
Enabling ABAC on APIs


  1. © 2015 Axiomatics - @axiomatics. Do you have an authorization challenge? Secure your sensitive data using the Axiomatics Policy Server / Axway API Gateway.
  2. The value of information / data
     - What is the protection of confidential data worth to your enterprise?
     - What would your team be able to build if there were no restrictions?
     - How valuable is your data at rest? In motion?
     - Find your golden eggs: which data deserves high protection?
  3. The traditional way to achieve access control
     - Binary mechanisms: all or nothing (firewalls...)
     - Basic roles determine coarse-grained access
     - Administrators have access to all
     - Data is not digitized: security through 'obscurity'
  4. Axiomatics – Who We Are: Axiomatics is the leading provider of fine-grained authorization solutions that help enterprises share their data securely. (Sharing securely is the true caring.)
  5. Axiomatics – What We Do: we allow you to permit or deny access to data based on multiple factors
     - Who can access information
     - What information can they access
     - When can they access information
     - Where can they access information from
     - How can they access information: from which device or via which API
     - Why can they access information: for what reason
  6. Business Drivers: Secure Collaboration; Regulatory Compliance and Governance; New business & consumer mobile-driven interactions; Time-to-market & Consolidation
  7. The Authorization challenge: Externalizing, Centralizing, and Standardizing Authorization
  8. It's a mess
  9. And it's not getting any better: B2B, B-2-cloud-B, Organization X, Organization Y
  10. Attribute-based access control (ABAC): enhance your access control
     - Externalized: access control is externalized from the business logic
     - Centralized: access control policies are maintained centrally
     - Standardized: access control policies use XACML, the eXtensible Access Control Markup Language
     - Flexible: ABAC can be applied to APIs, databases, and more
     - Dynamic: access decisions are made dynamically at runtime
     - Context-based / Risk-based
  11. Attribute-based Access Control: enable real-time access reviews & compliance audits
     - ABAC uses policies to define access rights
     - Policies can express advanced scenarios, e.g. segregation of duty, risk-based access control, geo-based access, compliance use cases, healthcare scenarios
     - Policies enable timely and accurate compliance reporting: make the auditors happy
     - Reports: What can a user do? Who can access a given resource / API?
  12. Securing APIs: apply Attribute-based access control to your APIs
  13. Secure your APIs using Axiomatics & Axway. Government Use Case – enable the e-citizen
     - Defense Agency of a European government
     - Challenge: securely expose an API to send/receive messages between government agencies and the e-citizen
     - Solution: Axway API Gateway to expose and secure the messaging APIs; Axiomatics Policy Server to apply fine-grained authorization on the APIs
  14. Secure your APIs using Axiomatics & Axway. Cloud-based services – SaaS – Federate & Control Access
     - Challenge: let users use internal & cloud services seamlessly & make sure they access the relevant data only
     - Solution: route all the calls to the cloud & internal apps via the Axway API Gateway; use the API gateway to federate identities between the internal IdP and the cloud; use the Axiomatics Policy Server to determine whether the user has access to the information in the cloud and to implement fine-grained authorization
     - Make sure the right data ends up in the right hands, right place, right jurisdiction at the right time
  15. Architectural Overview & Flow: Enterprise (IdP, Internal Apps), Axway API Gateway, Axiomatics Policy Server (APS), Cloud Apps (Salesforce...)
  16. Secure your APIs using Axiomatics & Axway. Customer Enablement Use Case – Insurance Company
     - Challenge: unlock insurance data and expose it online via a customer/agent portal
     - Solution: build an API portal using the Axway API Gateway; build a web portal / mobile application that connects to the APIs; use the Axiomatics Policy Server to determine who can view what data
     - Example: agents can only view the insurance profile of a customer they are assigned to
  17. Architectural Overview & Flow (Customer, Web Portal / Mobile App, Axway API Gateway, Axiomatics Policy Server (APS), PIP, Insurance APIs, Insurance Data, Partner)
     1. View insurance contract
     2. The gateway handles authentication & API security
     3. The gateway calls APS for a fine-grained authorization decision: can Bob view insurance contract #123?
     4. APS retrieves metadata about the user and the insurance contract from the PIP
     5. Permit / Deny + extra options
     6. The call is routed to the relevant API
  18. Securing SharePoint: apply Attribute-based access control to SharePoint
  19. Fine-grained access control for MS SharePoint. Use Case: Export Control & Access to Sensitive Material
     - Users: belong to different projects; have different nationalities; have clearance levels
     - Documents: have been classified (sorted, analyzed, and labeled); have a sensitivity classification (LOW, MEDIUM, HIGH); belong to special projects
     - Example rules: documents with a Protective Marking of PINK may only be accessed by subjects with Clearance of Medium or High; documents with a Nationality Constraint may only be accessed by subjects with that Nationality
  20. Fine-grained access control for MS SharePoint. Architectural Overview: Axiomatics Policy Server, Axway API Gateway, PIP, Microsoft SharePoint
  21. Fine-grained access control for MS SharePoint. How does it work?
     - Axway API Gateway handles: authentication / federation; interception; protection of the SharePoint web portal; protection of the SharePoint APIs; calls the Axiomatics Policy Server on the way in and on the way out; filters out content based on decisions from the Axiomatics Policy Server; retrieves metadata from SharePoint APIs
     - Axiomatics Policy Server handles: access control policy definition/design; retrieves metadata from SharePoint APIs; reaches decisions based on information provided by the Axway API Gateway and the SharePoint APIs; can produce additional statements, e.g. encrypt a given web part, send an email notification to the manager
  22. Fine-grained access control for MS SharePoint. Example Request: Can Anne access a document from Project Epsilon? Permit / Deny
  23. What's the next step? Start your ABAC journey with Axiomatics: download the Assessment Package; request an evaluation. Thank You
  24. Thanks for listening. Questions?
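The decision flow on slides 17, 19 and 22 (gateway asks the policy server, the policy server pulls missing attributes from a PIP, and the gateway enforces the Permit/Deny it gets back) is easy to get wrong at the enforcement end. The following is an added example, not Axiomatics or Axway code: a toy policy decision point implementing the two example rules from slide 19, a PIP lookup for attributes the request does not carry, and the fail-closed enforcement check a gateway should apply to the result. The attribute names, the sample users and documents, and the project-membership rule are assumptions made for illustration; the Permit / Deny / NotApplicable / Indeterminate vocabulary and the deny-overrides combining algorithm follow XACML in simplified form.

```python
"""Toy ABAC policy decision point (PDP) + policy information point (PIP) + fail-closed
enforcement point (PEP).  Added example, not Axiomatics/Axway code.  Attribute names,
sample data and rule_project are assumptions; decision vocabulary follows XACML."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample data standing in for the PIP backends (HR, SharePoint metadata).
USERS = {
    "anne": {"clearance": "HIGH", "nationality": "SE", "projects": {"Epsilon", "Delta"}},
    "bob":  {"clearance": "LOW",  "nationality": "GB", "projects": {"Delta"}},
}
DOCUMENTS = {
    "doc-1": {"marking": "PINK",  "nationality-constraint": None, "project": "Epsilon"},
    "doc-2": {"marking": "GREEN", "nationality-constraint": "GB", "project": "Delta"},
    "doc-3": {"marking": "GREEN", "nationality-constraint": None, "project": "Delta"},
}
CLEARANCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


class MissingAttribute(Exception):
    """Raised when neither the request nor the PIP can supply an attribute."""


def pip_lookup(category: str, attr_id: str, key: str):
    """PIP call (step 4 of the insurance flow): fetch an attribute the request lacks."""
    record = (USERS if category == "subject" else DOCUMENTS).get(key)
    if record is None or attr_id not in record:
        raise MissingAttribute(f"{category}:{attr_id} for {key}")
    return record[attr_id]


@dataclass
class Request:
    subject_id: str
    resource_id: str
    action_id: str
    # Attributes the gateway already knows; anything else is pulled from the PIP.
    subject: Dict[str, object] = field(default_factory=dict)
    resource: Dict[str, object] = field(default_factory=dict)


def attr(req: Request, category: str, attr_id: str):
    bag, key = ((req.subject, req.subject_id) if category == "subject"
                else (req.resource, req.resource_id))
    if attr_id not in bag:
        bag[attr_id] = pip_lookup(category, attr_id, key)  # cache for later rules
    return bag[attr_id]


# Each rule returns Permit, Deny or NotApplicable.
def rule_marking(req: Request) -> str:
    """Slide 19: PINK documents require Clearance of MEDIUM or HIGH."""
    if attr(req, "resource", "marking") != "PINK":
        return "NotApplicable"
    rank = CLEARANCE_RANK.get(attr(req, "subject", "clearance"), -1)
    return "NotApplicable" if rank >= CLEARANCE_RANK["MEDIUM"] else "Deny"


def rule_nationality(req: Request) -> str:
    """Slide 19: a Nationality Constraint must match the subject's nationality."""
    constraint = attr(req, "resource", "nationality-constraint")
    if constraint is None:
        return "NotApplicable"
    return "NotApplicable" if attr(req, "subject", "nationality") == constraint else "Deny"


def rule_project(req: Request) -> str:
    """Assumed rule (not on the slides): only project members may read project documents."""
    member = attr(req, "resource", "project") in attr(req, "subject", "projects")
    return "NotApplicable" if member else "Deny"


def rule_read(req: Request) -> str:
    """The one permitting rule: reading is allowed unless a rule above denies it."""
    return "Permit" if req.action_id == "read" else "NotApplicable"


POLICY: List[Callable[[Request], str]] = [rule_marking, rule_nationality, rule_project, rule_read]


def evaluate(req: Request) -> str:
    """Simplified deny-overrides: any Deny wins; a failed attribute lookup yields
    Indeterminate instead of being silently treated as 'rule does not apply'."""
    decisions = []
    for rule in POLICY:
        try:
            decisions.append(rule(req))
        except MissingAttribute:
            decisions.append("Indeterminate")
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in decisions:
            return outcome
    return "NotApplicable"


def enforce(req: Request) -> bool:
    """PEP side (the gateway, step 5): only an explicit Permit lets the call through;
    Deny, NotApplicable and Indeterminate all fail closed."""
    return evaluate(req) == "Permit"


if __name__ == "__main__":
    for who, doc, action in [("anne", "doc-1", "read"), ("bob", "doc-1", "read"),
                             ("carol", "doc-3", "read"), ("anne", "doc-1", "delete")]:
        req = Request(who, doc, action)
        print(f"{who} {action} {doc}: {evaluate(req)} -> allowed={enforce(req)}")
```

The point to take from `enforce` is that the gateway must treat anything other than Permit as a refusal: an unknown subject (no PIP record) produces Indeterminate, not NotApplicable, and an action the policy does not cover produces NotApplicable, and both are blocked. A PEP that checks `decision != "Deny"` instead would let those through.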
