Fine-Grained Authorization for
Cloud-based Services
David Brossard
Axiomatics
@davidjbrossard - @axiomatics
© 2012, Axioma...
3 strategies to extend authorization to the Cloud
We’re in London, we definitely need this strategy
What it means for
cust...
Access control or authorization (AuthZ)
Who can do what?
“The authorization function determines whether
a particular entit...
Heard enough about SSO, federation and SAML?
Authentication: Hi, I prove who I say I am
One-off process
Focus: user’s iden...
The issue with
Authorization today
The black box challenge
© 2012, Axiomatics AB 5
System growth leads to AuthZ challenges
App
App
App
Cost
Brittleness
Static
Risk
Lack of visibility
Lack of audit
Violatio...
What happens to my data?
Who can access which information?
How do I comply with (what the auditor will ask
for)
Regulation...
Export Control
Know the user (citizenship, location, affiliation)
Know the end use (end location, purpose of use)
Example:...
Fine-grained authorization
to the rescue
Attribute-based access control
XACML
© 2012, Axiomatics AB 9
Authorization is nearly always about
Who?
Identity + role (+ group)
© 2012, Axiomatics AB 10
Credits: all icons from the N...
Authorization should really be about…
When?What? How?Where?Who? Why?
© 2012, Axiomatics AB 11
Credits: all icons from the ...
eXtensible Access Control Markup Language
OASIS standard
XACML is expressed as
A specification document (a PDF) and
An XML...
© 2012, Axiomatics AB
Refresher: the XACML architecture
Decide
Policy Decision Point
Manage
Policy Administration Point
Su...
© 2012, Axiomatics AB 14
XACML  Transparent & Externalized AuthZ
Centrally managed policy:
”PERMIT user with clearance X ...
XACML  Anywhere AuthZ & Architecture
Datacenter
App A
Service
A
Service
D
Service
E
Service
M
Service
O
SaaS SaaS
© 2012,...
Fine-grained Authorization
for the Cloud
Three strategies for externalized
authorization in the cloud
© 2012, Axiomatics A...
A SaaS provider should offer
Functional APIs (their core business)
Non-functional (Security) APIs
Let customers push their...
SaaS provider
Option #1 – Architecture
Central IT:
Company A
SaaS Admin delegates rights to manage access control provided...
Pros
Consistent access control
Fine-grained
Risk-aware
Future-proof
SaaS vendor benefit
multi-tenancy
Cons
Not many SaaS v...
If you can restrict access to SaaS applications
from within the corporate network…
All access to SaaS apps could be made t...
Option #2 – Architecture
SaaS App #1
SaaS App #2
SaaS App #3
VPN
© 2012, Axiomatics AB 21
Pros
Workaround current SaaS
limitations
Easy to deploy
Available today
Cons
No direct access to SaaS app
Forces users to ...
What if the provider is reluctant to adopt XACML?
“If the application won’t go to XACML then XACML
will go to the applicat...
SaaS provider
Option #3 – Architecture
Central IT:
Company A
Convert XACML policies to the native
format expected by the S...
Pros
Feasible today
Viable solution
Extends the customer’s
XACML-based authorization
system’s reach
Cons
Possible loss of ...
Cloud requires eXtensible Authorization
Fine-grained
Externalized
Traditional approaches
#1: tell your SaaS provider to ad...
Questions?
Contact us at
info@axiomatics.com
Upcoming SlideShare
Loading in...5
×

Fine grained access control for cloud-based services

568

Published on

Published in: Technology, Business
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
568
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
28
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Fine grained access control for cloud-based services

