Protect your Applications and APIs with eXternalized Authorization

Modern infrastructures offer countless and ever-increasing data access points. Managing their protection is often a difficult and time-consuming task. Externalized authorization is therefore increasingly seen as an essential strategic goal for organizations that wish to streamline this process: you centralize access policies but enforce them wherever data is being accessed – inside applications, at the API level, in portals, ESBs, data access layers, etc. In this webinar we discuss how to approach externalized authorization in a heterogeneous environment.

At the end of the webinar attendees will walk away with a better knowledge of:
- the concept of externalized authorization
- when externalizing is beneficial and possible
- key design considerations when externalizing authorization

  • Feel free to ask questions via Twitter or GoToWebinar
  • Once upon a time, access control was about who you were. What mattered was your identity, or perhaps your role or group. But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why… Credits: Invisible: Andrew Cameron, from The Noun Project; Box: Martin Karachorov; Wrench: John O'Shea; Clock: Brandon Hopkins

    1. Webinar: Protect your applications and APIs with eXternalized authorization
    2. Webinar: Protect your applications and APIs with eXternalized authorization (countdown slide: this webinar will start in:)
    3. Guidelines: You are muted centrally. The webinar is recorded. Slides available for download. Q&A at the end.
    4. Upcoming Webinars: Best of Breed – Future-Proof your business with IdM 2.0 (October 23rd); Applying fine-grained authorization to Java MVC applications (October 31st)
    5. Presenter
    6. Developer Relationships Program. Aims to make it easier for developers to implement externalized authorization solutions. Aimed at developers, programmers, security architects, system architects and more. Initiatives include: products optimized for developers; tools to make development easier; training and education; community support. Axiomatics
    7. Twitter: @axiomatics #XACML
    8. eXternalized authorization
    9. When authorization isn't done right. Headlines: "New York City Health & Hospitals Corporation Releases Electronic Health Records"; "Citi Exposes Details of 150,000 Individuals Who Went into Bankruptcy"; "Facebook's Download Your Information releases too much information about your contacts". Figures shown on the slide: 150 000, 1 700 000, 6 000 000.
    10. But we don't like spending time on security. Time spent developing an application (pie chart: business logic vs. security, 80% / 20%). * And no, this isn't PacMan.
    11. How do developers do it today? {in-app} {home-grown AuthZ service} {application frameworks}
    12. In the olden days, authorization was about: Who?
    13. So how do you handle additional information? Context, Location, Relationship, Classification, Parent, Delegation, Address, Guardian, IP, Device, Pattern, Behavior, Risk, Clearance, Employment, Citizenship, Time, Intellectual Property, Export Control
    14. Authorization should really be about… Who? What? When? Where? Why? How? (Credits: all icons from the Noun Project | Invisible: Andrew Cameron | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins)
    15. The way it works today – the black box challenge. User to Application: "I want access to…". Inside the application: if (user=bob) then… Application to User: "Okay, here you go…", releasing the information asset.
    16. eXternalized Authorization. Centrally managed policy: "PERMIT user with clearance X to read document classified as …"; "DENY access to classified document if…". User to Application: "I want…". Application to authorization service: "PERMIT or DENY?" before the information asset is released.
    17. Why eXternalize Authorization
    18. Why eXternalize Authorization? Share information; simplify infrastructure admin; complex AuthZ policies; compliance; security; separate app and policy writers; solving complex authorization issues.
    19. Common Questions: Can all new COTS software be enabled for use with policy-driven externalized authorization? How can we adapt legacy systems to call an external authorization service? Are urgent security or compliance requirements the only reasons to externalize authorization? What preparations must be made before you shift to centralized authorization policies? Where and when can software components for enforcement of authorization policies be implemented?
    20. Common Conclusions. Externalized authorization offers maximum value if your organization: has complex authorization needs; wishes to separate out implementation of application and authorization logic; uses in-house developed/maintained applications; develops/configures integrations and gateways.
    21. How to eXternalize Authorization
    22. Any-Depth Authorization
    23. Where to intercept the access request (decision tree). Do you maintain the app code? YES: call the AuthZ service from your app. Do you control the app server? YES: use a servlet filter. App called via gateway? YES: enforce policies at the gateway. App invoked via service bus? YES: add an AuthZ service on the bus.
    24. Enforcing policy decisions
    25. Use case for externalized AuthZ: a business-process-supporting application. The data store does not come with capabilities for externalized XACML authorization out of the box. If access permissions depend on the state of the calling workflow app, authorization must include external factors.
    26. Use case continued. Documentum is an enterprise-level CM platform. The use case involved part of a larger process flow where access to a document involved a check: is the user requesting access a member of the case to which the document belongs? This involves attributes not available within Documentum, and it is costly to implement a PEP within Documentum. Look for a better entry point: the web service. Great place for interception: framework, code access. PEP implemented in web service filter code.
    27. Catching an access request (servlet-filter PEP; the Axiomatics SDK classes PDPConnection, PDPConnectionFactory, XacmlRequestBuilder, Request, SDKResponse and Constants, and the client's UserProfile, need their own imports):

        import java.io.IOException;
        import javax.servlet.Filter;
        import javax.servlet.FilterChain;
        import javax.servlet.FilterConfig;
        import javax.servlet.ServletException;
        import javax.servlet.ServletRequest;
        import javax.servlet.ServletResponse;
        import javax.servlet.http.HttpServletRequest;
        import javax.servlet.http.HttpSession;

        public class AxioDocumentCheck implements Filter {

            @Override
            public void init(FilterConfig filterConfig) throws ServletException { }

            @Override
            public void destroy() { }

            @Override
            public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                    throws IOException, ServletException {
                HttpServletRequest httpReq = (HttpServletRequest) req;
                HttpSession session = httpReq.getSession(true);
                // The user was authenticated upstream; the PEP only needs its identifier
                UserProfile userProfile = (UserProfile) session.getAttribute(
                        "com.client.securityrequest.validatesession.UserProfile");
                String userId = userProfile.getWebId();
                try {
                    PDPConnection pdpConn = PDPConnectionFactory.getPDPConnection("");
                    // Build a XACML 3 request: subject = the user, resource = the requested document
                    Request request = new XacmlRequestBuilder(3)
                        .addSubjectAttribute("username", userId)
                        .addResourceAttribute(Constants.RESOURCE_ID, session.getAttribute("doc-id"))
                        .buildRequest();
                    SDKResponse response = pdpConn.evaluate(request);
                    // Access the decision from SDKResponse; 0 is the Permit decision
                    if (response.getDecision() != 0) {
                        System.out.println("User " + userId + " is not authorized to access this document");
                        httpReq.getRequestDispatcher("/notauthorized.html").forward(req, resp);
                        return;
                    }
                } catch (Exception e) {
                    // Fail closed: an error talking to the PDP must not grant access
                    e.printStackTrace();
                    httpReq.getRequestDispatcher("/notauthorized.html").forward(req, resp);
                    return;
                }
                // Permit: let the request continue down the filter chain
                chain.doFilter(req, resp);
            }
        }
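Added example, not from the webinar or from Axiomatics: a small Python PDP/PEP pair that models the centrally managed policies of slide 16 and the case-membership check of slide 26, with the PEP failing closed the way the servlet filter of slide 27 should. Attribute names, clearance levels, rule names and decision strings are constructed for illustration and are not XACML or SDK identifiers.

```python
# Constructed example: attribute-based PDP with XACML-style deny-overrides,
# and a PEP that only opens on an explicit Permit.
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # constructed ordering

@dataclass
class AuthzRequest:
    subject: dict   # e.g. {"username": ..., "clearance": ..., "case-memberships": [...]}
    resource: dict  # e.g. {"resource-id": ..., "classification": ..., "case-id": ...}
    action: str

def rule_clearance(req):
    """Slide 16: PERMIT a read when the subject's clearance covers the classification."""
    if req.action != "read":
        return NOT_APPLICABLE
    try:
        ok = LEVELS[req.subject["clearance"]] >= LEVELS[req.resource["classification"]]
    except KeyError:            # attribute missing or unknown level: the PDP cannot decide
        return INDETERMINATE
    return PERMIT if ok else DENY

def rule_case_membership(req):
    """Slide 26: DENY access to a case document unless the subject belongs to that case."""
    case = req.resource.get("case-id")
    if case is None:
        return NOT_APPLICABLE   # not a case document; this rule has nothing to say
    return PERMIT if case in req.subject.get("case-memberships", ()) else DENY

POLICY = (rule_clearance, rule_case_membership)

def pdp_evaluate(req, rules=POLICY):
    """PDP: combine rule results with deny-overrides precedence (Deny > Indeterminate > Permit)."""
    results = [rule(req) for rule in rules]
    for decision in (DENY, INDETERMINATE, PERMIT):
        if decision in results:
            return decision
    return NOT_APPLICABLE

def pep_allow(req, pdp=pdp_evaluate):
    """PEP (the servlet filter's role): only an explicit Permit lets the request through.
    Deny, NotApplicable, Indeterminate and any failure reaching the PDP all fail closed."""
    try:
        return pdp(req) == PERMIT
    except Exception:
        return False
```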
    28. Questions? Contact us at © 2013 Axiomatics AB