David Brossard, Product Manager, Axiomatics
Application development trends often collide with security best practices, leaving enterprises with a patchwork mix of authorization schemes that are difficult and expensive to operate, modify and certify for compliance. This session will explore the latest trends in authorization and describe standards-based mechanisms to protect APIs, web services, data resources and more. Included in the discussion will be the interaction between XACML, OAuth, REST and JSON.
CIS13: Externalized Authorization from the Developer’s Perspective
1. XACML for Developers: Updates, New Tools, & Patterns for the Eager #IAM Developer
#CISNapa - @davidjbrossard - @axiomatics
2. eXtensible Access Control Markup Language
What is XACML?
- Not guacamole
- De facto standard
- Defined at OASIS
3. XACML in the IAM spectrum
One of the several standards in the #IAM family: SAML, SPML, LDAP, RBAC, ABAC…, SCIM, OpenID, OAuth, WS-*
4. Why XACML?
In a web 3.0 world where it’s about small apps and your data… Quick, call the plumber: 1-800-GO-XACML. It’s time to get leaks under control.
7. Authorization should really be about… When? What? How? Where? Who? Why?
8. Example Scenario: Managing Purchase Orders
A car retail company has a web application that users can access to create, view, and approve purchase orders, in accordance with policy rules.
9. Attributes
- Resource attributes: resource type, PO amount, PO location, PO creator, PO status, PO Id
- Subject attributes: identity, department, location, approval limit, role
- Action attributes: action type
- Environment attributes: device type, IP address, time of day
(Icons: Profile by Sven Gabriel, Invisible by Andrew Cameron, Wrench by John O’Shea, Clock by Brandon Hopkins, all from The Noun Project)
10. A simple rule
Anyone in the purchasing department can create purchase orders.
11. A richer rule
A manager in the purchasing department can approve purchase orders
- up to their approval limit
- if and only if the PO location and the manager location are the same
- if and only if the manager is not the PO creator
13. What does XACML contain? XACML Reference Architecture, Policy Language, Request / Response Protocol
14. XACML Architecture & Flow
- Decide: Policy Decision Point (PDP)
- Manage: Policy Administration Point (PAP)
- Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
- Enforce: Policy Enforcement Point (PEP)
Flow in the diagram: the user asks to "Access Document #123"; the PEP intercepts the call and asks the PDP "Can Alice access Document #123?"; the PDP loads the XACML policies (PRP) and retrieves the user role, clearance and document classification (PIP), then answers "Yes, Permit", and the PEP lets the access to Document #123 through.
15. What does XACML contain? XACML Reference Architecture, Policy Language, Request / Response Protocol
16. Language Elements of XACML
- 3 structural elements: PolicySet, Policy, Rule
- Root: either of PolicySet or Policy
- PolicySets contain any number of PolicySets & Policies
- Policies contain Rules
- Rules contain an Effect: Permit / Deny
- Combining Algorithms
19. What does XACML contain? XACML Reference Architecture, Policy Language, Request / Response Protocol
20. Structure of a XACML Request / Response
XACML Request: Can Manager Alice approve Purchase Order 12367?
- Subject: User id = Alice; Role = Manager
- Action: Action id = approve
- Resource: Resource type = Purchase Order; PO # = 12367
- Environment: Device Type = Laptop
XACML Response: Yes, she can
- Result: Decision: Permit; Status: ok
The core XACML specification does not define any specific transport / communication protocol:
- Developers can choose their own.
- The SAML profile defines a binding to send requests/responses over SAML assertions.
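The request/response structure on slide 20 and the two purchase-order rules from slides 10 and 11, worked through as an added example (not code from the deck or from Axiomatics): a minimal PDP in Python that takes a request shaped like the XACML JSON profile, evaluates both rules with deny-unless-permit combining, and returns a JSON-profile response; the PEP side is reduced to one authorized() call. The standard subject-id, action-id, resource-id and status URNs are the OASIS ones; every other attribute id (role, department, approval limit, PO amount and so on) is an assumed name, and Alice, Bob, Carol and PO 12367 are constructed sample data.

```python
import json

# Standard XACML attribute and status identifiers (from the OASIS core specification)
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"

# Attribute ids for the purchase-order scenario: assumed names, not from the deck
ROLE = "example:subject:role"
DEPARTMENT = "example:subject:department"
SUBJECT_LOCATION = "example:subject:location"
APPROVAL_LIMIT = "example:subject:approval-limit"
RESOURCE_TYPE = "example:resource:type"
PO_AMOUNT = "example:resource:po-amount"
PO_LOCATION = "example:resource:po-location"
PO_CREATOR = "example:resource:po-creator"
DEVICE_TYPE = "example:environment:device-type"


def attr(request, category, attribute_id):
    """First value of attribute_id in a JSON-profile category block, or None if absent."""
    for block in request["Request"].get(category, []):
        for a in block.get("Attribute", []):
            if a["AttributeId"] == attribute_id:
                return a["Value"]
    return None


def rule_create_po(request):
    """Slide 10: anyone in the purchasing department can create purchase orders."""
    if (attr(request, "Action", ACTION_ID) == "create"
            and attr(request, "Resource", RESOURCE_TYPE) == "purchase-order"
            and attr(request, "AccessSubject", DEPARTMENT) == "purchasing"):
        return "Permit"
    return "NotApplicable"


def rule_approve_po(request):
    """Slide 11: a purchasing manager may approve a PO up to their approval limit,
    only when the PO location matches their own and they are not its creator."""
    if not (attr(request, "Action", ACTION_ID) == "approve"
            and attr(request, "Resource", RESOURCE_TYPE) == "purchase-order"
            and attr(request, "AccessSubject", ROLE) == "manager"
            and attr(request, "AccessSubject", DEPARTMENT) == "purchasing"):
        return "NotApplicable"
    n = {
        "limit": attr(request, "AccessSubject", APPROVAL_LIMIT),
        "amount": attr(request, "Resource", PO_AMOUNT),
        "manager_location": attr(request, "AccessSubject", SUBJECT_LOCATION),
        "po_location": attr(request, "Resource", PO_LOCATION),
        "manager": attr(request, "AccessSubject", SUBJECT_ID),
        "creator": attr(request, "Resource", PO_CREATOR),
    }
    if any(v is None for v in n.values()):
        # A condition with a missing attribute is Indeterminate: two absent locations
        # must never compare equal and silently permit the approval.
        return "Indeterminate"
    if (n["amount"] <= n["limit"] and n["po_location"] == n["manager_location"]
            and n["creator"] != n["manager"]):
        return "Permit"
    return "NotApplicable"


RULES = [rule_create_po, rule_approve_po]


def evaluate(request):
    """The PDP: deny-unless-permit combining, so the answer is Deny unless a rule permits."""
    decision = "Deny"
    for rule in RULES:
        if rule(request) == "Permit":
            decision = "Permit"
            break
    return {"Response": [{"Decision": decision,
                          "Status": {"StatusCode": {"Value": STATUS_OK}}}]}


def make_request(subject, action, resource, device="Laptop"):
    """Build a JSON-profile request from dicts of attribute-id -> value."""
    def block(attrs):
        return [{"Attribute": [{"AttributeId": k, "Value": v} for k, v in attrs.items()]}]
    return {"Request": {"AccessSubject": block(subject),
                        "Action": block({ACTION_ID: action}),
                        "Resource": block(resource),
                        "Environment": block({DEVICE_TYPE: device})}}


def authorized(subject, action, resource):
    """The PEP side: the single if(authorized()) call that replaces inline if/else checks."""
    response = evaluate(make_request(subject, action, resource))
    return response["Response"][0]["Decision"] == "Permit"


# Constructed sample data for the scenario (not from the deck)
ALICE = {SUBJECT_ID: "Alice", ROLE: "manager", DEPARTMENT: "purchasing",
         SUBJECT_LOCATION: "Napa", APPROVAL_LIMIT: 10000}
BOB = {SUBJECT_ID: "Bob", ROLE: "buyer", DEPARTMENT: "purchasing", SUBJECT_LOCATION: "Napa"}
CAROL = {SUBJECT_ID: "Carol", ROLE: "manager", DEPARTMENT: "sales",
         SUBJECT_LOCATION: "Napa", APPROVAL_LIMIT: 50000}
PO_12367 = {RESOURCE_ID: "12367", RESOURCE_TYPE: "purchase-order", PO_AMOUNT: 8500,
            PO_LOCATION: "Napa", PO_CREATOR: "Bob"}

if __name__ == "__main__":
    print(json.dumps(evaluate(make_request(ALICE, "approve", PO_12367)), indent=2))
```

The combining algorithm matters as much as the rules: with deny-unless-permit, an Indeterminate rule (a manager record without an approval limit, a PO without a location) ends up as Deny instead of an accidental Permit, which is the behaviour you want from an externalized decision point.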
21. So what’s in it for the developer?
22. #1 A single authorization model & framework
24. #1.b and across different technology stacks
Java, C, Objective-C, C++, C#, PHP, Python, (Visual) Basic, Perl, Ruby, JavaScript, Visual Basic .NET, Lisp, Pascal, Delphi/Object Pascal (share of programming languages, Feb 2013)
25. #2 A rich language to express many scenarios
ACLs, RBAC, Whitelists, Segregation-of-Duty, Relation-based, Trust Elevation, Device-based, Break the glass, Privacy protection, ABAC, Rich business flows, Data redaction
26. #3 Developer-friendly APIs
- The REST profile of XACML
- OASIS XACML profile
- Designed by Remon Sinnema of EMC2
(Diagram: requests and responses carried as XML over HTTP or JSON over HTTP)
27. #3. Developer-friendly APIs (cont’d)
Drop the… Use curl, Perl, and Python with the REST API:
curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp
28. #4 Simplified request/response
- Use the JSON profile of XACML
- Idea:
  - Remove the verbose aspects of XACML
  - Focus on the key points
  - Make a request easy to read
31. #4 JSON & XML side-by-side comparison: size of a XACML request
(Two bar charts, XML vs JSON: Word count, axis 0 to 50; Char. count, axis 0 to 1400)
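To make the slide-28 idea and the slide-31 comparison concrete, here is an added example (not code from the deck or from Axiomatics) that serializes the slide-20 request both as a XACML 3.0 core XML Request and in the shape of the XACML JSON profile, parses each back, checks that both carry exactly the same (category, attribute, value) triples, and reports their character counts. The XACML namespace, category and subject-id/action-id/resource-id identifiers are the standard OASIS ones; the role, resource-type and device-type attribute ids are assumed names.

```python
import json
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Standard category identifiers and the short names the JSON profile uses for them
CATEGORIES = {
    "AccessSubject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "Action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "Resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "Environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}

# The slide-20 request as (short category, attribute id, value); "example:" ids are assumed
REQUEST_ATTRIBUTES = [
    ("AccessSubject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id", "Alice"),
    ("AccessSubject", "example:subject:role", "Manager"),
    ("Action", "urn:oasis:names:tc:xacml:1.0:action:action-id", "approve"),
    ("Resource", "example:resource:type", "Purchase Order"),
    ("Resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "12367"),
    ("Environment", "example:environment:device-type", "Laptop"),
]


def to_xml(attributes):
    """Serialize as a XACML 3.0 core <Request>: one <Attributes> element per category,
    every value wrapped in <AttributeValue> with an explicit DataType."""
    ET.register_namespace("", XACML_NS)
    root = ET.Element(f"{{{XACML_NS}}}Request",
                      {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for short, uri in CATEGORIES.items():
        attrs = ET.SubElement(root, f"{{{XACML_NS}}}Attributes", {"Category": uri})
        for cat, attr_id, value in attributes:
            if cat != short:
                continue
            a = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                              {"AttributeId": attr_id, "IncludeInResult": "false"})
            v = ET.SubElement(a, f"{{{XACML_NS}}}AttributeValue", {"DataType": XS_STRING})
            v.text = value
    return ET.tostring(root, encoding="unicode")


def to_json(attributes):
    """Serialize in the JSON-profile shape: short category names, DataType left out for strings."""
    req = {}
    for cat, attr_id, value in attributes:
        req.setdefault(cat, [{"Attribute": []}])[0]["Attribute"].append(
            {"AttributeId": attr_id, "Value": value})
    return json.dumps({"Request": req})


def parse_xml(text):
    """Read (category URI, attribute id, value) triples back out of the XML form."""
    triples = set()
    for attrs in ET.fromstring(text).findall(f"{{{XACML_NS}}}Attributes"):
        for a in attrs.findall(f"{{{XACML_NS}}}Attribute"):
            for v in a.findall(f"{{{XACML_NS}}}AttributeValue"):
                triples.add((attrs.get("Category"), a.get("AttributeId"), v.text))
    return triples


def parse_json(text):
    """Read the same triples out of the JSON form, expanding short category names."""
    triples = set()
    for short, blocks in json.loads(text)["Request"].items():
        for block in blocks:
            for a in block["Attribute"]:
                triples.add((CATEGORIES[short], a["AttributeId"], a["Value"]))
    return triples


def compare(attributes=REQUEST_ATTRIBUTES):
    """Both encodings of one request: do they say the same thing, and how large are they?"""
    xml_text, json_text = to_xml(attributes), to_json(attributes)
    return {
        "same_content": parse_xml(xml_text) == parse_json(json_text),
        "xml_chars": len(xml_text),
        "json_chars": len(json_text),
    }


if __name__ == "__main__":
    print(to_xml(REQUEST_ATTRIBUTES))
    print(to_json(REQUEST_ATTRIBUTES))
    print(compare())
```

The round-trip check is the part worth keeping in a real integration: a PEP that switches from the XML to the JSON encoding should prove that no attribute is dropped or re-categorized on the way, since the PDP will happily evaluate a request that is merely smaller rather than equivalent.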
32. #5 Easy authoring tools
- Natural language authoring
- Axiomatics Language for Authorization (ALFA)
- Research initiative from TSSG
- And many more coming…
33. #5 Axiomatics Language for AuthZ (cont’d)
Provide the right tools for easy authoring of XACML policies:
- Plugs into Eclipse IDE
- High-level syntax
- Auto-complete
- Automatic translation to XACML 3.0
34. Wrapping up: benefits for the developer
35. Benefits of using XACML #1
- One consistent authorization model
- Many different applications
- Decide once, enforce everywhere
36. Benefits of using XACML #2
- Adios endless if, else statements
- Hello simple if(authorized())
(Chart: Developer Happiness Index, axis 0 to 30000, against Number of if / else statements terminated, axis 10 to 170)
37. Benefits of using XACML #3
- Security potholes are a thing of the past
- XACML is the concrete that fills in the cracks in your authorization wall
38. Benefits of using XACML #4
- Let developers do what they know best
- Offload auditing, info security to security architects & auditors by externalizing authorization
Happy developer, happy auditor
39. Next steps?
- Download XACML SDK
- Download ALFA plugin
- Download Eclipse
- Code in your favorite language