How to achieve ABAC today

Description: Runtime ABAC Systems – Where are they Applicable? Presentation by Gerry Gebel (Axiomatics), July 14, 2014.

Transcript of How to achieve ABAC today

Page 1: How to achieve ABAC today

© 2014 Axiomatics AB

Runtime ABAC Systems – Where are they Applicable?

How to Achieve ABAC Today – July 2014

Gerry Gebel, Axiomatics ([email protected], @ggebel)

Page 2: How to achieve ABAC today

Agenda

Business trends that are influencing authorization requirements

Externalized Authorization and ABAC

Standards update, if time permits: JSON, REST, & ALFA

Page 3: How to achieve ABAC today

Business Trends & AuthZ

Page 4: How to achieve ABAC today


The information map has been completely redrawn and it’s not finished yet

Page 5: How to achieve ABAC today


Page 6: How to achieve ABAC today


Next generation information security

= dynamic authorization

= attribute based access control

Page 7: How to achieve ABAC today

Grant or deny access to sensitive / business-critical information based on the following attributes: Who, What, When, Where, Why, How

Page 8: How to achieve ABAC today

Legacy access controls fail in dynamic environments

ABAC thrives in dynamic environments

Page 9: How to achieve ABAC today

Switch to effective & efficient access control policies

FROM: Internal controls, matrix and manual checklists

A matrix of manual checks, one column per application (Application A, Application B, Application C) and one row per control area, each cell a checklist entry:

COMPLIANCE: Conforming with privacy regulation?

RISK MGMT: Segregation of duties checked?

ISO 27000 ISMS: Classification of data & access control policies implemented?

TO: Centrally maintained policies consistently enforced across applications by a single Authorization service

Page 10: How to achieve ABAC today

Externalized Authorization and ABAC

Page 11: How to achieve ABAC today


Implementation Phases

Access policies: how are they authored/managed?

The attributes: where do they come from?

Application integration: how does ABAC connect with the application?

Page 12: How to achieve ABAC today

ABAC access policies

Choose the right tool for the audience: business analysts, systems administrators, application developers

Page 13: How to achieve ABAC today

ABAC access policies for Business Analysts: Natural Language Processing (XpressRules)

Page 14: How to achieve ABAC today

ABAC access policies for System Administrators

Page 15: How to achieve ABAC today

ABAC access policies for Application Developers: ALFA* Eclipse plug-in

    policy allowTransaction {
        target clause userRole == "manager" and actionId == "approve" and resType == "transaction"
        apply firstApplicable
        rule allowIfLowRiskScore {
            condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
            permit
        }
    }

*Submitted to OASIS as XACML Profile

Page 16: How to achieve ABAC today


Attribute Sources

Attributes are contained in the access request message

Additional attributes are retrieved at runtime

Page 17: How to achieve ABAC today

Attribute sources

The XACML Request carries attributes in four categories: Subject, Action, Resource, and Environment. Attribute sources feed each of these categories.

Page 18: How to achieve ABAC today

Run-time retrieval from attribute sources: VDS (virtual directory), Directories, Active Directory, Databases, Applications

Page 19: How to achieve ABAC today


Applying ABAC to every layer of your application

ADAF

Page 20: How to achieve ABAC today

ABAC at the presentation tier

Hide or reveal menu items, drop-down lists, widgets, etc.

Activate/deactivate portal buttons

Implement with any application framework or programming language: Java, .NET, Ruby, Python, PHP, Spring, etc.

Page 21: How to achieve ABAC today

ABAC at the business / API tier

A Web Services Client calls the Web Services Server through a gateway, and the gateway acts as the PEP (policy enforcement point). The diagram's example back ends are labelled Licensing site.

Note: optionally use Axiomatics PDP on the SecureSpan Gateway

Page 22: How to achieve ABAC today

ABAC at the Database tier

User Bob wants to SELECT * from table T. The statement passes through the Authorization Service, which has access to the Policies and the Attribute Sources, before the Application reaches Data storage:

1. SQL statement is intercepted

2. A query is sent to the external authorization service

3. The authorization engine evaluates the relevant policies

4. It may also need to query external attribute sources for more info

5. The result: SQL statement is dynamically modified and only authorized data is returned to the user

Bob's SELECT * FROM TABLE T becomes SELECT A,B FROM TABLE T WHERE…, and only the filtered data comes back.

© 2014 Axiomatics AB
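The five steps above, as an added worked example that is not from the deck and not Axiomatics' ADAF code. It assumes a constructed authorization outcome per (user, table) standing in for what the external authorization service would return after evaluating its policies (steps 2–4), constructed sample rows for a table T(A, B, C, region), and handles only simple single-table SELECT statements; everything else is refused rather than passed through unfiltered. The rewriter narrows SELECT * to the authorized columns, ANDs the policy's row filter onto the caller's WHERE clause, and runs the result against an in-memory SQLite copy of T so the filtered rows are visible.

```python
import re
import sqlite3

# Constructed authorization outcomes, standing in for what the external
# authorization service returns after evaluating its policies (steps 2-4).
# Per (user, table): the columns the user may see and a row-level predicate.
DECISIONS = {
    ("bob", "T"): {"columns": ["A", "B"], "row_filter": "region = 'EMEA'"},
    ("alice", "T"): {"columns": ["A", "B", "C", "region"], "row_filter": None},
}

# Constructed sample rows for table T(A, B, C, region).
ROWS = [
    (1, "b1", "c1", "EMEA"),
    (2, "b2", "c2", "APAC"),
    (3, "b3", "c3", "EMEA"),
]

# Only simple single-table SELECTs are handled; anything else is refused.
SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def authorize(user, table):
    """Step 2: ask the authorization service. No decision means no access."""
    return DECISIONS.get((user, table))


def rewrite(sql, user):
    """Steps 1 and 5: intercept the statement and return the filtered version."""
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("unsupported statement shape: %r" % sql)
    table = m.group("table")
    decision = authorize(user, table)
    if decision is None:
        raise PermissionError("%s may not read table %s" % (user, table))

    allowed = {c.upper() for c in decision["columns"]}
    requested = [c.strip() for c in m.group("cols").split(",")]
    if requested == ["*"]:
        # SELECT * is narrowed to the authorized column set (the slide's case).
        columns = decision["columns"]
    else:
        # An explicit request for a column the user may not see is refused
        # outright: silently dropping it would hand the application a
        # different result shape than it asked for.
        denied = [c for c in requested if c.upper() not in allowed]
        if denied:
            raise PermissionError("%s may not read column(s) %s" % (user, ", ".join(denied)))
        columns = requested

    predicates = []
    if m.group("where"):
        # Parenthesise the caller's predicate so an OR inside it cannot
        # escape the AND with the policy's row filter.
        predicates.append("(%s)" % m.group("where").strip())
    if decision["row_filter"]:
        predicates.append("(%s)" % decision["row_filter"])

    out = "SELECT %s FROM %s" % (", ".join(columns), table)
    if predicates:
        out += " WHERE " + " AND ".join(predicates)
    return out


def run_as(user, sql):
    """Execute the rewritten statement against an in-memory copy of T."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T (A INTEGER, B TEXT, C TEXT, region TEXT)")
    conn.executemany("INSERT INTO T VALUES (?, ?, ?, ?)", ROWS)
    try:
        return conn.execute(rewrite(sql, user)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(rewrite("SELECT * FROM T", "bob"))
    print(run_as("bob", "SELECT * FROM T"))
    print(run_as("alice", "SELECT * FROM T WHERE A > 1"))
```

One limitation worth knowing before copying this pattern: the caller's WHERE clause is kept verbatim, so a user who may not read column C can still probe it through predicates such as C = 'x'. A production filter parses the whole statement and applies the column policy to predicates, joins and subqueries as well as to the select list.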

Page 23: How to achieve ABAC today

To Summarize

The ABAC trend is underway; it’s time to get started with your plans

The technology is mature and ready to implement

This group of best-in-class vendors offers compelling integrations

…and a few more comments on standards, if time permits

Page 24: How to achieve ABAC today

REST, JSON, & ALFA: What’s new on the standards front?

Page 25: How to achieve ABAC today


JSON encoding of an authZ request

    {
      "subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
      "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
      "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}
    }

Page 26: How to achieve ABAC today

JSON vs. XML

Size of a XACML request: chart comparing the XML and JSON encodings of the same request by word count (axis 0–45) and by character count (axis 0–1400).

Page 27: How to achieve ABAC today

REST Profile: What’s new in the XACML standard

Diagram: requests and responses exchanged as XML over HTTP, or as JSON over HTTP.

Page 28: How to achieve ABAC today

ALFA – Axiomatics Language for Authorization: a Domain Specific Language (DSL) that provides an abstraction over XACML

Pseudo language is similar to C# or Java

Author policies in the Eclipse IDE; the plug-in automatically generates XACML

Axiomatics has committed to submit ALFA as an XACML profile

Page 29: How to achieve ABAC today


A policy example, in ALFA

    policy allowTransaction {
        target clause userRole == "manager" and actionId == "approve" and resType == "transaction"
        apply firstApplicable
        rule allowIfLowRiskScore {
            condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
            permit
        }
    }
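The allowTransaction policy (shown on Pages 15 and 29), evaluated in Python against a request in the JSON shape from Page 25, with the attribute retrieval of Pages 16–18 modelled as a lookup in a constructed in-memory directory. This is an added example, not Axiomatics code and not a conformant XACML PDP: the attribute ids are the ALFA identifiers used in the policy (username plus userRole, actionId, resType, transactionRiskScore, transactionAmount, userApprovalLimit), the directory contents are made up, and only this one policy is hard-coded. What it does follow is XACML decision semantics: a non-matching target gives NotApplicable, a false rule condition under firstApplicable also gives NotApplicable, and a condition that references an attribute the PDP cannot resolve gives Indeterminate; the PEP side treats anything but Permit as a denial.

```python
import json

# Constructed runtime attribute source (a stand-in for the directory /
# database / VDS a real PDP would query through a PIP). Keyed by username;
# these attributes are deliberately NOT carried in the request message.
DIRECTORY = {
    "alice": {"userRole": "manager", "userApprovalLimit": 10000},
    "bob": {"userRole": "clerk", "userApprovalLimit": 500},
}


def flatten(category):
    """Turn one request category ({"attribute": [{attributeId, value}, ...]})
    into a plain {attributeId: value} dict."""
    return {a["attributeId"]: a["value"] for a in category.get("attribute", [])}


class Pdp:
    """Evaluates the slides' allowTransaction policy (hand-translated from ALFA)."""

    def __init__(self, pip=DIRECTORY):
        self.pip = pip

    def resolve(self, request):
        """Merge the attributes carried in the request with the ones retrieved
        at runtime. Values present in the request win over PIP values."""
        attrs = {}
        for category in ("subject", "action", "resource", "environment"):
            attrs.update(flatten(request.get(category, {})))
        for key, value in self.pip.get(attrs.get("username"), {}).items():
            attrs.setdefault(key, value)
        return attrs

    def evaluate(self, request):
        a = self.resolve(request)
        # target clause userRole=="manager" and actionId=="approve" and resType=="transaction"
        # A missing target attribute simply fails to match (XACML MustBePresent=false),
        # so the policy is NotApplicable rather than an error.
        if not (a.get("userRole") == "manager"
                and a.get("actionId") == "approve"
                and a.get("resType") == "transaction"):
            return "NotApplicable"
        # apply firstApplicable: the only rule is allowIfLowRiskScore.
        try:
            condition = (a["transactionRiskScore"] < 5
                         and a["transactionAmount"] <= a["userApprovalLimit"])
        except KeyError:
            # An attribute referenced by the condition that cannot be resolved
            # makes the rule Indeterminate; a PEP must treat that as a denial.
            return "Indeterminate"
        # A rule whose condition is false is NotApplicable, and with no further
        # rules firstApplicable yields NotApplicable for the whole policy.
        return "Permit" if condition else "NotApplicable"


def make_request(username, action_id, res_type, risk_score=None, amount=None):
    """Build a request in the JSON shape from the deck's encoding slide."""
    resource = [{"attributeId": "resType", "value": res_type}]
    if risk_score is not None:
        resource.append({"attributeId": "transactionRiskScore", "value": risk_score})
    if amount is not None:
        resource.append({"attributeId": "transactionAmount", "value": amount})
    return {
        "subject": {"attribute": [{"attributeId": "username", "value": username}]},
        "resource": {"attribute": resource},
        "action": {"attribute": [{"attributeId": "actionId", "value": action_id}]},
    }


def decide(pdp, username, action_id, res_type, risk_score=None, amount=None):
    """PEP side: serialise the request to JSON (as it would travel over HTTP),
    let the PDP evaluate it, and return the XACML decision string."""
    wire = json.dumps(make_request(username, action_id, res_type, risk_score, amount))
    return pdp.evaluate(json.loads(wire))


def pep_allows(decision):
    """Deny-by-default enforcement: only an explicit Permit lets the call through."""
    return decision == "Permit"


if __name__ == "__main__":
    pdp = Pdp()
    for args in [("alice", "approve", "transaction", 2, 5000),
                 ("alice", "approve", "transaction", 7, 5000),
                 ("alice", "approve", "transaction", 2, 50000),
                 ("bob", "approve", "transaction", 1, 100),
                 ("alice", "approve", "transaction")]:
        print(args, "->", decide(pdp, *args))
```

The point to take from the Indeterminate branch: when the request omits transactionRiskScore or transactionAmount and no attribute source can supply them, the decision is neither Permit nor NotApplicable, and a PEP that only checks "is it Deny?" would let the call through. Checking for an explicit Permit, as pep_allows does, is the safe pattern.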

Page 30: How to achieve ABAC today

Thank you for listening

Please save your questions for the vendor panel

Page 31: How to achieve ABAC today

Upcoming events & webinars

Don’t miss out on these events!

July 19th – July 23rd (Monterey, CA): Cloud Identity Summit

August 5th: Webinar: Why Your Organization Can’t Manage Without ABAC

December 2nd – December 4th (Las Vegas, NV): Gartner Identity & Access Management Summit North America

More at www.axiomatics.com/events