1. Fine-Grained Authorization for Cloud-based Services
David Brossard, Axiomatics
@davidjbrossard - @axiomatics
© 2012, Axiomatics AB 1
2. What you will learn
3 strategies to extend authorization to the Cloud
We’re in London, we definitely need this strategy
What it means for customers and for SaaS providers
3. What’s authorization?
Access control or authorization (AuthZ): who can do what?
“The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”
4. Authorization comes after Authentication
Heard enough about SSO, federation and SAML?
Authentication: Hi, I prove who I say I am
  One-off process
  Focus: the user’s identity and the proof of that identity
  Standards: OpenID, OAuth, SAML…
Authorization: Hi, can I transfer this amount?
  From code-driven to policy-driven
  Standard: XACML
5. The issue with Authorization today
The black box challenge
6. System growth leads to AuthZ challenges
Diagram: a growing number of in-house apps (App, App, App) and SaaS services (SaaS, SaaS, SaaS)
Cost
Brittleness
Static
Risk
Lack of visibility
Lack of audit
Violation of SoD (segregation of duties)
7. The Authorization Challenge
What happens to my data?
Who can access which information?
How do I comply with (what the auditor will ask for):
  Regulations? E.g. Export Control
  Contractual obligations?
Going to the cloud doesn’t make it easier
Do I need a different approach for cloud?
8. Example: Manufacturing in the cloud
Export Control
  Know the user (citizenship, location, affiliation)
  Know the end use (end location, purpose of use)
9. Fine-grained authorization to the rescue
Attribute-based access control
XACML
10. Authorization is nearly always about Who?
Identity + role (+ group)
Credits: all icons from the Noun Project | Invisible: Andrew Cameron
11. Authorization should really be about…
Who? What? How? Where? When? Why?
Credits: all icons from the Noun Project | Invisible: Andrew Cameron | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins
12. Behold XACML, the standard for ABAC
eXtensible Access Control Markup Language
OASIS standard
XACML is expressed as:
  A specification document (a PDF) and
  An XML schema
Policy-based & attribute-based language
Implement authorization based on object relations, e.g. only employees of a given plant can see technical data linked to items assigned to the plant
13. Refresher: the XACML architecture
Decide: Policy Decision Point (PDP)
Manage: Policy Administration Point (PAP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Enforce: Policy Enforcement Point (PEP)
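The PEP/PDP/PRP/PIP split above, driven by the plant policy of slide 12 and the export-control attributes of slide 8, as an added worked example. This is illustration code written for this page, not Axiomatics software and not the XACML XML syntax; it keeps only the evaluation model (attribute bags, Permit/Deny rules, deny-overrides combining, the four decision values). The user directory, the item database, the user and item identifiers and the export allow-list are constructed sample data, and the PEP's "technical data" store is a stand-in for the protected business resource.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# One dict of attributes per XACML category (subject, resource, action).
Attrs = Dict[str, Dict[str, object]]


@dataclass
class Rule:
    rule_id: str
    effect: str                          # "Permit" or "Deny"
    condition: Callable[[Attrs], bool]   # the rule applies to a request when this is True


class PolicyRetrievalPoint:
    """Persistence layer for policies: a database or file in practice, a list here."""
    def __init__(self, rules: List[Rule]) -> None:
        self._rules = rules

    def load(self) -> List[Rule]:
        return list(self._rules)


class PolicyInformationPoint:
    """Where attributes live (a user directory, an item database). Constructed sample data."""
    USERS = {
        "alice": {"plant": "gothenburg", "citizenship": "SE", "location": "SE"},
        "bob":   {"plant": "detroit",    "citizenship": "US", "location": "SE"},
        "carol": {"plant": "gothenburg", "citizenship": "ZZ", "location": "SE"},
    }
    ITEMS = {"item-42": {"plant": "gothenburg", "export_controlled": True}}

    def lookup(self, category: str, ident: str) -> Dict[str, object]:
        table = self.USERS if category == "subject" else self.ITEMS
        return dict(table.get(ident, {}))   # unknown id -> empty attribute bag


EXPORT_ALLOWED = {"SE", "US", "DE"}   # hypothetical allow-list, not any real regulation

# Slide 12's policy: only employees of a plant may read technical data of its items.
plant_rule = Rule(
    "plant-employees-read", "Permit",
    lambda a: a["action"]["id"] == "read" and a["subject"]["plant"] == a["resource"]["plant"],
)
# Slide 8's export control: deny when the user's citizenship or current location is not allowed.
export_rule = Rule(
    "export-control", "Deny",
    lambda a: bool(a["resource"]["export_controlled"])
    and not {a["subject"]["citizenship"], a["subject"]["location"]} <= EXPORT_ALLOWED,
)


class PolicyDecisionPoint:
    """Evaluates a request against the PRP's policies, fetching attributes from the PIP."""
    def __init__(self, prp: PolicyRetrievalPoint, pip: PolicyInformationPoint) -> None:
        self.prp, self.pip = prp, pip

    def evaluate(self, subject_id: str, action: str, resource_id: str) -> str:
        # The request carries identifiers only; the PDP turns to the PIP for the attributes.
        attrs: Attrs = {
            "subject": self.pip.lookup("subject", subject_id),
            "resource": self.pip.lookup("resource", resource_id),
            "action": {"id": action},
        }
        effects = []
        for rule in self.prp.load():
            try:
                if rule.condition(attrs):
                    effects.append(rule.effect)
            except KeyError:
                return "Indeterminate"      # a required attribute could not be resolved
        if "Deny" in effects:               # deny-overrides rule combining
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


class PolicyEnforcementPoint:
    """Intercepts the business call and enforces the PDP's decision, failing closed."""
    TECH_DATA = {"item-42": "drawing rev C (constructed sample)"}

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def read_technical_data(self, user_id: str, item_id: str) -> Optional[str]:
        decision = self.pdp.evaluate(user_id, "read", item_id)
        if decision != "Permit":            # Deny, NotApplicable and Indeterminate all block
            return None
        return self.TECH_DATA.get(item_id)


def build_pep() -> PolicyEnforcementPoint:
    pdp = PolicyDecisionPoint(PolicyRetrievalPoint([plant_rule, export_rule]),
                              PolicyInformationPoint())
    return PolicyEnforcementPoint(pdp)


if __name__ == "__main__":
    pep = build_pep()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, pep.pdp.evaluate(user, "read", "item-42"), pep.read_technical_data(user, "item-42"))
```

Running it shows the four decision values the speaker notes list: alice (same plant, allowed country) gets Permit; bob (other plant) gets NotApplicable; carol (same plant, disallowed citizenship) gets Deny; an unknown user gets Indeterminate because the PIP cannot supply the attributes the rules need. The PEP releases data only on Permit, so the three non-Permit outcomes are indistinguishable to the caller, which is the fail-closed behaviour a PEP should have.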
14. XACML Transparent & Externalized AuthZ
Centrally managed policy:
  ”PERMIT user with clearance X to read document classified as ….”
  “DENY access to classified document if…”
Diagram: User → Application → Information asset; the user’s “I want…” request reaches the information asset only after the application has asked the central policy “PERMIT or DENY?”
15. XACML Anywhere AuthZ & Architecture
Diagram: App A in the datacenter, with services A, D, E, M and O spread across the datacenter, a private cloud and SaaS.
16. Fine-grained Authorization for the Cloud
Three strategies for externalized authorization in the cloud
17. Option #1 – tell your provider to adopt XACML
A SaaS provider should offer:
  Functional APIs (their core business)
  Non-functional (security) APIs
Let customers push their own XACML policies
Apply the administrative delegation profile: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-administration-v1-spec-en.html
18. Option #1 – Architecture
Diagram: Central IT of Company A on one side; on the SaaS provider side App#1, App#2 and App#3 behind a functional API and an XACML management API.
1. SaaS admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users.
2. Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes.
3. Customer A users use the SaaS application.
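The scoping that step 1 describes (a customer admin may only manage what was delegated to that customer) is the property the SaaS-side management API has to enforce on every policy a tenant pushes. The following is an added example for this page, not Axiomatics code and not an implementation of the OASIS administrative delegation profile linked on slide 17: it reduces the profile's idea to two checks, that the caller is a delegated admin of the tenant and that every resource the policy targets lies inside the tenant's delegated scope. The management API class, the policy and delegation records, the tenant names, admin names and resource naming scheme ("customer-a/app1/...") are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Delegation:
    """What the SaaS admin handed to one customer: who may administer, and over which resources."""
    admins: Set[str]
    resource_prefixes: Set[str]   # e.g. "customer-a/" covers every resource provided to customer A


@dataclass
class TenantPolicy:
    """Minimal stand-in for a customer-authored policy: only its target matters for the check."""
    policy_id: str
    target_resources: List[str]
    effect: str                   # "Permit" or "Deny"


class XacmlManagementApi:
    """Hypothetical SaaS-side 'XACML Mgmt API' from slide 18 (not any real product's API)."""

    def __init__(self, delegations: Dict[str, Delegation]) -> None:
        self.delegations = delegations
        self.store: Dict[str, List[TenantPolicy]] = {t: [] for t in delegations}

    def submit(self, tenant: str, admin: str, policy: TenantPolicy) -> str:
        deleg = self.delegations.get(tenant)
        # Check 1: the caller must be an admin the SaaS admin delegated for this tenant.
        if deleg is None or admin not in deleg.admins:
            return "rejected: admin not delegated for tenant"
        # Check 2: every target must fall inside the delegated scope. One stray target
        # rejects the whole policy rather than silently trimming it.
        out_of_scope = [r for r in policy.target_resources
                        if not any(r.startswith(p) for p in deleg.resource_prefixes)]
        if out_of_scope:
            return "rejected: targets outside delegated scope: " + ", ".join(out_of_scope)
        self.store[tenant].append(policy)
        return "accepted"


def demo_api() -> XacmlManagementApi:
    """Constructed sample: two tenants, each delegated only its own resource prefix."""
    return XacmlManagementApi({
        "customer-a": Delegation({"ann"}, {"customer-a/"}),
        "customer-b": Delegation({"ben"}, {"customer-b/"}),
    })


if __name__ == "__main__":
    api = demo_api()
    print(api.submit("customer-a", "ann", TenantPolicy("crm-read", ["customer-a/app1/crm"], "Permit")))
    print(api.submit("customer-a", "ann", TenantPolicy("snoop", ["customer-b/app1/crm"], "Permit")))
```

The prefix ends in a slash so that "customer-a/" does not also match a tenant whose name merely starts with "customer-a". In a real deployment the same two checks apply regardless of how policies are serialised; what matters is that the scope is enforced by the provider when the policy is stored, not trusted from the policy's own contents.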
19. Option #1 – Pros & Cons
Pros:
  Consistent access control
  Fine-grained
  Risk-aware
  Future-proof
  SaaS vendor benefit: multi-tenancy
Cons:
  Not many SaaS vendors support XACML today
20. Option #2 – Proxy your cloud connections
If you can restrict access to SaaS applications from within the corporate network…
All access to SaaS apps could be made to tunnel through a proxy
21. Option #2 – Architecture
Diagram: SaaS App #1, SaaS App #2 and SaaS App #3, reached through a VPN.
22. Option #2 – Pros & Cons
Pros:
  Works around current SaaS limitations
  Easy to deploy
  Available today
Cons:
  No direct access to the SaaS app
  Forces users to go via VPN
  Access may not be as fine-grained as Option #1
  Lack of visibility into the SaaS data
23. Option #3 – Policy Provisioning based on XACML
What if the provider is reluctant to adopt XACML?
“If the application won’t go to XACML then XACML will go to the application” (Eve Maler, Forrester)
You still get:
  Centrally managed authorization
  Standards-based (XACML)
Approach:
  Convert from XACML to the expected SaaS format
  Push via SaaS management APIs
24. Option #3 – Architecture
Diagram: Central IT of Company A converts XACML policies to the native format expected by the SaaS provider and pushes the resulting authorization constraints / permissions through the native API of App#1, App#2 and App#3 (alongside their functional API). Customer A users use the SaaS application.
25. Option #3 – Pros & Cons
Pros:
  Feasible today
  Viable solution
  Extends the reach of the customer’s XACML-based authorization system
Cons:
  Possible loss of XACML richness in access control
  Loss of dynamic nature
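Both cons above follow directly from what provisioning does, and the added example below makes them concrete. It is illustration code for this page, not Axiomatics' provisioning product and not any SaaS provider's API: it takes the same kind of attribute rules as slide 12 (plant membership) and slide 8 (export control), enumerates the current directory, and emits a static grant list in a hypothetical native format pushed through a stand-in management API. A rule that depends on a request-time attribute (the user's current location) cannot be precomputed and is reported as dropped (loss of richness); a grant computed from yesterday's directory stays in force until the next provisioning run (loss of dynamic nature). Users, items, the export allow-list and the "viewer" role are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# Constructed sample attribute sources (central IT's PIPs); not real data.
USERS = {
    "alice": {"plant": "gothenburg", "citizenship": "SE"},
    "bob":   {"plant": "detroit",    "citizenship": "US"},
    "carol": {"plant": "gothenburg", "citizenship": "ZZ"},
}
ITEMS = {
    "item-42": {"plant": "gothenburg", "export_controlled": True},
    "item-7":  {"plant": "detroit",    "export_controlled": False},
}
EXPORT_ALLOWED = {"SE", "US", "DE"}   # hypothetical allow-list, not any real regulation


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                                   # "Permit" or "Deny"
    condition: Callable[[dict, dict], bool]       # (subject attrs, resource attrs) -> applies?
    runtime_attrs: FrozenSet[str] = frozenset()   # attributes that exist only at request time


RULES = [
    Rule("plant-employees-read", "Permit", lambda s, r: s["plant"] == r["plant"]),
    Rule("export-citizenship", "Deny",
         lambda s, r: r["export_controlled"] and s["citizenship"] not in EXPORT_ALLOWED),
    # Where the user is right now is only known when the request happens; a static grant
    # list cannot carry it, so the provisioner must drop this rule and report that it did.
    Rule("export-location", "Deny",
         lambda s, r: r["export_controlled"] and s["location"] not in EXPORT_ALLOWED,
         runtime_attrs=frozenset({"location"})),
]

Grant = Tuple[str, str]   # (user, object) holding the hypothetical native "viewer" role


def provision(rules: List[Rule], users: dict, items: dict) -> Tuple[List[dict], List[str]]:
    """Materialise attribute rules into native grants by enumerating the directory now.
    Returns (grants in the native format, ids of rules that could not be converted)."""
    static = [r for r in rules if not r.runtime_attrs]
    dropped = [r.rule_id for r in rules if r.runtime_attrs]
    grants = []
    for user, s in users.items():
        for obj, r in items.items():
            permits = [x for x in static if x.effect == "Permit" and x.condition(s, r)]
            denies = [x for x in static if x.effect == "Deny" and x.condition(s, r)]
            if permits and not denies:      # deny-overrides, decided once, at provisioning time
                grants.append({"user": user, "object": obj, "role": "viewer"})
    return grants, dropped


class NativeManagementApi:
    """Stand-in for the SaaS provider's native management API (hypothetical)."""
    def __init__(self) -> None:
        self.state: Set[Grant] = set()

    def push(self, grants: List[dict]) -> None:
        self.state = {(g["user"], g["object"]) for g in grants}

    def can_read(self, user: str, obj: str) -> bool:
        return (user, obj) in self.state     # what the SaaS app enforces between runs


def reconcile(api: NativeManagementApi, rules, users, items) -> Tuple[Set[Grant], Set[Grant]]:
    """Re-provision and report (added, revoked); until this runs the SaaS enforces the old snapshot."""
    before = set(api.state)
    grants, _ = provision(rules, users, items)
    api.push(grants)
    return api.state - before, before - api.state


if __name__ == "__main__":
    grants, dropped = provision(RULES, USERS, ITEMS)
    print("grants:", grants, "dropped rules:", dropped)
    api = NativeManagementApi()
    api.push(grants)
    moved = {**USERS, "alice": {**USERS["alice"], "plant": "detroit"}}   # alice changes plant
    print("stale read still allowed:", api.can_read("alice", "item-42"))
    print("reconcile (added, revoked):", reconcile(api, RULES, moved, ITEMS))
```

The gap between "alice changed plant" and "reconcile ran" is the window in which the provisioned SaaS still answers from the old grant list; with Option #1 the PDP would have evaluated her new plant attribute on the next request. Scheduling reconciliation frequently, and logging the dropped rule ids so nobody assumes the location check is still in force, are the two controls this approach needs.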
26. To summarize
Cloud requires eXtensible Authorization: fine-grained, externalized
Traditional approaches:
  #1: tell your SaaS provider to adopt XACML.
  #2: proxy your cloud connections.
Extended approach:
  #3: Policy Provisioning based on XACML
  Also works for business apps (SharePoint, Windows)
27. Questions?
Contact us at info@axiomatics.com
Speaker notes for slides 10–11: Once upon a time, access control was about who you were. What mattered was your identity or perhaps your role or group. But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why…
Credits: Invisible: Andrew Cameron, from The Noun Project; Box: Martin Karachorov; Wrench: John O'Shea; Clock: Brandon Hopkins
Speaker notes for slide 13 (the XACML architecture):
Policy Enforcement Point: In the XACML architecture, the PEP is the component in charge of intercepting business messages and protecting targeted resources by requesting an access control decision from a policy decision point and enforcing that decision. PEPs can take many different form factors depending on the type of resource being protected.
Policy Decision Point: The PDP sits at the very core of the XACML architecture. It implements the XACML standard and its evaluation logic. Its purpose is to evaluate access control requests coming in from the PEP against the XACML policies read from the PRP. The PDP then returns a decision: Permit, Deny, Not Applicable, or Indeterminate.
Policy Retrieval Point: The PRP is one of the components that support the PDP in its evaluation process. Its only purpose is to act as a persistence layer for XACML policies. It can therefore take many forms, such as a database, a file, or a web service call to a remote repository.
Policy Information Point: XACML is a policy-based language which uses attributes to express rules and conditions. Attributes are bits of information about a subject, resource, action, or context describing an access control situation. Examples of attributes are a user id, a role, a resource URI, a document classification, the time of day, etc. In its evaluation process, the PDP may need to retrieve additional attributes. It turns to PIPs, where attributes are stored. Examples of PIPs include corporate user directories (LDAP…), databases and UDDI registries. The PDP may for instance ask the PIP to look up the role of a given user.
Policy Administration Point: The PAP’s purpose is to provide a management interface administrators can use to author policies and control their lifecycle.