy Decision Point (PDP)
- Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
- Enforce: Policy Enforcement Point (PEP)
Authorization in depth & at the right layer
XACML: an "anywhere" authorization architecture
Attributes and Governance
Ensuring high-fidelity attributes

The Importance of Attribute Governance
- See the "garbage in, garbage out" principle: access policies rely on the validity and assurance of attribute values, so a decision is only as trustworthy as the least trustworthy attribute it consumes
- Some attributes will be managed by an attribute governance solution (mostly IT data)
- Other attributes are managed by your business activities (client data, research data, health records, etc.)
Governance – Authorization possibilities
- Governance tools keep track of "privilege-granting attributes", which enhances reporting and attestation
- Governance tools expose risk scores: has the user's access been certified on schedule? Does the user have a high risk profile?
- The authorization system can incorporate risk data: If $riskScore > $threshold Then DENY access
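The block below is an added example and is not code from the presentation, from Axiomatics or from the OASIS XACML reference material. It ties together the Financial services rules, the "emergency access is permitted, but logged" rule from the electronic health records slide (as an obligation), the PEP/PDP/PIP split of the XACML architecture, and the governance rule "If $riskScore > $threshold Then DENY" as a deny-overrides rule. Everything concrete in it is an assumption: the sample users and clients, the threshold of 70, the attribute names, and the request shape, which is a simplified dict that only borrows the XACML category names and is not the exact XACML JSON profile encoding.

```python
import json
from dataclasses import dataclass
from typing import Callable

# Constructed sample attribute stores standing in for the PIP's back ends
# (HR, CRM, governance tool). All names and values are hypothetical.
USERS = {
    "alice": {"role": "account_manager", "branch": "napa", "risk_score": 20},
    "bob":   {"role": "account_manager", "branch": "napa", "risk_score": 90},
    "carol": {"role": "manager", "branch": "napa", "risk_score": 10,
              "subordinates": ["alice", "bob"]},
}
CLIENTS = {
    "c1": {"owner": "alice", "branch": "napa",   "vip": False},
    "c2": {"owner": "bob",   "branch": "napa",   "vip": True},
    "c3": {"owner": "dave",  "branch": "sonoma", "vip": False},
}
RISK_THRESHOLD = 70  # hypothetical cut-off supplied by the governance tool


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                        # "Permit" or "Deny"
    condition: Callable[[dict], bool]
    obligations: tuple = ()            # handed to the PEP with a Permit


# Policy written over attributes, not per-user entitlements.
# Rule order is irrelevant under deny-overrides.
POLICY = [
    Rule("deny-high-risk", "Deny",            # governance slide
         lambda a: a["subject"]["risk_score"] > RISK_THRESHOLD),
    Rule("am-own-clients", "Permit",          # financial services, bullet 1
         lambda a: a["subject"]["role"] == "account_manager"
         and a["action"] in ("view", "edit")
         and a["resource"]["owner"] == a["subject"]["id"]),
    Rule("am-branch-non-vip", "Permit",       # financial services, bullet 2
         lambda a: a["subject"]["role"] == "account_manager"
         and a["action"] == "view"
         and a["resource"]["branch"] == a["subject"]["branch"]
         and not a["resource"]["vip"]),
    Rule("mgr-subordinate-clients", "Permit", # financial services, bullet 3
         lambda a: a["subject"]["role"] == "manager"
         and a["action"] in ("view", "edit")
         and a["resource"]["owner"] in a["subject"].get("subordinates", [])),
    Rule("emergency-view-logged", "Permit",   # EHR "permitted, but logged"
         lambda a: a["action"] == "view" and a["environment"].get("emergency", False),
         obligations=("audit-log",)),
]


def pip_enrich(request: dict) -> dict:
    """PIP: resolve the identifiers the PEP sent into policy attributes.
    Unknown identifiers raise KeyError so the caller reports Indeterminate
    instead of silently evaluating against empty data."""
    req = request["Request"]
    subj_id = req["AccessSubject"]["subject-id"]
    res_id = req["Resource"]["resource-id"]
    return {
        "subject": {"id": subj_id, **USERS[subj_id]},
        "resource": {"id": res_id, **CLIENTS[res_id]},
        "action": req["Action"]["action-id"],
        "environment": req.get("Environment", {}),
    }


def pdp_decide(attrs: dict, policy=POLICY) -> dict:
    """PDP: evaluate every rule and combine with deny-overrides, using the
    simplified ordering Deny > Indeterminate > Permit > NotApplicable."""
    decision, obligations, indeterminate = "NotApplicable", [], False
    for rule in policy:
        try:
            applies = bool(rule.condition(attrs))
        except (KeyError, TypeError):  # a required attribute is missing
            indeterminate = True
            continue
        if not applies:
            continue
        if rule.effect == "Deny":
            return {"Decision": "Deny", "Obligations": [], "Rule": rule.rule_id}
        decision = "Permit"
        obligations.extend(rule.obligations)
    if indeterminate:
        return {"Decision": "Indeterminate", "Obligations": []}
    return {"Decision": decision, "Obligations": sorted(set(obligations))}


def pep_check(subject_id: str, action: str, client_id: str, emergency=False):
    """PEP: build the request (simplified shape using XACML category names),
    obtain the decision and fail closed: anything but Permit is a deny."""
    request = {"Request": {
        "AccessSubject": {"subject-id": subject_id},
        "Action": {"action-id": action},
        "Resource": {"resource-id": client_id},
        "Environment": {"emergency": emergency},
    }}
    try:
        response = pdp_decide(pip_enrich(request))
    except KeyError:                   # PIP could not resolve an identifier
        response = {"Decision": "Indeterminate", "Obligations": []}
    allowed = response["Decision"] == "Permit"
    if allowed and "audit-log" in response["Obligations"]:
        # A PEP that cannot discharge an obligation must not grant access.
        print(json.dumps({"audit": request["Request"]}))
    return allowed, response
```

Two points the slides imply but do not spell out are visible here: the PEP treats NotApplicable and Indeterminate exactly like Deny, so a missing or unresolvable attribute never turns into access, and the "logged" part of emergency access is an obligation the PEP must discharge before honouring the Permit, not a side effect left to the application.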
In Summary

Benefits of Data Governance
- Securely enable new and existing business models
- Easier to manage applications: decoupling authorization from the application makes changes to the system easier to implement
- More secure applications: consistently enforce policies across heterogeneous platforms and systems at the level of granularity required
- Achieve audit and regulatory compliance: a declarative policy language makes auditing and certifying application access a straightforward process
Questions? Contact us at [email protected]