Do you have a business case for Attribute Based Access Control (ABAC)?



This is the slide deck from an Axiomatics webinar held on April 3, 2014. To see the webinar recording itself, visit the webinar section on the Axiomatics home page. There you will also find the questions and answers section - there were a few interesting discussions at the end of the session.



  1. Do you have a business case for Attribute Based Access Control (ABAC)? Webinar: April 3, 2014. © 2014 Axiomatics AB
  2. Count-down for webinar start (title slide repeated)
  3. Guidelines
     - You are muted centrally
     - The webinar is recorded
     - Slides available for download
     - Q&A at the end
  4. Today's speakers: Finn Frisch, Gerry Gebel
  5. Twitter: @axiomatics #XACML
  6. Introduction: overview and preamble
     - Business drivers: why organizations invested in ABAC
     - Business challenges: what problems they solved
     - Business values: what benefits they gained
  7. The ABAC trend (Introduction). ABAC = Attribute Based Access Control.
     - 2005: XACML version 2.0. Concept production-ready for enterprise needs.
     - 2006: Axiomatics founded. First project: a nation-wide eHealth service.
     - 2009: US Federal CIO Council (FICAM) Roadmap and Implementation Plan v1.0 advocates ABAC.
     - 2011: FICAM v2.0: ABAC is the recommended access control model for promoting information sharing between diverse and disparate organizations.
     - 2013: XACML version 3.0.
     - 2014: NIST Guide on ABAC.
     - 2014: Gartner predicts: "By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today."
  8. What is Attribute Based Access Control (ABAC)? (Introduction)
     - A mode of externalized authorization
     - Authorization policies/rules are managed in a centralized service (deployment can be centralized, distributed or hybrid)
     - The eXtensible Access Control Markup Language (XACML) is the OASIS standard policy language and architecture for ABAC
     - Policies use attributes to describe specific access rules, which is why it is called attribute based access control
  9. Example from the NIST report (Introduction)
     - "This flexibility [of ABAC] provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object"
     - Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients
     - Variables in the policy language enable very efficient policy structures, reducing the maintenance load
     - Management of heart patient records is part of the business application, not an IT function
     - Multiple attributes must be available for policy evaluation, either as part of the access request or retrieved from their source
  10. NIST example, expanded (Introduction)
     - Nurse Practitioners can View the Records of Patients in the same Department they are assigned to
     - This one rule applies to all departments in the hospital
     - Add a new department or rename a department and the rule does not change
     - The rule compares the department of the Nurse Practitioner with the department of the Patient
     - Avoids the role explosion effect of RBAC models
  11. Why are we seeing this shift to ABAC? (Introduction)
     - Today's business environment is more global, dynamic and collaborative
     - First generation access models cannot cope in a "need to share" world
     - Users demand access to any data, from any device, at any time
  12. Why organizations invest in ABAC technology (Business drivers)
     - Business enabler: expose data and APIs to customers and partners
     - Consolidated infrastructure: write once, enforce everywhere
     - Enhanced security: consistent authorization enforcement across applications
     - Compliance: implement legal frameworks
  13. Attribute Based Access Control (ABAC) objectives (Business drivers)
     - Gain competitive advantage and create new revenue streams
     - Minimize the risk of fraud with dynamic, real-time access control
     - Meet global regulatory and privacy requirements
     - Cut time to market and streamline internal development
  14. Business challenge: Collaboration ...depends on efficient information sharing... which depends on precision in access controls
  15. Business challenge: Legacy access controls fail in dynamic environments (figure: legacy access control versus attribute based access control)
  16. Achievements made: return on investment (ROI) (Business values)
     - Question: Before you went for Attribute Based Access Control (ABAC), how would you have approached the type of solution you now have built?
     - Answer: We wouldn't. It would simply not have been possible to build this type of service with the access control models we used before.
     - ROI = the ROI of a new service that gives a competitive advantage
  17. Conclusion: ABAC enables secure information sharing. Challenge: Collaboration. Objective: Increase revenue.
  18. Business challenge: Speed in business transactions ...depends on efficient delegation of powers... while losses due to fraud or excessive risk taking are minimized
  19. The RBAC Sudoku (Business challenge; figure labelled A, B, C)
  20. Using ABAC to overcome the RBAC weakness (Business challenge)
     - Solution: to authorize a Service Entry and Release, enforce the following XACML rule: PERMIT Service Entry and Release for users with Cost Center Signature Authority for Purchase Orders of their own Cost Centers, provided they were not previously involved in the creation, editing or approval of the related Purchase Order or of the corresponding Vendor or Service Provider account.
     - Result: multiple attributes combined (cost center, PO and Vendor approver etc.), not just the role of the user, are considered to minimize the risk (in our example, the risk of individuals releasing service entries for their own fraudulent purchase orders).
  21. Achievements made: return on investment (ROI) (Business values)
     - "Maintain separation of duties so that no one person has too much control"
     - "Reduce risks of data breaches, data leakage and identity theft"
     - "Prevent or limit unauthorized bank system access or use"
  22. Conclusion: ABAC enables delegation of powers for secure transactions. Challenge: Speed in transactions. Objective: Minimize loss.
  23. Business challenge: Regulatory compliance ...depends on efficient IT governance... which in turn depends on correct and verifiable authorizations
  24. Business challenge (figure only)
  25. Achievements made: return on investment (ROI) (Business values)
     - "[...] is a multi-national company and must comply with financial regulations in multiple jurisdictions. [...] Application-external authorization must ensure applications at all times comply with changing and country specific regulations."
     - ROI = avoiding fines, avoiding reputational damage
  26. Conclusion: ABAC auditably controls who has access to what, where, when, why and how. Challenge: Compliance / Governance. Objective: Avoiding fines / reputational damage.
  27. Business challenge: Timely service delivery ...depends on efficient software development... and on change management not causing delays
  28. Business challenge: Costly access control, expensive change management (figure)
  29. Implementing authorization in applications (Business challenge)
     Legacy access control: authorization checks repeated over and over in code:
         if (!User.IsInRole("Administrators")) {
             Msg.Text = "Access denied.";
             ListBox.Visible = false;
             return;
         }
     Imagine more conditions: data classification, ListBox.DataSource, the administrator's clearance level ...
     Attribute based access control: write once, use many times. Simply send an access request to the authorization service:
         Req = BuildRequest(UserID, ListBox);
         if (!PDPPermit(Req)) ...
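The department rule from slides 9 and 10, the Service Entry and Release rule from slide 20 and the "send an access request" pattern from slide 29 all reduce to the same machinery: the application ships identifiers, a policy decision point (PDP) evaluates attribute rules, and a policy information point (PIP) fetches whatever attributes the request did not carry. The Python below is an added example written for this page; it is not Axiomatics code and not XACML (a XACML deployment would express the same rules declaratively in policy documents). Everything in it is assumed for illustration: the rule and attribute names, the user, record, purchase order, cost center and vendor identifiers, the in-memory tables standing in for an HR directory, an EHR and an ERP, and the choice of deny-overrides combining.

```python
# Added example: a minimal ABAC policy decision point (PDP) with a policy information
# point (PIP). Not Axiomatics or XACML code; all identifiers and data rows are constructed.
from collections import namedtuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Rule = namedtuple("Rule", "name effect condition")  # condition: (Request, PIP) -> bool
Request = namedtuple("Request", "subject action resource")  # subject/resource: dicts with an "id"

class AttributeMissing(Exception):
    """A needed attribute is neither in the request nor resolvable from the PIP."""

class PolicyInformationPoint:
    """Resolves attributes from tables shaped {category: {id: {attribute: value}}}."""

    def __init__(self, sources):
        self.sources = sources

    def get(self, category, ident, attribute):
        try:
            return self.sources[category][ident][attribute]
        except KeyError:
            raise AttributeMissing(f"{category}:{ident}.{attribute}") from None

def attr(bag, pip, category, name):
    """Attributes sent in the request win; otherwise look them up by the bag's id."""
    return bag[name] if name in bag else pip.get(category, bag.get("id"), name)

class PDP:
    """Combines rule results with deny-overrides: Deny > Indeterminate > Permit > NotApplicable."""

    def __init__(self, rules, pip):
        self.rules, self.pip = rules, pip

    def evaluate(self, rule, req):
        try:
            return rule.effect if rule.condition(req, self.pip) else NOT_APPLICABLE
        except AttributeMissing:
            return INDETERMINATE  # a missing attribute can never turn into a Permit

    def decide(self, req):
        results = [self.evaluate(rule, req) for rule in self.rules]
        return next((d for d in (DENY, INDETERMINATE, PERMIT) if d in results), NOT_APPLICABLE)

    def permit(self, req):
        return self.decide(req) == PERMIT  # anything but an explicit Permit fails closed

def nurse_same_department(req, pip):
    """NIST example: a Nurse Practitioner may view records of patients in her own department.
    Two attributes are compared, so new or renamed departments change data, not this rule."""
    return (req.action == "view" and req.resource.get("type") == "patient-record"
            and attr(req.subject, pip, "subject", "role") == "NursePractitioner"
            and attr(req.subject, pip, "subject", "department")
            == attr(req.resource, pip, "patient-record", "department"))

def cost_center_authority(req, pip):
    """Permit Service Entry and Release to users with signature authority for the PO's cost center."""
    if req.action != "release" or req.resource.get("type") != "service-entry":
        return False
    po_id = attr(req.resource, pip, "service-entry", "purchase_order")
    cost_center = pip.get("purchase-order", po_id, "cost_center")
    return cost_center in attr(req.subject, pip, "subject", "signature_authority")

def previously_involved(req, pip):
    """Deny rule (separation of duties): whoever created, edited or approved the related
    PO, or the vendor account it refers to, must not be the one releasing it."""
    if req.action != "release" or req.resource.get("type") != "service-entry":
        return False
    po_id = attr(req.resource, pip, "service-entry", "purchase_order")
    vendor_id = pip.get("purchase-order", po_id, "vendor")
    user = req.subject["id"]
    return (user in pip.get("purchase-order", po_id, "involved")
            or user in pip.get("vendor", vendor_id, "involved"))

# Constructed attribute sources standing in for an HR directory, the EHR and the ERP.
SOURCES = {
    "subject": {
        "u-anna": {"role": "NursePractitioner", "department": "Cardiology", "signature_authority": set()},
        "u-cem": {"role": "Buyer", "department": "Finance", "signature_authority": {"CC-100"}},
        "u-dee": {"role": "Buyer", "department": "Finance", "signature_authority": {"CC-100"}},
    },
    "patient-record": {"rec-1": {"department": "Cardiology"}, "rec-2": {"department": "Oncology"}},
    "service-entry": {"se-1": {"purchase_order": "PO-1"}},
    "purchase-order": {"PO-1": {"cost_center": "CC-100", "vendor": "V-7", "involved": {"u-dee"}}},
    "vendor": {"V-7": {"involved": set()}},
}

def build_pdp(sources=SOURCES):
    return PDP([Rule("nurse-same-department", PERMIT, nurse_same_department),
                Rule("cost-center-authority", PERMIT, cost_center_authority),
                Rule("sod-prior-involvement", DENY, previously_involved)],
               PolicyInformationPoint(sources))

def build_request(user_id, action, resource_type, resource_id):
    """The 'write once' pattern: the application ships identifiers and asks the PDP."""
    return Request(subject={"id": user_id}, action=action,
                   resource={"id": resource_id, "type": resource_type})
```

Two details matter for a practitioner. A rule that cannot obtain an attribute evaluates to Indeterminate rather than Permit, and permit() treats anything but an explicit Permit as a denial, so an unknown user or a missing department never slips through. The separation-of-duties requirement is written as a Deny rule and combined with deny-overrides, so a user who holds cost center authority for a purchase order she was involved in is refused even though the permit rule matches. Attributes supplied in the request take precedence over the PIP, which is only safe when the policy enforcement point asserting them is trusted; attributes a client could forge belong in the PIP lookup.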
  30. Code maintenance: return on investment (ROI) (Business values)
     - $312 billion: estimated global expenditure on software debugging in 2012
     - 52%: portion of total effort spent fixing "architecturally complex defects", which account for only 8% of all defects*
     - ROI = reduced software development costs + improved quality + reduced time-to-market for new services
     * Scott Buchholz and David Sisk, directors, Deloitte Consulting LLP, "Technical debt reversal: Lowering the IT debt ceiling", in "Tech Trends 2014: Inspiring Disruption"
  31. Conclusion: ABAC enables "write once, use many" patterns, which reduce code complexity and shorten release cycles. Challenge: Software maintenance. Objective: Time-to-market gains, cost reduction.
  32. References: reading materials, upcoming webinars
  33. Reading materials (References)
     - Axiomatics White Paper: The Business Case for Attribute Based Access Control
     - Axiomatics White Paper: Getting Started with ABAC
     - NIST paper on ABAC
     Webinars
     - Get started now! Attribute Based Access Control (ABAC) for applications. April 10, 2014
     - Protect business critical data with dynamic authorization for databases. May 8, 2014
  34. Questions? Thank you for listening