1. Top Ten Reasons Why Developers Don’t Adopt ABAC
IRM Summit – Phoenix – June 2014
Gerry Gebel
Axiomatics
gerry@axiomatics.com
@ggebel
© 2014 Axiomatics AB 1
5. What is Attribute Based Access Control (ABAC)?
A mode of externalized authorization
Authorization policies/rules are managed in a centralized service (deployment can be centralized/distributed/hybrid)
The Extensible Access Control Markup Language (XACML) is an example of an ABAC system
Policies utilize attributes to describe specific access rules, which is why it is called attribute based access control
9. The data protection problem
Protecting credit card numbers, financial data, accounts, etc.
10. The data protection problem
Information storage – global increase
Based on: Hilbert and Lopez, 2011
[Chart: global information storage 1986–2007, from ~0.7% digital to ~93% digital; overlay DAC → MAC → RBAC → ABAC, increasing access control challenges]
11. Legacy access controls fail in dynamic environments
[Diagram: legacy access control vs. attribute based access control]
12. Policy example – expanded from NIST* report
Nurse Practitioners can View the Records of Patients in the same Department they are assigned to during shift hours
This rule can apply to all departments in the hospital
Add a new department or change names of departments and the rule does not change
The rule compares the department of the Nurse Practitioner to the department of the Patient
Attribute categories used in the rule: subject attributes, action attributes, resource attributes, environment attributes
* nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
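The nurse practitioner rule above, evaluated the way an ABAC decision engine would: this is an added example and not code from the slides or from Axiomatics. The attribute names, the request shape and the shift window are assumptions for the illustration; note that no department name appears in the rule, which is the point slide 12 makes.

```python
# Added example (not from the slides): a minimal PDP-style evaluation of the
# NIST-style rule "Nurse Practitioners can View the Records of Patients in the
# same Department they are assigned to during shift hours". Attribute names,
# the request shape and the shift window are assumptions for this illustration.
from datetime import time

SHIFT_START, SHIFT_END = time(7, 0), time(19, 0)  # constructed shift window


def evaluate(request: dict) -> str:
    """Return "Permit", "Deny" or "NotApplicable" for one access request.

    request holds the four XACML attribute categories as plain dicts:
    subject, action, resource, environment. A missing attribute never widens
    access: where a real PDP would say Indeterminate, this collapses to Deny.
    """
    subj = request.get("subject", {})
    act = request.get("action", {})
    res = request.get("resource", {})
    env = request.get("environment", {})

    # Target: the rule only speaks about nurse practitioners viewing records.
    if not (subj.get("role") == "nurse-practitioner"
            and act.get("action-id") == "view"
            and res.get("type") == "patient-record"):
        return "NotApplicable"

    # Condition 1: subject department must equal resource department. No
    # department is named here, so adding or renaming departments changes
    # nothing in the rule; only the attribute values differ per request.
    subj_dept, res_dept = subj.get("department"), res.get("department")
    if subj_dept is None or res_dept is None or subj_dept != res_dept:
        return "Deny"

    # Condition 2: environment attribute (current time) must fall in shift.
    now = env.get("current-time")
    if now is None or not (SHIFT_START <= now < SHIFT_END):
        return "Deny"
    return "Permit"


def sample_request(subj_dept: str, res_dept: str, hour: int) -> dict:
    """Constructed request for the reader and the checks below."""
    return {
        "subject": {"subject-id": "alice", "role": "nurse-practitioner",
                    "department": subj_dept},
        "action": {"action-id": "view"},
        "resource": {"type": "patient-record", "department": res_dept},
        "environment": {"current-time": time(hour, 0)},
    }
```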
15. 1. “It will impact performance”
16. Response #1
There are many ways to scale or configure for maximum performance
Utilize caching of policies, attributes and decisions
Employ faster communication protocols, like Apache Thrift
Place the decision engine closer to the application it’s protecting
Embed the decision engine within the application to eliminate network hops
Use smart policy modeling to make evaluations more efficient
ABAC systems are proven in very large deployments
200+ million users
20,000 access requests per second
Your ABAC system should have many modes of operation to address many scenarios
18. Response #2
Fine, don’t use it… try JSON instead
Go from this:
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
19. Response #2
To this:
{"subject":
{"attribute":[{
"attributeId":"username",
"value":"alice"}]},
"resource":
{"attribute":[{
"attributeId":"resource-id",
"value":"hello"}]},
"action":
{"attribute":[{
"attributeId":"action-id",
"value":"say"}]}} 0
200
400
600
800
1000
1200
1400
Char. Count
XML
JSON
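The conversion the two slides imply, written out as an added example (not code from the slides or from Axiomatics): parse the XACML 3.0 XML request of slide 18 and emit the compact JSON shape of slide 19. The category-to-key mapping and the "username" short id are assumptions read off that slide's JSON, not the XACML JSON profile; the size ratio at the end is the slide's bar chart in one number.

```python
# Added example (not from the slides): turn the XACML 3.0 XML request of
# slide 18 into the compact JSON shape of slide 19. Category keys and the
# "username" short id are assumptions taken from that slide's JSON.
import json
import xml.etree.ElementTree as ET

NS = {"ctx": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
CATEGORIES = {  # category URI -> JSON key (assumed from slide 19)
    "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject": "subject",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:resource": "resource",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:action": "action",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:environment": "environment",
}
SHORT_IDS = {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": "username"}


def xacml_to_json(xml_text: str) -> dict:
    """Parse the XML request; empty categories (slide 18's environment) are dropped."""
    root = ET.fromstring(xml_text)
    out = {}
    for attrs in root.findall("ctx:Attributes", NS):
        key = CATEGORIES.get(attrs.get("Category"))
        if key is None:
            continue  # unknown category: skip rather than guess a key
        items = []
        for attr in attrs.findall("ctx:Attribute", NS):
            full_id = attr.get("AttributeId", "")
            short = SHORT_IDS.get(full_id, full_id.rsplit(":", 1)[-1])
            for val in attr.findall("ctx:AttributeValue", NS):
                items.append({"attributeId": short, "value": val.text or ""})
        if items:
            out[key] = {"attribute": items}
    return out


def size_ratio(xml_text: str) -> float:
    """Characters of XML per character of compact JSON (the slide's chart)."""
    return len(xml_text) / len(json.dumps(xacml_to_json(xml_text), separators=(",", ":")))


# Constructed request matching slide 18 (Alice says hello); DataType attributes omitted.
SAMPLE_XML = """<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
   <AttributeValue>Alice</AttributeValue></Attribute></Attributes>
 <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"/>
 <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
   <AttributeValue>hello</AttributeValue></Attribute></Attributes>
 <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
   <AttributeValue>say</AttributeValue></Attribute></Attributes>
</Request>"""
```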
20. 3. “It makes the system more complex”
21. Response #3
So you prefer to pollute your application code with security stuff?
There are trade-offs to consider when outsourcing functions to an external service
For the developer, the interface is very simple
Send a package of attributes to the AuthZ service (REST)
Process the Permit/Deny response
22. 4. “I can do it faster myself”
23. Response #4
IT lead time to set up an authorization service can be time consuming
If you have heavyweight processes for setting up new hardware, VM images, etc.
One-time pain generates many returns for future projects
But few want to be the first mover
Option: bundle the authorization service with your application
Less reliance on IT services
All the necessary components are packaged with the application
24. 5. “I don’t care about enterprise issues”
,
25. Response #5
What are the results of this bad attitude?
IT has to provision accounts and identity data to every application built this way (which launched the comma into IAM legend status)
Legions of application managers now hate you because they have to manually review stacks of permissions and roles from your app and everyone else that built apps the same way
Congratulations, we now have 500 applications and 50,000 roles
26. 6. “My code is more flexible”
27. Response #6
You may be right, for a particular use case
But
How long did it take to code?
Is it adaptable to the next scenario?
How much effort is required to maintain your code?
28. 7. “I don’t know where the attributes are”
29. Response #7
No need to concern yourself
Just send the attributes available in the user session
Subject identifier
Resource identifier
Action
Role or group info
Device type
Authentication type
Etc.
The authorization service handles the rest, looking up additional attributes if necessary
30. 8. “What if the external service fails?”
31. Response #8
Practice good hygiene
Eliminate single points of failure
Understand failure modes and document processes for recovery
Implement change control processes that permit rolling back to a known state
But these are tasks for the IT department, and it’s their specialty
32. 9. “Who will manage the policies, me?”
33. Response #9
If you insist, yes
Policies are easily created using the ALFA shorthand syntax
Similar to C# or Java
Plug-in for Eclipse
Submitted to OASIS for standardization
Or you can rely on business owners, the security office or system administrators to create and manage access policies
It’s another item off your plate
34. 10. “Isn’t ABAC just a new fad?”
Like, say, sock shots at conferences…
35. Response #10: The ABAC trend
2005 – XACML version 2.0: concept production-ready for enterprise needs.
2006 – Axiomatics founded. First project: a nationwide eHealth service.
2009 – US Federal CIO Council (FICAM) Roadmap and Implementation Plan v1.0 advocates ABAC
2011 – FICAM v2.0: ABAC recommended access control model for promoting information sharing between diverse and disparate organizations.
2013 – XACML version 3.0
2014 – NIST Guide on ABAC
2014 – Gartner predicts: ”By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today.”
ABAC = Attribute Based Access Control
37. Summary
Touched on some issues of why developers resist ABAC
There are others….
Hopefully you’ve learned some ways to deal with objections
Editor's Notes
Based on the Hilbert and Lopez assessment of global information storage over time, this graph shows how the sum total of stored information increased in the time span 1986 to 2007. The interesting part is not only the overall increase but also how information is increasingly stored digitally. In 2007 the assessment showed that some 93% of the information was stored in some kind of digital format – as opposed to less than 1% in 1986.
This vast increase in the overall accumulation of stored data – and particularly the digital data – should be considered in our following discussions. Today’s topic is the protection of data – more precisely, access controls for the protection of data. This graph illustrates why the topic is becoming increasingly urgent.
2005 – XACML version 2.0: concept production-ready for enterprise needs
2006 – Axiomatics founded, first project a nationwide eHealth service
2009 – US Federal CIO Council – Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Plan v1.0 advocates Attribute Based Access Control (ABAC)
2011 – FICAM v. 2.0: ABAC recommended access control model for promoting information sharing between diverse and disparate organizations
2012 – NIST Guide to Attribute Based Access Control (ABAC)
2013 – XACML version 3.0
2014 – Gartner predicts: By 2020, 70% of all businesses will use attribute based access control (ABAC) as the dominant mechanism to protect critical assets, up from 5% today.