CIS14: The Very Latest in Authorization Standards
Gerry Gebel, Axiomatics
Update on the latest trends and happenings regarding authorization standards and commentary on projections on this topic for the coming year, including status of the JSON and REST profiles for XACML (it’s not just XML anymore), scenarios where OAuth and XACML can coexist, and what NIST’s published report on ABAC is all about.

Published in: Technology
Transcript

  • 1. The Very Latest in Authorization Standards and Trends. Cloud Identity Summit 2014. Gerry Gebel, Axiomatics, gerry@axiomatics.com, @ggebel. © 2014 Axiomatics AB
  • 2. Preamble: Authorization v.Next
  • 3. [image-only slide]
  • 4. [image-only slide]
  • 5. Having a policy language is a key differentiator for ABAC/XACML
  • 6. Finding the right combination: OAuth, UMA, JWT, XACML
  • 7. Agenda
    § Business trends that are influencing authorization requirements
    § Externalized Authorization and ABAC
    § Standards update
    § JSON, REST, ALFA and more
    § Prognostications
  • 8. Business Trends & AuthZ
  • 9. [image-only slide]
  • 10. Next generation information security = dynamic authorization = attribute based access control
  • 11. Legacy access controls fail in dynamic environments; ABAC thrives in dynamic environments
  • 12. Grant or deny access to sensitive / business-critical information based on the following attributes: Who, What, When, Where, Why, How
  • 13. “By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.” (Gartner Predicts, March 2014)
  • 14. Externalized Authorization and ABAC
  • 15. NIST Special Pub 800-162 *
    § “[ABAC] flexibility provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object”
    * nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
  • 16. Example from NIST report
    § Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients
    § Variables in the policy language enable very efficient policy structures – reducing the maintenance load
    § Management of heart patient records is part of the business application – not an IT function
    § Multiple attributes must be available for policy evaluation – either as part of the access request or retrieved from an authoritative source
  • 17. NIST example, expanded
    § Nurse Practitioners can View the Records of Patients in the same Department they are assigned to
    § This rule can apply to all departments in the hospital
    § Add a new department or change names of departments and the rule does not change
    § Rule compares department of the Nurse Practitioner to the department of the Patient
    § Avoids the role explosion effect of RBAC models
  • 18. Applying ABAC to every layer of your application (ADAF)
  • 19. REST, JSON, & ALFA: What’s new on the XACML standards front?
  • 20. What’s in the XACML standard: Reference Architecture, Policy Language, Request / Response Protocol
    § Profiles add functionality
    § REST
    § JSON
    § Export Control
    § IP Protection
    § Hierarchical Resources
    § Etc.
  • 21. The Request/Response format
    XACML Request: Can Manager Alice approve Purchase Order 12367?
      • Subject: User id = Alice, Role = Manager
      • Action: Action id = approve
      • Resource: Resource type = Purchase Order, PO # = 12367
      • Environment: Device Type = Laptop
    XACML Response: Yes, she can
      • Result: Decision: Permit, Status: ok
  • 22. XML encoding of an authZ request: Can Alice say hello?
    <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
                       xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
      </xacml-ctx:Attributes>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
    </xacml-ctx:Request>
  • 23. JSON encoding of an authZ request
    {"subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
     "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
     "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}}
  • 24. JSON vs. XML: size of a XACML request
    [bar charts: word count of the same request in XML vs. JSON (scale 0–50) and character count in XML vs. JSON (scale 0–1400)]
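The same authorization question as on slides 21 through 24, "Can Alice say hello?", encoded both ways, decoded back to one canonical attribute set and measured, as an added example that is not part of the presentation or of Axiomatics' code. Category URNs and attribute ids follow slide 22; the JSON key names follow the compact form on slide 23 (not the later OASIS JSON profile). The example assumes only xs:string values and that the empty environment category may be omitted.

```python
"""Added example (not from the slides or Axiomatics): one XACML request in the
XML form of slide 22 and the compact JSON form of slide 23, with a decoder for
each and the size comparison that slide 24 charts."""
import json
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Short category names (used by the JSON form) <-> full XACML 3.0 category URNs
CATEGORY_URN = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
URN_CATEGORY = {urn: name for name, urn in CATEGORY_URN.items()}

# Canonical request: {category: {attributeId: value}}, string values only
REQUEST = {
    "subject": {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": "Alice"},
    "resource": {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": "hello"},
    "action": {"urn:oasis:names:tc:xacml:1.0:action:action-id": "say"},
}


def to_xml(request):
    """Serialize the canonical request as the slide-22 XML (xacml-ctx prefix)."""
    ET.register_namespace("xacml-ctx", XACML_NS)
    root = ET.Element(f"{{{XACML_NS}}}Request",
                      {"ReturnPolicyIdList": "true", "CombinedDecision": "false"})
    for category, attrs in request.items():
        cat = ET.SubElement(root, f"{{{XACML_NS}}}Attributes",
                            {"Category": CATEGORY_URN[category]})
        for attr_id, value in attrs.items():
            a = ET.SubElement(cat, f"{{{XACML_NS}}}Attribute",
                              {"AttributeId": attr_id, "IncludeInResult": "true"})
            ET.SubElement(a, f"{{{XACML_NS}}}AttributeValue",
                          {"DataType": XS_STRING}).text = value
    return ET.tostring(root, encoding="unicode")


def from_xml(text):
    """Parse the XML form back into the canonical request."""
    root = ET.fromstring(text)
    request = {}
    for cat in root.findall(f"{{{XACML_NS}}}Attributes"):
        category = URN_CATEGORY[cat.get("Category")]   # unknown URN -> KeyError
        for a in cat.findall(f"{{{XACML_NS}}}Attribute"):
            value = a.find(f"{{{XACML_NS}}}AttributeValue")
            if value is None or value.get("DataType") != XS_STRING:
                raise ValueError("only xs:string attribute values are handled here")
            request.setdefault(category, {})[a.get("AttributeId")] = value.text
    return request


def to_json(request):
    """Serialize the canonical request in the compact shape of slide 23."""
    return json.dumps({
        category: {"attribute": [{"attributeId": k, "value": v} for k, v in attrs.items()]}
        for category, attrs in request.items()
    }, separators=(",", ":"))


def from_json(text):
    """Parse the slide-23 JSON shape back into the canonical request."""
    request = {}
    for category, body in json.loads(text).items():
        if category not in CATEGORY_URN:
            raise ValueError(f"unknown category {category!r}")
        for a in body["attribute"]:
            request.setdefault(category, {})[a["attributeId"]] = a["value"]
    return request


def compare_sizes(request):
    """Return {encoding: (characters, whitespace-separated words)}, as on slide 24."""
    xml_text, json_text = to_xml(request), to_json(request)
    return {"xml": (len(xml_text), len(xml_text.split())),
            "json": (len(json_text), len(json_text.split()))}


if __name__ == "__main__":
    assert from_xml(to_xml(REQUEST)) == REQUEST == from_json(to_json(REQUEST))
    print(compare_sizes(REQUEST))
```

Either body is what the REST profile of slide 25 carries over HTTP; the XML form is labelled with the `application/xacml+xml` media type and the JSON profile's form with `application/xacml+json`. Whichever encoding a PEP sends, the PDP should still reject attribute categories and data types it does not recognise rather than silently ignoring them, which is why both decoders above fail closed.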
  • 25. REST Profile: XML over HTTP, JSON over HTTP
  • 26. ALFA – Abbreviated Language for Authorization
    § Domain Specific Language (DSL) that provides an abstraction over XACML
    § Pseudo language is similar to C# or Java
    § Author policies in Eclipse IDE, plug-in automatically generates XACML
    Axiomatics has committed to submit ALFA as an XACML profile
  • 27. A policy example, in English
    /**
     * A manager can approve a transaction if their approval limit is greater than
     * the transaction amount and if the risk is less than 5
     */
    Let’s take a look at this policy in XACML and ALFA
  • 28–30. A policy example, in XACML (one policy, split across three slides)
    <?xml version="1.0" encoding="UTF-8"?>
    <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).-->
    <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
      <xacml3:Description>Let a manager approve a transaction if their approval limit is greater than the transaction amount and if the risk is less than 5</xacml3:Description>
      <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
      </xacml3:PolicyDefaults>
      <!-- Target: manager, approve, transaction (all three must match) -->
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
              <xacml3:AttributeDesignator AttributeId="userRole" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
            </xacml3:Match>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml3:AttributeValue>
              <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
            </xacml3:Match>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transaction</xacml3:AttributeValue>
              <xacml3:AttributeDesignator AttributeId="resourceType" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
      <!-- Rule: permit when 5.0 > transactionRiskScore and transactionAmount <= userApprovalLimit -->
      <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction.allowIfLowRiskScore">
        <xacml3:Description/>
        <xacml3:Target/>
        <xacml3:Condition>
          <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
              <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than"/>
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">5.0</xacml3:AttributeValue>
              <xacml3:AttributeDesignator AttributeId="transactionRiskScore" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
            </xacml3:Apply>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
              <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal"/>
              <xacml3:AttributeDesignator AttributeId="transactionAmount" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
              <xacml3:AttributeDesignator AttributeId="userApprovalLimit" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
            </xacml3:Apply>
          </xacml3:Apply>
        </xacml3:Condition>
      </xacml3:Rule>
    </xacml3:Policy>
  • 31. A policy example, in ALFA
    policy allowTransaction {
        target clause userRole == "manager" and actionId == "approve" and resType == "transaction"
        apply firstApplicable
        rule allowIfLowRiskScore {
            condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
            permit
        }
    }
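To make the decision semantics behind these slides concrete, here is a deliberately small PDP, added as an example and not part of the presentation or of Axiomatics' products, that evaluates two of the policies discussed: the NIST department rule of slides 16 and 17 and the ALFA allowTransaction policy of slide 31. Policies are Python callables rather than XACML or ALFA text; the attribute ids, the hospital data used as the "authoritative source" and the PEP helper are assumptions of this example. The point it shows that the slides do not: with MustBePresent="false", a missing attribute yields NotApplicable and never Permit, and a deny-biased PEP treats anything but Permit as a refusal.

```python
"""Added example (not from the slides or Axiomatics): a tiny PDP with
XACML-like target/rule/first-applicable semantics, evaluating the NIST
department rule (slides 16-17) and the allowTransaction policy (slide 31)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, Dict[str, object]]      # category -> attributeId -> value
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


class EmptyBag(Exception):
    """Raised when an attribute designator finds no value in the request."""


def attr(req: Request, category: str, attribute_id: str):
    """Attribute designator: the single value, or EmptyBag when absent."""
    try:
        return req[category][attribute_id]
    except KeyError:
        raise EmptyBag(f"{category}/{attribute_id}") from None


@dataclass
class Rule:
    rule_id: str
    effect: str
    condition: Callable[[Request], bool]


@dataclass
class Policy:
    policy_id: str
    target: Callable[[Request], bool]
    rules: List[Rule]            # combined with first-applicable, as on slide 31


def evaluate(policy: Policy, req: Request) -> str:
    """Policy decision. Every designator behaves like MustBePresent="false"
    (slides 28-30): an empty bag makes a Match "no match" and a condition
    false, so a missing attribute can only make the policy NotApplicable."""
    try:
        if not policy.target(req):
            return NOT_APPLICABLE
    except EmptyBag:
        return NOT_APPLICABLE
    for rule in policy.rules:                 # first-applicable
        try:
            if rule.condition(req):
                return rule.effect
        except EmptyBag:
            pass                              # this rule is NotApplicable; try the next
    return NOT_APPLICABLE


def pep_allows(decision: str) -> bool:
    """Deny-biased PEP: only an explicit Permit opens the door."""
    return decision == PERMIT


# Slide 31 (ALFA): a manager may approve a transaction if risk < 5 and amount <= limit
allow_transaction = Policy(
    "allowTransaction",
    target=lambda r: attr(r, "subject", "userRole") == "manager"
    and attr(r, "action", "actionId") == "approve"
    and attr(r, "resource", "resType") == "transaction",
    rules=[Rule("allowIfLowRiskScore", PERMIT,
                lambda r: attr(r, "resource", "transactionRiskScore") < 5
                and attr(r, "resource", "transactionAmount")
                <= attr(r, "subject", "userApprovalLimit"))])

# Slide 17 (NIST): nurse practitioners view records of patients in their own department.
# No department name appears in the policy, so adding a department changes nothing here.
view_patient_records = Policy(
    "viewPatientRecords",
    target=lambda r: attr(r, "subject", "role") == "nurse-practitioner"
    and attr(r, "action", "actionId") == "view"
    and attr(r, "resource", "resType") == "patient-record",
    rules=[Rule("sameDepartment", PERMIT,
                lambda r: attr(r, "subject", "department")
                == attr(r, "resource", "department"))])

# Constructed "authoritative source" (a PIP) for a patient's department, slide 16
PATIENT_DEPARTMENT = {"pt-1001": "cardiology", "pt-2002": "oncology"}


def with_patient_department(req: Request) -> Request:
    """Enrich a request whose resource carries only a patient id."""
    resource = dict(req.get("resource", {}))
    department = PATIENT_DEPARTMENT.get(resource.get("patientId"))
    if department is not None:
        resource["department"] = department
    return {**req, "resource": resource}


def transaction_request(role, limit, amount, risk=None) -> Request:
    resource = {"resType": "transaction", "transactionAmount": amount}
    if risk is not None:
        resource["transactionRiskScore"] = risk
    return {"subject": {"userRole": role, "userApprovalLimit": limit},
            "action": {"actionId": "approve"}, "resource": resource}


def nurse_request(nurse_department, patient_id) -> Request:
    return with_patient_department({
        "subject": {"role": "nurse-practitioner", "department": nurse_department},
        "action": {"actionId": "view"},
        "resource": {"resType": "patient-record", "patientId": patient_id}})


if __name__ == "__main__":
    print(evaluate(allow_transaction, transaction_request("manager", 5000, 1200, 3)))
    print(evaluate(allow_transaction, transaction_request("manager", 5000, 1200)))
    print(evaluate(view_patient_records, nurse_request("cardiology", "pt-1001")))
```

A real PDP also returns Indeterminate (with a status code) when a designator marked MustBePresent="true" finds nothing, and a PEP must treat that the same way as NotApplicable. Either way the safe reading of anything other than Permit is "no".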
  • 32. OAuth & XACML? Further simplification of XACML? Prognostications
  • 33. How can OAuth and XACML complement each other?
    § OAuth: popular authZ mechanism for API security and consumer scenarios
    § Missing from OAuth: declarative policy language
    What if?
    § XACML policies were used to control scopes for OAuth tokens
  • 34. Easy consumption of JWT tokens for advanced authorization via XACML-based service
    [diagram: a JWT feeding the JSON authorization request of slide 23 into the XACML-based service]
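The token-to-request step that slide 34 pictures, written out as an added example (not code from the presentation or from Axiomatics): a JWT is checked and its claims become subject attributes in the compact JSON request of slide 23, while the resource and action come from the API call being authorized. The token is a constructed HS256 token verified with the standard library; the shared key, the claim names `roles`, `department` and `scope`, and the attribute ids in the resulting request are assumptions of this example.

```python
"""Added example (not from the slides or Axiomatics): verify a JWT and map its
claims to the slide-23 JSON authorization request, so that the OAuth token
supplies the subject attributes of an XACML decision request (slide 34)."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Constructed test token; in a deployment the OAuth AS issues tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes, now: float) -> dict:
    """Return the claims only if algorithm, signature and expiry check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # the verifier, not the token, picks the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def token_accepted(token: str, key: bytes, now: float) -> bool:
    try:
        verify_hs256_jwt(token, key, now)
        return True
    except ValueError:                          # covers base64 and JSON errors too
        return False


def xacml_request_from_jwt(token: str, key: bytes, resource_id: str,
                           action_id: str, now=None) -> dict:
    """Map verified claims to the slide-23 JSON shape. Subject attributes come
    from the token; resource and action describe the API call being checked."""
    claims = verify_hs256_jwt(token, key, time.time() if now is None else now)
    subject = [{"attributeId": "username", "value": claims["sub"]}]
    for role in claims.get("roles", []):
        subject.append({"attributeId": "role", "value": role})
    if "department" in claims:
        subject.append({"attributeId": "department", "value": claims["department"]})
    for scope in claims.get("scope", "").split():      # OAuth scopes become attributes too
        subject.append({"attributeId": "scope", "value": scope})
    return {"subject": {"attribute": subject},
            "resource": {"attribute": [{"attributeId": "resource-id", "value": resource_id}]},
            "action": {"attribute": [{"attributeId": "action-id", "value": action_id}]}}


# Constructed demo data (assumed key and claim names)
DEMO_KEY = b"example-shared-secret-not-for-production"
DEMO_NOW = 1_400_000_000
DEMO_CLAIMS = {"sub": "alice", "roles": ["manager"], "department": "finance",
               "scope": "orders:read orders:approve", "exp": DEMO_NOW + 600}

if __name__ == "__main__":
    tok = make_hs256_jwt(DEMO_CLAIMS, DEMO_KEY)
    print(json.dumps(xacml_request_from_jwt(tok, DEMO_KEY, "hello", "say", now=DEMO_NOW), indent=1))
```

The request that comes out is what the XACML policy sees, so the claims the PEP copies into it are exactly the claims the policy can reason about; scopes arrive as ordinary subject attributes, which is the combination the "What if?" on slide 33 points at.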
  • 35. On the further simplification of XACML
    § REST and JSON profiles greatly simplify the developer experience
    § See David Brossard’s workshop material from Sunday
    § But what about the policy language?
  • 36. SCIM + XACML
  • 37. Questions? Thank you for listening
