CIS13: Policy Enabled Access Control: Meeting “Need to Share” Business Requirements
Gerry Gebel, President, Axiomatics Americas
The most important, sensitive and valuable information your organization manages is exactly what your partners, customers and internal teams require access to. How do you implement this need-to-share business model without disclosing too much data and running afoul of laws, regulations or internal business rules? This session will describe how access policies and attributes are combined to provide a flexible and effective authorization solution.

Published in Business, Technology
  • 1. Policy Enabled Access Control: Meeting “Need to Share” Business Requirements. Gerry Gebel, President, Axiomatics Americas. @ggebel #cisNAPA
  • 2. Setting the context: operating in a “need to share” world. #cisNAPA 2
  • 3. Objectives for this session #cisNAPA 3
      • Think more about attributes (business metadata)
      • and less about entitlements (IT metadata)
  • 4. Financial services #cisNAPA 4
      • Account managers can view/edit records of clients directly assigned to them
      • Account managers can view records for all clients in their branch, except VIP clients
      • Managers can view/edit records of clients assigned to their subordinates
  • 5. Electronic health records (NIST ABAC 800-162) #cisNAPA 5
      • Nurse Practitioners in the Cardiology Department can view the records of heart patients
      • Billing administrators can view non-medical data for patients in the same state
      • Emergency access is permitted, but logged
  • 6. CRM #cisNAPA 6
      • Users can view customer cases for their LOB, country, region, role or if they created the case #
      • Users with risk level != HIGH can approve cases
      • For certain cases, e.g. Singapore, user must be domiciled in same country as the customer case
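The scenario slides above state access rules purely in terms of attributes (role, branch, assignment, department, an emergency flag). The following is an added example, not code from the deck or from Axiomatics: a minimal evaluator in Python for the slide 4 and slide 5 rules. The attribute names, the Rule/Request representation, the deny-overrides combining of rules, the use of an obligation for "permitted, but logged", and every sample subject and record are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, object]  # one attribute bag (subject, resource or environment)


@dataclass
class Request:
    subject: Attrs
    resource: Attrs
    action: str
    environment: Attrs = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str                         # "Permit" or "Deny"
    target: Callable[[Request], bool]   # predicate over the request's attributes
    obligation: Optional[str] = None    # duty the enforcement point must carry out


# Slide 4, financial services: the three policies written over attributes
# (role, branch, assignment, VIP flag) rather than per-user entitlements.
FINANCIAL_RULES: List[Rule] = [
    Rule("own-client", "Permit",
         lambda r: r.action in ("view", "edit")
         and r.subject["role"] == "account_manager"
         and r.resource["assigned_to"] == r.subject["id"]),
    Rule("same-branch-view", "Permit",
         lambda r: r.action == "view"
         and r.subject["role"] == "account_manager"
         and r.resource["branch"] == r.subject["branch"]),
    # "except VIP clients": a Deny rule that, under deny-overrides, beats the
    # same-branch Permit unless the VIP client is assigned to this manager.
    Rule("vip-exception", "Deny",
         lambda r: r.subject["role"] == "account_manager"
         and r.resource.get("vip", False)
         and r.resource["assigned_to"] != r.subject["id"]),
    Rule("manager-of-assignee", "Permit",
         lambda r: r.action in ("view", "edit")
         and r.subject["role"] == "manager"
         and r.resource["assigned_to"] in r.subject["subordinates"]),
]

# Slide 5, health records: "emergency access is permitted, but logged" becomes
# a Permit that carries an obligation; an environment attribute drives it.
EHR_RULES: List[Rule] = [
    Rule("cardiology-np", "Permit",
         lambda r: r.action == "view"
         and r.subject["role"] == "nurse_practitioner"
         and r.subject["department"] == "cardiology"
         and r.resource["condition"] == "heart"),
    Rule("emergency-access", "Permit",
         lambda r: r.action == "view" and r.environment.get("emergency", False),
         obligation="log_emergency_access"),
]


def decide(rules: List[Rule], request: Request) -> Tuple[str, List[str]]:
    """Deny-overrides combining: the first applicable Deny wins; otherwise any
    applicable Permit (with its obligations); otherwise NotApplicable, which a
    fail-closed enforcement point treats as a refusal."""
    permitted: List[Rule] = []
    for rule in rules:
        if not rule.target(request):
            continue
        if rule.effect == "Deny":
            return "Deny", [rule.obligation] if rule.obligation else []
        permitted.append(rule)
    if permitted:
        return "Permit", [r.obligation for r in permitted if r.obligation]
    return "NotApplicable", []


# Constructed sample data (not from the slides).
ALICE = {"id": "am-1", "role": "account_manager", "branch": "boston", "subordinates": []}
BOB = {"id": "mgr-9", "role": "manager", "branch": "boston", "subordinates": ["am-1"]}
CLIENT_OWN = {"id": "c-100", "assigned_to": "am-1", "branch": "boston", "vip": False}
CLIENT_PEER = {"id": "c-200", "assigned_to": "am-2", "branch": "boston", "vip": False}
CLIENT_VIP = {"id": "c-300", "assigned_to": "am-2", "branch": "boston", "vip": True}
NURSE = {"id": "np-4", "role": "nurse_practitioner", "department": "cardiology"}
HEART_RECORD = {"id": "p-1", "condition": "heart"}
ONCOLOGY_RECORD = {"id": "p-2", "condition": "oncology"}

if __name__ == "__main__":
    for label, rules, req in [
        ("alice edits own client", FINANCIAL_RULES, Request(ALICE, CLIENT_OWN, "edit")),
        ("alice views peer's client", FINANCIAL_RULES, Request(ALICE, CLIENT_PEER, "view")),
        ("alice views peer's VIP client", FINANCIAL_RULES, Request(ALICE, CLIENT_VIP, "view")),
        ("bob edits subordinate's client", FINANCIAL_RULES, Request(BOB, CLIENT_OWN, "edit")),
        ("nurse views oncology record in an emergency", EHR_RULES,
         Request(NURSE, ONCOLOGY_RECORD, "view", {"emergency": True})),
    ]:
        print(f"{label}: {decide(rules, req)}")
```

The VIP exception is the instructive case: written as its own Deny rule it needs no change to the same-branch rule, and deny-overrides guarantees it wins whenever both apply. The emergency rule shows why the decision returns obligations alongside Permit: the enforcement point must write the log entry, otherwise the access is not "permitted, but logged".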
  • 7. In the olden days, authorization was about Who? #cisNAPA 7
  • 8. Authorization should really be about… Who? What? When? Where? How? Why? #cisNAPA 8
  • 9. It’s all about the attributes! #cisNAPA 9
      • Attributes are sets of labels or properties
      • Attributes describe all aspects of entities that must be considered for authorization purposes
      • Attribute Based Access Control (ABAC) uses attributes as building blocks
  • 10. An Authorization Service #cisNAPA 10
      • De-coupled from applications
      • Standards-compliant
      • Fine-grained
      • Context-aware
      • Attribute-based access control
      • Externalized AuthZ
      • Policy-based access control
  • 11. Need to Share vs. Perimeters: does the perimeter matter? #cisNAPA 11
  • 12. #cisNAPA   12  
  • 13. Source: http:// #cisNAPA 13
  • 14. #cisNAPA   14  
  • 15. #cisNAPA   15  
  • 16. #cisNAPA   16  
  • 17. Source:   #cisNAPA   17  
  • 18. Implementing the “need to share” model: using attributes, policies and standards. #cisNAPA 18
  • 19. The XACML Standard #cisNAPA 19
      • eXtensible Access Control Markup Language
      • An OASIS standard
      • The de facto standard for fine-grained access control
      • Current version: 3.0
      • XACML defines a policy language; a request/response scheme (XML, SOAP, REST & JSON); and a reference architecture
  • 20. The XACML Architecture #cisNAPA 20
      • Manage: Policy Administration Point
      • Decide: Policy Decision Point
      • Support: Policy Information Point, Policy Retrieval Point
      • Enforce: Policy Enforcement Point
  • 21. Authorization in depth & at the right layer #cisNAPA 21
  • 22. XACML → Anywhere Authorization Architecture #cisNAPA 22
  • 23. Attributes and Governance: ensuring high fidelity attributes. #cisNAPA 23
  • 24. The Importance of Attribute Governance #cisNAPA 24
      • See the “garbage in, garbage out” principle
      • Access policies rely on validity/assurance of attribute values
      • Some attributes will be managed by an attribute governance solution (mostly IT data)
      • Other attributes are managed by your business activities (client data, research data, health records, etc.)
  • 25. Governance: Authorization possibilities #cisNAPA 25
      • Governance tools keep track of “privilege granting attributes”; this enhances reporting and attestation
      • Governance tools expose risk scores: has the user’s access been certified on schedule? Does the user have a high risk profile?
      • Authorization system can incorporate risk data: If $riskScore > $threshold Then DENY access
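Slide 20 names the four XACML roles and slide 25 shows governance data entering a decision through a risk score. The following is an added example in Python, not Axiomatics code and not the XACML reference architecture itself: the four classes mirror the PAP/PDP/PIP/PEP roles, the PIP fronts a governance feed, and the risk rule is the slide's "If $riskScore > $threshold Then DENY access". The attribute ids riskScore and accessCertified, the threshold of 70, the policy names and the governance records are constructed for this illustration; the point it adds is what happens when the PIP cannot supply an attribute.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

RISK_THRESHOLD = 70  # constructed value standing in for $threshold on slide 25


class PolicyInformationPoint:
    """Support: supplies attributes the request did not carry. Here it fronts
    the governance system's per-user risk score and certification status."""

    def __init__(self, governance_records: Dict[str, Dict[str, object]]):
        self.records = governance_records

    def lookup(self, subject_id: str, attribute_id: str):
        try:
            return self.records[subject_id][attribute_id]
        except KeyError:
            # Missing data is reported, never silently replaced by a safe-looking default.
            raise LookupError(f"{attribute_id} unavailable for {subject_id}")


@dataclass
class Policy:
    name: str
    effect: str
    applies: Callable[[dict, PolicyInformationPoint], bool]


class PolicyAdministrationPoint:
    """Manage: the authored policy set the PDP evaluates."""

    def __init__(self) -> None:
        self.policies: List[Policy] = []

    def add(self, policy: Policy) -> None:
        self.policies.append(policy)


class PolicyDecisionPoint:
    """Decide: deny-overrides over the PAP's policies, pulling attributes from
    the PIP on demand. A PIP failure yields Indeterminate, not a guess."""

    def __init__(self, pap: PolicyAdministrationPoint, pip: PolicyInformationPoint):
        self.pap, self.pip = pap, pip

    def evaluate(self, request: dict) -> str:
        decision = NOT_APPLICABLE
        for policy in self.pap.policies:
            try:
                if not policy.applies(request, self.pip):
                    continue
            except LookupError:
                return INDETERMINATE
            if policy.effect == DENY:
                return DENY
            decision = PERMIT
        return decision


class PolicyEnforcementPoint:
    """Enforce: the gate inside the application. Only an explicit Permit lets
    the action through; NotApplicable and Indeterminate fail closed."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def is_allowed(self, request: dict) -> bool:
        return self.pdp.evaluate(request) == PERMIT


def build_pep(governance_records: Dict[str, Dict[str, object]]) -> PolicyEnforcementPoint:
    """Wire the four components together for one application (assumed setup)."""
    pap = PolicyAdministrationPoint()
    # Base business rule (constructed): case handlers may approve cases.
    pap.add(Policy("case-approval", PERMIT,
                   lambda req, pip: req["action"] == "approve" and req["role"] == "case_handler"))
    # Slide 25: If $riskScore > $threshold Then DENY access.
    pap.add(Policy("risk-score-deny", DENY,
                   lambda req, pip: pip.lookup(req["subject"], "riskScore") > RISK_THRESHOLD))
    # Slide 25: access that has not been certified on schedule is denied.
    pap.add(Policy("uncertified-deny", DENY,
                   lambda req, pip: not pip.lookup(req["subject"], "accessCertified")))
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, PolicyInformationPoint(governance_records)))


# Constructed governance feed (not from the slides); "u-unknown" is deliberately absent.
GOVERNANCE = {
    "u-low-risk":    {"riskScore": 20, "accessCertified": True},
    "u-high-risk":   {"riskScore": 85, "accessCertified": True},
    "u-uncertified": {"riskScore": 10, "accessCertified": False},
}

if __name__ == "__main__":
    pep = build_pep(GOVERNANCE)
    for subject in ("u-low-risk", "u-high-risk", "u-uncertified", "u-unknown"):
        req = {"subject": subject, "role": "case_handler", "action": "approve"}
        print(subject, pep.pdp.evaluate(req), pep.is_allowed(req))
```

The user missing from the governance feed is the case to watch: the PDP reports Indeterminate rather than letting the base Permit stand, and the PEP turns anything that is not Permit into a refusal. That is the practical form of slide 24's "garbage in, garbage out" warning: an absent or stale attribute must not become an accidental grant.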
  • 26. In Summary #cisNAPA 26
  • 27. Benefits of Data Governance #cisNAPA 27
      • Securely enable new and existing business models
      • Easier to manage applications: decouple authorization from the application, so changes to the system are easier to implement
      • More secure applications: consistently enforce policies across heterogeneous platforms and systems at the level of granularity required
      • Achieve audit and regulatory compliance: a declarative policy language makes auditing and certifying application access a straightforward process
  • 28. Questions? Contact us at