CIS13: Externalized Authorization from the Developer’s Perspective

David Brossard, Product Manager, Axiomatics
Application development trends often collide with security best practices, leaving enterprises with a patchwork mix of authorization schemes that are difficult and expensive to operate, modify and certify for compliance. This session will explore the latest trends in authorization and describe standards-based mechanisms to protect APIs, web services, data resources and more. Included in the discussion will be the interaction between XACML, OAuth, REST and JSON.

  1. XACML for Developers: Updates, New Tools, & Patterns for the Eager #IAM Developer. #CISNapa - @davidjbrossard - @axiomatics
  2. What is XACML? eXtensible Access Control Markup Language. Not guacamole. De facto standard. Defined at OASIS.
  3. XACML in the IAM spectrum: one of the several standards in the #IAM family: SAML, SPML, LDAP, RBAC, ABAC…, SCIM, OpenID, OAuth, WS-*
  4. Why XACML? In a web 3.0 world where it’s about small apps and your data… Quick, call the plumber: 1-800-GO-XACML, it’s time to get leaks under control.
  5. What’s Attribute-based Access Control?
  6. In the olden days, authorization was about: Who?
  7. Authorization should really be about… Who? What? When? Where? How? Why?
  8. Example Scenario: Managing Purchase Orders. A car retail company has a web application that users can access to create, view, and approve purchase orders, in accordance with policy rules.
  9. Attributes
     • Subject attributes: Identity, Department, Location, Approval limit, Role
     • Resource attributes: Resource type, PO Id, PO amount, PO location, PO creator, PO status
     • Action attributes: Action type
     • Environment attributes: Device type, IP address, Time of day
     (Icon credits: Profile designed by Sven Gabriel, Invisible by Andrew Cameron, Wrench by John O’Shea, Clock by Brandon Hopkins, all from The Noun Project)
  10. A simple rule: Anyone in the purchasing department can create purchase orders.
  11. A richer rule: A manager in the purchasing department can approve purchase orders
     • up to their approval limit
     • if and only if the PO location and the manager location are the same
     • if and only if the manager is not the PO creator
  12. XACML 101 – The Basics
  13. What does XACML contain? Reference Architecture, Policy Language, Request / Response Protocol.
  14. XACML Architecture & Flow
     • Decide: Policy Decision Point
     • Manage: Policy Administration Point
     • Support: Policy Information Point, Policy Retrieval Point
     • Enforce: Policy Enforcement Point
     Flow (as labelled on the diagram): Access Document #123 → Can Alice access Document #123? → Load XACML policies; Retrieve user role, clearance and document classification → Yes, Permit → Access Document #123
  15. What does XACML contain? Reference Architecture, Policy Language, Request / Response Protocol.
  16. Language Elements of XACML
     • 3 structural elements: PolicySet, Policy, Rule
     • Root: either of PolicySet or Policy
     • PolicySets contain any number of PolicySets & Policies
     • Policies contain Rules
     • Rules contain an Effect: Permit / Deny
     • Combining Algorithms
  17. Sample XACML Policy (tree diagram)
     • Root PolicySet
       • PolicySet
         • Policy
           • Rule, Effect = Permit
           • Rule, Effect = Deny
       • PolicySet
         • Policy
           • Rule, Effect = Permit
  18. Language Structure: Russian dolls
     • PolicySet, Policy & Rule can contain Targets, Obligations, Advice
     • Rules can contain Conditions
     (Diagram: Policy Set containing a Policy containing a Rule with Effect=Permit; each of the three carries a Target and an Obligation; the Rule also carries a Condition)
  19. What does XACML contain? Reference Architecture, Policy Language, Request / Response Protocol.
  20. Structure of a XACML Request / Response
     XACML Request (Can Manager Alice approve Purchase Order 12367?):
     • Subject: User id = Alice, Role = Manager
     • Action: Action id = approve
     • Resource: Resource type = Purchase Order, PO # = 12367
     • Environment: Device Type = Laptop
     XACML Response (Yes, she can):
     • Result: Decision: Permit, Status: ok
     The core XACML specification does not define any specific transport / communication protocol:
     • Developers can choose their own.
     • The SAML profile defines a binding to send requests/responses over SAML assertions.
  21. So what’s in it for the developer?
  22. #1 A single authorization model & framework
  23. #1.a working across all layers
  24. #1.b and across different technology stacks. Share of programming languages (Feb 2013): Java, C, Objective-C, C++, C#, PHP, Python, (Visual) Basic, Perl, Ruby, JavaScript, Visual Basic .NET, Lisp, Pascal, Delphi/Object Pascal
  25. #2 A rich language to express many scenarios: ACLs, RBAC, Whitelists, Segregation-of-Duty, Relation-based, Trust Elevation, Device-based, Break the glass, Privacy protection, ABAC, Rich business flows, Data redaction
  26. #3 Developer-friendly APIs
     • The REST profile of XACML
     • OASIS XACML profile
     • Designed by Remon Sinnema of EMC2
     (Diagram: XML over HTTP; JSON over HTTP)
  27. #3 Developer-friendly APIs (cont’d). Drop the… Use curl, Perl, and Python with the REST API:
     curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp
  28. #4 Simplified request/response
     • Use the JSON profile of XACML
     • Idea: remove the verbose aspects of XACML; focus on the key points; make a request easy to read
  29. #4 Sample XACML before JSON (cont’d). Can Alice say hello?
     <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
       <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
         <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
           <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
         </xacml-ctx:Attribute>
       </xacml-ctx:Attributes>
       <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
       </xacml-ctx:Attributes>
       <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
         <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
           <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
         </xacml-ctx:Attribute>
       </xacml-ctx:Attributes>
       <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
         <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
           <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
         </xacml-ctx:Attribute>
       </xacml-ctx:Attributes>
     </xacml-ctx:Request>
  30. #4 Sample XACML using JSON (cont’d)
     {"subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
      "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
      "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}}
  31. #4 JSON & XML side-by-side comparison. [Chart: Size of a XACML request; word count (XML vs JSON, scale 0–50) and character count (XML vs JSON, scale 0–1400)]
  32. #5 Easy authoring tools
     • Natural language authoring
     • Axiomatics Language for Authorization (ALFA)
     • Research initiative from TSSG
     • And many more coming…
  33. #5 Axiomatics Language For AuthZ (cont’d). Provide the right tools for easy authoring of XACML policies: plugs into Eclipse IDE; high-level syntax; auto-complete; automatic translation to XACML 3.0
  34. Wrapping up: Benefits for the developer
  35. Benefits of using XACML #1
     • One consistent authorization model
     • Many different applications
     • Decide once, enforce everywhere
  36. Benefits of using XACML #2
     • Adios endless if, else statements
     • Hello simple if(authorized())
     [Chart: Developer Happiness Increase; x-axis: Number of if / else statements terminated; y-axis: Developer Happiness Index]
  37. Benefits of using XACML #3
     • Security potholes are a thing of the past
     • XACML is the concrete that fills in the cracks in your authorization wall
  38. Benefits of using XACML #4
     • Let developers do what they know best
     • Offload auditing, info security to security architects & auditors by externalizing authorization
     Happy developer, happy auditor.
  39. Next steps? Download XACML SDK; Download ALFA plugin; Download Eclipse; Code in your favorite language.
  40. Questions? Contact us at info@axiomatics.com. Q&A
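Slides 10, 11 and 30 give the purchase-order rules and the draft JSON request shape. The toy policy decision point below, an added example rather than the deck's or Axiomatics' code, evaluates requests in that shape against those two rules with a simplified deny-overrides combination; the attribute ids (username, department, po-amount and so on) are assumed, not taken from the deck.

```python
"""Toy XACML-style PDP for the deck's purchase-order scenario.
Added example, not Axiomatics code. Requests use the early-draft JSON shape of
slide 30 (category -> "attribute" list of {"attributeId", "value"}); the final
OASIS JSON profile uses different key names. Attribute ids are assumed here."""


def attrs(request, category):
    """Flatten one request category into a dict; a missing category is empty."""
    return {a["attributeId"]: a["value"]
            for a in request.get(category, {}).get("attribute", [])}


def rule_create(s, r, a):
    """Slide 10: anyone in the purchasing department can create purchase orders."""
    if a.get("action-id") == "create" and r.get("resource-type") == "purchase-order":
        return "Permit" if s.get("department") == "purchasing" else "NotApplicable"
    return "NotApplicable"


def rule_approve(s, r, a):
    """Slide 11: a purchasing manager may approve a PO up to their approval limit,
    only when the PO location matches theirs, and never a PO they created."""
    if a.get("action-id") != "approve" or r.get("resource-type") != "purchase-order":
        return "NotApplicable"
    if s.get("department") != "purchasing" or s.get("role") != "manager":
        return "NotApplicable"
    try:
        within_limit = float(r["po-amount"]) <= float(s["approval-limit"])
    except (KeyError, ValueError):
        return "Indeterminate"  # a required attribute is missing or malformed
    same_location = r.get("po-location") == s.get("location")
    not_creator = r.get("po-creator") != s.get("username")
    return "Permit" if within_limit and same_location and not_creator else "NotApplicable"


def evaluate(request, rules=(rule_create, rule_approve)):
    """Simplified deny-overrides: any Deny wins, then Indeterminate, then Permit.
    NotApplicable means no rule matched; a PEP must not treat it as access."""
    s, r, a = (attrs(request, c) for c in ("subject", "resource", "action"))
    results = [rule(s, r, a) for rule in rules]
    for decision in ("Deny", "Indeterminate", "Permit"):
        if decision in results:
            return {"decision": decision}
    return {"decision": "NotApplicable"}


def make_request(subject, resource, action):
    """Build a request in the slide-30 shape from plain dicts (constructed helper)."""
    def cat(d):
        return {"attribute": [{"attributeId": k, "value": v} for k, v in d.items()]}
    return {"subject": cat(subject), "resource": cat(resource), "action": cat(action)}
```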

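Slides 27 and 36 show the PDP's REST endpoint and the single if(authorized()) the developer is left with. This added example, not code from the deck or from Axiomatics, is the enforcement side of that call: it builds a request in the slide-30 JSON shape, posts it to the PDP URL from slide 27 (treated here as a hypothetical endpoint), and fails closed on anything except an explicit Permit; the response key "decision" is also an assumption.

```python
"""PEP side: the if(authorized()) of slide 36 as a thin client of a XACML REST PDP
(slide 27). Added example, not Axiomatics code. Assumed: the PDP URL, the slide-30
JSON request shape, and a JSON reply carrying a top-level "decision" string."""
import json
import urllib.request

PDP_URL = "http://foo:8443/asm-pdp/pdp"  # endpoint shown on slide 27, hypothetical


def build_request(subject, resource, action, environment=None):
    """Plain dicts -> slide-30 JSON shape; the environment category is optional."""
    def cat(d):
        return {"attribute": [{"attributeId": k, "value": v} for k, v in d.items()]}
    req = {"subject": cat(subject), "resource": cat(resource), "action": cat(action)}
    if environment:
        req["environment"] = cat(environment)
    return req


def http_post_json(url, body, timeout=2.0):
    """Real transport: POST the request as JSON and decode the JSON reply."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def authorized(subject, resource, action, environment=None, post=http_post_json):
    """True only on an explicit Permit. Deny, NotApplicable, Indeterminate, a
    malformed reply and any transport failure all fail closed (False)."""
    try:
        reply = post(PDP_URL, build_request(subject, resource, action, environment))
    except (OSError, ValueError):  # URLError is an OSError; ValueError covers bad JSON
        return False
    return isinstance(reply, dict) and reply.get("decision") == "Permit"
```

The post parameter exists so the enforcement logic can be exercised without a live PDP; production callers leave it at the default.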