[Slide 1] XACML for Developers: Updates, New Tools, & Patterns for the Eager #IAM Developer
#CISNapa - @davidjbrossard - @axiomatics
  
[Slide 2] What is XACML?
eXtensible Access Control Markup Language
- Not guacamole
- De facto standard
- Defined at OASIS
  
[Slide 3] XACML in the IAM spectrum
One of the several standards in the #IAM family: SAML, SPML, LDAP, RBAC, ABAC…, SCIM, OpenID, OAuth, WS-*
  
[Slide 4] Why XACML?
In a web 3.0 world where it's about small apps and your data…
Quick, call the plumber: 1-800-GO-XACML. It's time to get leaks under control.
  
[Slide 5] What's Attribute-based Access Control?
  
[Slide 6] In the olden days, authorization was about: Who?

[Slide 7] Authorization should really be about… Who? What? When? Where? How? Why?
  
[Slide 8] Example Scenario: Managing Purchase Orders
A car retail company has a web application that users can access to create, view, and approve purchase orders, in accordance with policy rules.
  
[Slide 9] Attributes
- Resource attributes: Resource type, PO Id, PO amount, PO location, PO creator, PO status
- Subject attributes: Identity, Department, Location, Approval limit, Role
- Action attributes: Action type
- Environment attributes: Device type, IP address, Time of day
(Icons: Profile by Sven Gabriel, Invisible by Andrew Cameron, Wrench by John O'Shea, Clock by Brandon Hopkins, all from The Noun Project.)
  
[Slide 10] A simple rule
Anyone in the purchasing department can create purchase orders.
  
[Slide 11] A richer rule
A manager in the purchasing department can approve purchase orders
- up to their approval limit
- if and only if the PO location and the manager location are the same
- if and only if the manager is not the PO creator
  
[Slide 12] XACML 101 – The Basics
  
[Slide 13] What does XACML contain?
XACML = Reference Architecture + Policy Language + Request / Response Protocol
  
[Slide 14] XACML Architecture & Flow
- Decide: Policy Decision Point (PDP)
- Manage: Policy Administration Point (PAP)
- Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
- Enforce: Policy Enforcement Point (PEP)
Flow: a user tries to access Document #123; the PEP asks the PDP "Can Alice access Document #123?"; the PDP loads the XACML policies (from the PRP) and retrieves the user's role and clearance and the document's classification (from the PIP); it answers "Yes, Permit", and the PEP lets the access to Document #123 through.
  
[Slide 15] What does XACML contain? (Policy Language)

[Slide 16] Language Elements of XACML
- 3 structural elements: PolicySet, Policy, Rule
- Root: either a PolicySet or a Policy
- PolicySets contain any number of PolicySets & Policies
- Policies contain Rules
- Rules contain an Effect: Permit / Deny
- Combining Algorithms
  
[Slide 17] Sample XACML Policy
Root PolicySet
  PolicySet
    Policy
      Rule (Effect = Permit)
      Rule (Effect = Deny)
  PolicySet
    Policy
      Rule (Effect = Permit)
[Slide 18] Language Structure: Russian dolls
- PolicySet, Policy & Rule can contain: Targets, Obligations, Advice
- Rules can contain: Conditions
Policy Set (Target, Obligation)
  Policy (Target, Obligation)
    Rule, Effect = Permit (Target, Obligation, Condition)
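The purchase-order rules from slides 10 and 11, written out with the PolicySet / Policy / Rule nesting, Targets, Conditions and combining algorithms of the last three slides. This is an added example written for this page, not Axiomatics code and not a conforming XACML engine: the attribute names (identity, department, approval-limit, …) and the sample values are constructed, Obligations and Advice are left out, and it goes slightly beyond the slides by returning Indeterminate when a Condition needs an attribute the request does not carry. The "manager is not the PO creator" clause is modelled as a separate Deny rule so that deny-overrides at the root is exercised.

```python
"""Toy XACML-style PDP for the deck's purchase-order rules (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Request = Dict[str, Dict[str, object]]   # category -> attribute id -> value


def target_matches(target: Dict[str, Dict[str, object]], req: Request) -> bool:
    """A Target is a set of exact-match attribute tests; an empty Target matches everything."""
    return all(req.get(cat, {}).get(attr) == want
               for cat, attrs in target.items() for attr, want in attrs.items())


# Combining algorithms: how a Policy or PolicySet folds its children's decisions.
# Simplified: the spec's Indeterminate{P}/{D}/{DP} sub-cases are collapsed into one.
def deny_overrides(decisions: List[str]) -> str:
    for d in ("Deny", "Indeterminate", "Permit"):
        if d in decisions:
            return d
    return "NotApplicable"


def permit_overrides(decisions: List[str]) -> str:
    for d in ("Permit", "Indeterminate", "Deny"):
        if d in decisions:
            return d
    return "NotApplicable"


def first_applicable(decisions: List[str]) -> str:
    return next((d for d in decisions if d != "NotApplicable"), "NotApplicable")


@dataclass
class Rule:
    rule_id: str
    effect: str                                  # "Permit" or "Deny"
    target: Dict = field(default_factory=dict)
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, req: Request) -> str:
        if not target_matches(self.target, req):
            return "NotApplicable"
        if self.condition is None:
            return self.effect
        try:
            return self.effect if self.condition(req) else "NotApplicable"
        except KeyError:        # an attribute the Condition needs is absent from the request
            return "Indeterminate"


@dataclass
class Policy:
    """A Policy combines Rules; a PolicySet combines Policies/PolicySets the same way."""
    policy_id: str
    children: list
    combine: Callable[[List[str]], str] = deny_overrides
    target: Dict = field(default_factory=dict)

    def evaluate(self, req: Request) -> str:
        if not target_matches(self.target, req):
            return "NotApplicable"
        return self.combine([child.evaluate(req) for child in self.children])


PolicySet = Policy


def in_purchasing(req: Request) -> bool:
    return req["subject"]["department"] == "purchasing"


def within_manager_scope(req: Request) -> bool:
    """Richer rule: a purchasing manager, up to their limit, at the same location as the PO."""
    s, r = req["subject"], req["resource"]
    return (in_purchasing(req) and s["role"] == "manager"
            and r["amount"] <= s["approval-limit"] and r["location"] == s["location"])


PO_TARGET = {"resource": {"type": "purchase-order"}}

ROOT = PolicySet("root", combine=deny_overrides, children=[
    Policy("po-policy", combine=first_applicable, target=PO_TARGET, children=[
        Rule("create", "Permit", target={"action": {"id": "create"}}, condition=in_purchasing),
        Rule("approve", "Permit", target={"action": {"id": "approve"}},
             condition=within_manager_scope),
    ]),
    # "The manager is not the PO creator" as a Deny rule: deny-overrides at the root
    # makes it win over po-policy's Permit.
    Policy("separation-of-duty", target={**PO_TARGET, "action": {"id": "approve"}}, children=[
        Rule("deny-self-approval", "Deny",
             condition=lambda req: req["resource"]["creator"] == req["subject"]["identity"]),
    ]),
])


def decide(req: Request) -> str:
    return ROOT.evaluate(req)


def sample_request(action: str, amount: int = 5000, creator: str = "bob") -> Request:
    """Constructed request: manager Alice in purchasing, approval limit 10000, PO 12367."""
    return {
        "subject": {"identity": "alice", "department": "purchasing", "role": "manager",
                    "location": "napa", "approval-limit": 10000},
        "action": {"id": action},
        "resource": {"type": "purchase-order", "id": "12367", "amount": amount,
                     "location": "napa", "creator": creator},
        "environment": {"device-type": "laptop"},
    }


if __name__ == "__main__":
    for label, req in [("approve 5000", sample_request("approve")),
                       ("approve 20000", sample_request("approve", amount=20000)),
                       ("approve own PO", sample_request("approve", creator="alice"))]:
        print(f"{label}: {decide(req)}")
```

Note that a false Condition yields NotApplicable, not Deny: a PEP that treats anything other than Permit as "no" is therefore the safe default, and the explicit Deny rule only matters because deny-overrides lets it beat a Permit from a sibling policy.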
  
[Slide 19] What does XACML contain? (Request / Response Protocol)
  
[Slide 20] Structure of a XACML Request / Response
XACML Request: "Can Manager Alice approve Purchase Order 12367?"
- Subject: User id = Alice; Role = Manager
- Action: Action id = approve
- Resource: Resource type = Purchase Order; PO # = 12367
- Environment: Device Type = Laptop
XACML Response: "Yes, she can"
- Result: Decision: Permit; Status: ok
The core XACML specification does not define any specific transport / communication protocol:
- Developers can choose their own.
- The SAML profile defines a binding to send requests/responses over SAML assertions.
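The PEP side of the exchange on this slide, as an added example (not Axiomatics code): build the request for "Can Manager Alice approve Purchase Order 12367?", send it over whatever transport the developer picks, and reduce the answer to the single if(authorized()) call the deck promises. The PDP URL, the JSON key names and the canned PDP answers are constructed assumptions; what the example adds to the slide is that only an explicit Permit with status ok authorizes, and everything else, a Deny, NotApplicable, Indeterminate, an error status or a PDP that cannot be reached, fails closed.

```python
"""PEP-side helper for the XACML request/response exchange (added example)."""
import json
import urllib.request
from typing import Callable, Dict

PDP_URL = "http://pdp.example.invalid:8443/pdp"      # placeholder endpoint, not a real PDP


def build_request(subject: Dict[str, str], action: str,
                  resource: Dict[str, str], environment: Dict[str, str]) -> Dict:
    """Group the attributes by category, as the slide's request does."""
    return {"subject": dict(subject), "action": {"action-id": action},
            "resource": dict(resource), "environment": dict(environment)}


def http_transport(payload: bytes, url: str = PDP_URL) -> bytes:
    """Real transport: POST the encoded request to the PDP and return the raw body."""
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def authorized(response: object) -> bool:
    """Permit with status ok is the only 'yes'. Deny, NotApplicable, Indeterminate,
    an error status or a malformed answer all mean 'no'."""
    if not isinstance(response, dict) or not isinstance(response.get("result"), dict):
        return False
    result = response["result"]
    return result.get("decision") == "Permit" and result.get("status") == "ok"


def is_authorized(request: Dict,
                  transport: Callable[[bytes], bytes] = http_transport) -> bool:
    """The deck's if(authorized()): ask the PDP, and fail closed on any transport error."""
    try:
        raw = transport(json.dumps(request).encode("utf-8"))
        response = json.loads(raw.decode("utf-8"))
    except (OSError, ValueError):        # PDP unreachable, timed out, or body is not JSON
        return False
    return authorized(response)


# Constructed PDP answers so the example runs offline, keyed by action id.
CANNED_RESPONSES = {
    "approve": b'{"result": {"decision": "Permit", "status": "ok"}}',
    "view":    b'{"result": {"decision": "Deny", "status": "ok"}}',
    "delete":  b'{"result": {"decision": "NotApplicable", "status": "ok"}}',
    "export":  b'{"result": {"decision": "Indeterminate", "status": "missing-attribute"}}',
}


def canned_transport(payload: bytes) -> bytes:
    """Stand-in transport: answers from the table above, or a non-JSON body for anything else."""
    action = json.loads(payload)["action"]["action-id"]
    return CANNED_RESPONSES.get(action, b"<html>502 Bad Gateway</html>")


def can_alice(action: str) -> bool:
    """Can Manager Alice <action> Purchase Order 12367 (the slide's question)?"""
    req = build_request({"user-id": "Alice", "role": "Manager"}, action,
                        {"resource-type": "Purchase Order", "po-number": "12367"},
                        {"device-type": "Laptop"})
    return is_authorized(req, transport=canned_transport)


if __name__ == "__main__":
    for action in ("approve", "view", "delete", "export", "archive"):
        print(f"Can Alice {action} PO 12367? {can_alice(action)}")
```

Swap canned_transport for http_transport (or a SAML-binding sender) to talk to a real PDP; the decision handling does not change with the transport.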
  
[Slide 21] So what's in it for the developer?

[Slide 22] #1 A single authorization model & framework

[Slide 23] #1.a working across all layers; #1.b and across different technology stacks
[Slide 24] Share of programming languages (Feb 2013): Java, C, Objective-C, C++, C#, PHP, Python, (Visual) Basic, Perl, Ruby, JavaScript, Visual Basic .NET, Lisp, Pascal, Delphi/Object Pascal
  
[Slide 25] #2 A rich language to express many scenarios
ACLs, RBAC, Whitelists, Segregation-of-Duty, Relation-based, Trust Elevation, Device-based, Break the glass, Privacy protection, ABAC, Rich business flows, Data redaction

[Slide 26] #3 Developer-friendly APIs
- The REST profile of XACML
- OASIS XACML profile
- Designed by Remon Sinnema of EMC2
- XML over HTTP
  
[Slide 27] #3 Developer-friendly APIs (cont'd)
- JSON over HTTP
- Drop the… Use curl, Perl, and Python with the REST API:
    curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp

[Slide 28] #4 Simplified request/response
- Use the JSON profile of XACML
- Idea: remove the verbose aspects of XACML; focus on the key points; make a request easy to read
  
[Slide 29] #4 Sample XACML before JSON (cont'd): "Can Alice say hello?"
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
  
[Slide 30] #4 Sample XACML using JSON (cont'd)
{"subject":
    {"attribute":[{
        "attributeId":"username",
        "value":"alice"}]},
 "resource":
    {"attribute":[{
        "attributeId":"resource-id",
        "value":"hello"}]},
 "action":
    {"attribute":[{
        "attributeId":"action-id",
        "value":"say"}]}}
  
[Slide 31] #4 JSON & XML side-by-side comparison
Chart: size of a XACML request, XML vs JSON. Left panel: word count (axis 0–50); right panel: character count (axis 0–1400).

[Slide 32] #5 Easy authoring tools
Provide the right tools for easy authoring of XACML policies:
- Natural language authoring
- Axiomatics Language for Authorization (ALFA)
- Research initiative from TSSG
- And many more coming…
[Slide 33] #5 Axiomatics Language for AuthZ (cont'd)
- Plugs into the Eclipse IDE
- High-level syntax
- Auto-complete
- Automatic translation to XACML 3.0
  
[Slide 34] Wrapping up: Benefits for the developer

[Slide 35] Benefits of using XACML #1
- One consistent authorization model
- Many different applications
- Decide once, enforce everywhere

[Slide 36] Benefits of using XACML #2
- Adios endless if, else statements
- Hello simple if(authorized())

[Slide 37] Benefits of using XACML #3
Chart: Developer Happiness Increase. X axis: number of if / else statements terminated (10–170); Y axis: Developer Happiness Index (0–30000).
- Security potholes are a thing of the past
- XACML is the concrete that fills in the cracks in your authorization wall

[Slide 38] Benefits of using XACML #4
- Let developers do what they know best
- Offload auditing, info security to security architects & auditors by externalizing authorization

[Slide 39] Happy developer, happy auditor

[Slide 40] Next steps?
- Download XACML SDK
- Download ALFA plugin
- Download Eclipse
- Code in your favorite language
Questions? Contact us at info@axiomatics.com. Q&A

CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 

More from CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Recently uploaded

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Recently uploaded (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

CIS13: Externalized Authorization from the Developer’s Perspective

  • 1. XACML for Developers: Updates, New Tools, & Patterns for the Eager #IAM Developer. #CISNapa - @davidjbrossard - @axiomatics
  • 2. What is XACML? eXtensible Access Control Markup Language. Not guacamole. De facto standard. Defined at OASIS.
  • 3. XACML in the IAM spectrum: one of the several standards in the #IAM family: SAML, SPML, LDAP, RBAC, ABAC…, SCIM, OpenID, OAuth, WS-*.
  • 4. Why XACML? In a web 3.0 world where it’s about small apps and your data… Quick, call the plumber: 1-800-GO-XACML, it’s time to get leaks under control.
  • 5. What’s Attribute-based Access Control?
  • 6. In the olden days, authorization was about: Who?
  • 7. Authorization should really be about… Who? What? When? Where? How? Why?
  • 8. Example Scenario: Managing Purchase Orders. A car retail company has a web application that users can access to create, view, and approve purchase orders, in accordance with policy rules.
  • 9. Attributes. Resource attributes: Resource type, PO Id, PO amount, PO location, PO creator, PO Status. Subject attributes: Identity, Department, Location, Approval limit, Role. Action attributes: Action type. Environment attributes: Device type, IP address, Time of day. (Icons from The Noun Project: Profile by Sven Gabriel, Invisible by Andrew Cameron, Wrench by John O’Shea, Clock by Brandon Hopkins.)
  • 10. A simple rule: Anyone in the purchasing department can create purchase orders.
  • 11. A richer rule: A manager in the purchasing department can approve purchase orders § up to their approval limit § if and only if the PO location and the manager location are the same § if and only if the manager is not the PO creator.
  • 12. XACML 101 – The Basics
  • 13. What does XACML contain? XACML = Reference Architecture + Policy Language + Request / Response Protocol.
  • 14. XACML Architecture & Flow. Decide: Policy Decision Point. Manage: Policy Administration Point. Support: Policy Information Point, Policy Retrieval Point. Enforce: Policy Enforcement Point. Flow: the user tries to access Document #123; the PEP asks the PDP "Can Alice access Document #123?"; the PDP loads XACML policies (from the PRP), retrieves user role, clearance and document classification (from the PIP) and answers "Yes, Permit"; the PEP lets the access to Document #123 through.
  • 15. What does XACML contain? XACML = Reference Architecture + Policy Language + Request / Response Protocol.
  • 16. Language Elements of XACML. 3 structural elements: PolicySet, Policy, Rule. Root: either a PolicySet or a Policy. PolicySets contain any number of PolicySets & Policies. Policies contain Rules. Rules contain an Effect: Permit / Deny. Combining Algorithms.
  • 17. Sample XACML Policy (tree): Root PolicySet → PolicySet → Policy → Rule (Effect = Permit), Rule (Effect = Deny); Root PolicySet → PolicySet → Policy → Rule (Effect = Permit).
  • 18. Language Structure: Russian dolls. PolicySet, Policy & Rule can contain Targets, Obligations, Advice. Rules can contain Conditions. (Diagram: Policy Set ⊃ Policy ⊃ Rule (Effect = Permit), each with its own Target and Obligation, and the Rule with a Condition.)
  • 19. What does XACML contain? XACML = Reference Architecture + Policy Language + Request / Response Protocol.
  • 20. Structure of a XACML Request / Response. XACML Request ("Can Manager Alice approve Purchase Order 12367?"): Subject: User id = Alice, Role = Manager; Action: Action id = approve; Resource: Resource type = Purchase Order, PO # = 12367; Environment: Device Type = Laptop. XACML Response ("Yes, she can"): Result: Decision: Permit, Status: ok. The core XACML specification does not define any specific transport / communication protocol: developers can choose their own; the SAML profile defines a binding to send requests/responses over SAML assertions.
  • 21. So what’s in it for the developer?
  • 22. #1 A single authorization model & framework
  • 23. #1.a working across all layers
  • 24. #1.b and across different technology stacks: Java, C, Objective-C, C++, C#, PHP, Python, (Visual) Basic, Perl, Ruby, JavaScript, Visual Basic .NET, Lisp, Pascal, Delphi/Object Pascal (share of programming languages, Feb 2013).
  • 25. #2 A rich language to express many scenarios: ACLs, RBAC, Whitelists, Segregation-of-Duty, Relation-based, Trust Elevation, Device-based, Break the glass, Privacy protection, ABAC, Rich business flows, Data redaction.
  • 26. #3 Developer-friendly APIs. The REST profile of XACML: an OASIS XACML profile, designed by Remon Sinnema of EMC2. XML over HTTP, JSON over HTTP.
  • 27. #3 Developer-friendly APIs (cont’d). Drop the… Use curl, Perl, and Python with the REST API:
      curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp
  • 28. #4 Simplified request/response. Use the JSON profile of XACML. Idea: remove the verbose aspects of XACML; focus on the key points; make a request easy to read.
  • 29. #4 Sample XACML Before JSON (cont’d). "Can Alice Say Hello?":
      <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
      </xacml-ctx:Request>
  • 30. #4 Sample XACML using JSON (cont’d):
      {"subject":  {"attribute":[{"attributeId":"username",    "value":"alice"}]},
       "resource": {"attribute":[{"attributeId":"resource-id", "value":"hello"}]},
       "action":   {"attribute":[{"attributeId":"action-id",   "value":"say"}]}}
  • 31. #4 JSON & XML side-by-side comparison. [Charts: size of a XACML request, XML vs JSON, by word count (0–50) and by character count (0–1400).]
  • 32. #5 Easy authoring tools. Natural language authoring. Axiomatics Language for Authorization (ALFA). Research initiative from TSSG. And many more coming…
  • 33. #5 Axiomatics Language For AuthZ (cont’d). Provide the right tools for easy authoring of XACML policies. Plugs into Eclipse IDE. High-level syntax. Auto-complete. Automatic translation to XACML 3.0.
  • 34. Wrapping up: Benefits for the developer
  • 35. Benefits of using XACML #1. One consistent authorization model. Many different applications. Decide once, enforce everywhere.
  • 36. Benefits of using XACML #2. Adios endless if, else statements. Hello simple if(authorized()). [Chart: Developer Happiness Index (0–30000) against number of if / else statements terminated (10–170).]
  • 37. Benefits of using XACML #3. Security potholes are a thing of the past. XACML is the concrete that fills in the cracks in your authorization wall.
  • 38. Benefits of using XACML #4. Let developers do what they know best. Offload auditing, info security to security architects & auditors by externalizing authorization. Happy developer, happy auditor.
  • 39. Next steps? Download XACML SDK. Download ALFA plugin. Download Eclipse. Code in your favorite language.
  • 40. Questions? Contact us at info@axiomatics.com. Q&A
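To make slides 10, 11, 20 and 36 concrete, here is an added example (not code from the talk, from Axiomatics or from any XACML SDK): a toy PDP with Rule, Policy and a deny-overrides combining algorithm, the two purchase-order rules expressed against the four attribute categories, and a deny-biased `authorized()` for the PEP. Attribute ids such as `department`, `role`, `approval-limit` and `po-amount`, the sample subject Alice and PO 12367 are constructed; the request layout is the simplified JSON shape from slide 30, not the OASIS JSON profile.

```python
"""Toy XACML-style PDP and PEP for the purchase-order scenario (slides 8-11, 20, 36).
Added illustration, not code from the talk or from Axiomatics; attribute ids are
constructed and the request layout is the simplified JSON shape from slide 30."""
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

def attr(req: dict, category: str, attribute_id: str):
    """First value of attribute_id in a request category, or None when absent."""
    for a in req.get(category, {}).get("attribute", []):
        if a.get("attributeId") == attribute_id:
            return a.get("value")
    return None

def build_request(subject: dict, resource: dict, action: dict,
                  environment: Optional[dict] = None) -> dict:
    """Pack plain attribute dicts into the slide-30 style request."""
    def cat(attrs):
        return {"attribute": [{"attributeId": k, "value": v} for k, v in attrs.items()]}
    return {"subject": cat(subject), "resource": cat(resource),
            "action": cat(action), "environment": cat(environment or {})}

@dataclass
class Rule:
    rule_id: str
    effect: str                          # PERMIT or DENY
    target: Callable[[dict], bool]       # does the rule apply to this request at all?
    condition: Callable[[dict], bool] = lambda r: True

    def evaluate(self, req: dict) -> str:
        # A false target or condition yields NotApplicable, never the opposite effect;
        # a missing or ill-typed attribute yields Indeterminate, never a Permit.
        try:
            if not self.target(req):
                return NOT_APPLICABLE
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except TypeError:
            return INDETERMINATE

def deny_overrides(decisions: list) -> str:
    """Simplified deny-overrides: Deny > Indeterminate > Permit > NotApplicable
    (the spec's Indeterminate{D/P/DP} sub-cases are collapsed into one value)."""
    for d in (DENY, INDETERMINATE, PERMIT):
        if d in decisions:
            return d
    return NOT_APPLICABLE

@dataclass
class Policy:
    policy_id: str
    rules: list
    combine: Callable[[list], str] = deny_overrides

    def evaluate(self, req: dict) -> str:
        return self.combine([r.evaluate(req) for r in self.rules])

def _po_action(req: dict, action: str) -> bool:
    return (attr(req, "resource", "resource-type") == "purchase-order"
            and attr(req, "action", "action-id") == action)

# Slide 10: anyone in the purchasing department can create purchase orders.
create_po = Rule("create-po", PERMIT, target=lambda r: _po_action(r, "create"),
                 condition=lambda r: attr(r, "subject", "department") == "purchasing")

# Slide 11: a purchasing manager can approve up to their limit, at their own location.
approve_po = Rule("approve-po", PERMIT, target=lambda r: _po_action(r, "approve"),
                  condition=lambda r: (
                      attr(r, "subject", "department") == "purchasing"
                      and attr(r, "subject", "role") == "manager"
                      and attr(r, "resource", "po-amount") <= attr(r, "subject", "approval-limit")
                      and attr(r, "resource", "po-location") == attr(r, "subject", "location")))

# Slide 11, "not the PO creator": written as an explicit Deny so that deny-overrides
# blocks self-approval even when approve_po on its own would Permit.
no_self_approval = Rule("no-self-approval", DENY, target=lambda r: _po_action(r, "approve"),
                        condition=lambda r: attr(r, "resource", "po-creator")
                        == attr(r, "subject", "username"))

PO_POLICY = Policy("purchase-orders", [create_po, approve_po, no_self_approval])

def authorized(req: dict, pdp: Policy = PO_POLICY) -> bool:
    """PEP half of slide 36's if(authorized()): deny-biased, so only an explicit
    Permit opens the door; Deny, NotApplicable and Indeterminate all close it."""
    return pdp.evaluate(req) == PERMIT

# Constructed sample data mirroring slide 20 (manager Alice, purchase order 12367).
ALICE = {"username": "alice", "department": "purchasing", "role": "manager",
         "location": "Napa", "approval-limit": 10000}

def po(amount, creator="bob", location="Napa") -> dict:
    return {"resource-type": "purchase-order", "po-id": "12367",
            "po-amount": amount, "po-location": location, "po-creator": creator}
```

Evaluating `build_request(ALICE, po(8500), {"action-id": "approve"})` with `PO_POLICY` yields Permit; the same PO created by alice yields Deny, one over her limit yields NotApplicable, and one with no `po-amount` yields Indeterminate, all of which `authorized()` treats as a refusal.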