  1. 1. Fine-Grained Authorization for Cloud-based Services David Brossard Axiomatics @davidjbrossard - @axiomatics © 2012, Axiomatics AB 1
  2. 2. 3 strategies to extend authorization to the Cloud We’re in London, we definitely need this strategy What it means for customers SaaS providers What you will learn © 2012, Axiomatics AB 2
  3. 3. Access control or authorization (AuthZ) Who can do what? “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.” What’s authorization? © 2012, Axiomatics AB 3
  4. 4. Heard enough about SSO, federation and SAML? Authentication: Hi, I prove who I say I am One-off process Focus: user’s identity and the proof of identity Standards: OpenID, OAUTH, SAML… Authorization: Hi, can I transfer this amount? From code-driven to policy-driven Standard: XACML Authorization comes after Authentication © 2012, Axiomatics AB 4
  5. 5. The issue with Authorization today The black box challenge © 2012, Axiomatics AB 5
  6. 6. System growth leads to AuthZ challenges App App App Cost Brittleness Static Risk Lack of visibility Lack of audit Violation of SoD SaaS SaaS SaaS © 2012, Axiomatics AB 6
  7. 7. What happens to my data? Who can access which information? How do I comply with (what the auditor will ask for) Regulations? E.g. Export Control Contractual obligations? Going to the cloud doesn’t make it easier Do I need a different approach for cloud? The Authorization Challenge © 2012, Axiomatics AB 7
  8. 8. Export Control Know the user (citizenship, location, affiliation) Know the end use (end location, purpose of use) Example: Manufacturing in the cloud © 2012, Axiomatics AB 8
  9. 9. Fine-grained authorization to the rescue Attribute-based access control XACML © 2012, Axiomatics AB 9
  10. 10. Authorization is nearly always about Who? Identity + role (+ group) © 2012, Axiomatics AB 10 Credits: all icons from the Noun Project | Invisible: Andrew Cameron
  11. 11. Authorization should really be about… When?What? How?Where?Who? Why? © 2012, Axiomatics AB 11 Credits: all icons from the Noun Project | Invisible: Andrew Cameron, | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins
  12. 12. eXtensible Access Control Markup Language OASIS standard XACML is expressed as A specification document (a PDF) and An XML schema Policy-based & attribute-based language Implement authorization based on object relations Only employees of a given plant can see technical data linked to items assigned to the plant © 2012, Axiomatics AB 12 Behold XACML, the standard for ABAC
  13. 13. © 2012, Axiomatics AB Refresher: the XACML architecture Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point 13
  14. 14. © 2012, Axiomatics AB 14 XACML  Transparent & Externalized AuthZ Centrally managed policy: ”PERMIT user with clearance X to read document classified as ….” “DENY access to classified document if…” User Application Information asset I want… PERMIT or DENY? PERMIT or DENY?
  15. 15. XACML  Anywhere AuthZ & Architecture Datacenter App A Service A Service D Service E Service M Service O SaaS SaaS © 2012, Axiomatics AB 15 Private Cloud
  16. 16. Fine-grained Authorization for the Cloud Three strategies for externalized authorization in the cloud © 2012, Axiomatics AB 16
  17. 17. A SaaS provider should offer Functional APIs (their core business) Non-functional (Security) APIs Let customers push their own XACML policies Apply the administrative delegation profile http://docs.oasis-open.org/xacml/3.0/xacml-3.0- administration-v1-spec-en.html Option #1 – tell your provider to adopt XACML © 2012, Axiomatics AB 17
  18. 18. SaaS provider Option #1 – Architecture Central IT: Company A SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users. Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes Customer A users use the SaaS application 18© 2012, Axiomatics AB App#1 App#2 App#3 FunctionalAPI XACML Mgmt API 1. 2. 3.
  19. 19. Pros Consistent access control Fine-grained Risk-aware Future-proof SaaS vendor benefit multi-tenancy Cons Not many SaaS vendors support XACML today Option #1 – Pros & Cons © 2012, Axiomatics AB 19
  20. 20. If you can restrict access to SaaS applications from within the corporate network… All access to SaaS apps could be made to tunnel through a proxy Option #2 – Proxy your cloud connections © 2012, Axiomatics AB 20
  21. 21. Option #2 – Architecture SaaS App #1 SaaS App #2 SaaS App #3 VPN © 2012, Axiomatics AB 21
  22. 22. Pros Workaround current SaaS limitations Easy to deploy Available today Cons No direct access to SaaS app Forces users to go via VPN Access may not be as fine grained as Option #1 Lack of visibility into the SaaS data Option #2 – Pros & Cons © 2012, Axiomatics AB 22
  23. 23. What if the provider is reluctant to adopt XACML? “If the application won’t go to XACML then XACML will go to the application” Eve Maler, Forrester You still get Centrally managed authorization Standards-based (XACML) Approach Convert from XACML to expected SaaS format Push via SaaS management APIs Option #3 – Policy Provisioning based on XACML © 2012, Axiomatics AB 23
  24. 24. SaaS provider Option #3 – Architecture Central IT: Company A Convert XACML policies to the native format expected by the SaaS provider Customer A users use the SaaS application App#1 App#2 App#3 FunctionalAPI Native API © 2012, Axiomatics AB 24 Authorization constraints / permissions in the format expected by the SaaS provider
  25. 25. Pros Feasible today Viable solution Extends the customer’s XACML-based authorization system’s reach Cons Possible loss of XACML richness in access control Loss of dynamic nature Option #3 – Pros & Cons © 2012, Axiomatics AB 25
  26. 26. Cloud requires eXtensible Authorization Fine-grained Externalized Traditional approaches #1: tell your SaaS provider to adopt XACML. #2: proxy your cloud connections. Extended approach #3: Policy Provisioning based on XACML Also works for business apps (SharePoint, Windows) To summarize © 2012, Axiomatics AB 26
  27. 27. Questions? Contact us at info@axiomatics.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×