Successfully reported this slideshow.

OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

0

Share

May. 10, 2014
0 likes 1,496 views
Upcoming SlideShare
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
Loading in …3
×
1 of 28
1 of 28

OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

May. 10, 2014
0 likes 1,496 views

0

Share

Download to read offline

Technology Business

Join a host of industry experts for this pre-conference roundtable, to hear the latest on what is being done to protect identity and ensure privacy within the cloud. This three-part interactive roundtable will open-up the dialogue on this topic, so come prepared to share information, insights and ideas.

Join a host of industry experts for this pre-conference roundtable, to hear the latest on what is being done to protect identity and ensure privacy within the cloud. This three-part interactive roundtable will open-up the dialogue on this topic, so come prepared to share information, insights and ideas.

Technology Business

Recommended

More Related Content

Viewers also liked

Sam and the Cloud
Jenny Carroll
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
gemziebeth
Identiverse 2021 enterprise identity: What foundations
Bertrand Carlier
Federated Identity Architectures Integrating With The Cloud
rsnarayanan
CIS14: User-Managed Access
CloudIDSummit
SAP Identity Management Overview
SAP Technology
Getting Cloud Architecture Right the First Time Ver 2
David Linthicum
User manual of i vms 4200-v2.3.1_20150415
IsraelGuillen12
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
Profesia Srl a socio unico
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Eve Maler
DevOps & Apps - Building and Operating Successful Mobile Apps
Apigee | Google Cloud
CIS 2015 User Managed Access - George Fletcher
CloudIDSummit
Iam suite introduction
wardell henley
Two Factor Authentication for Salesforce
ArrayShield Technologies Private Limited
The New Venn of Access Control in the API-Mobile-IOT Era
ForgeRock
Salesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Dreamforce
SSO Strategy Implementation Considerations
John Bauer
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Mike Walker
Large Scale User Provisioning with Hitachi ID Identity Manager
Hitachi ID Systems, Inc.

Similar to OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

Data Entitlement with WSO2 Enterprise Middleware Platform
WSO2
CIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
CloudIDSummit
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
Brian Culver
Securing the Unsecured: Using SSO and XACML to Protect Your Web Apps
WSO2
Extending the Power of Consent with User-Managed Access & OpenUMA
kantarainitiative
Best Practices for API Security
MuleSoft
Axiomatics webinar 13 june 2013 shared
Finn Frisch
Presentation of Authzforce project, OWcon'19, June 12-13, 2019, Paris.
OW2
A recipe for standards-based Cloud IdM
Paul Madsen
Building IAM for OpenStack
Steve Martinelli
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CloudIDSummit
The Who, What, Why and How of Active Directory Federation Services (AD FS)
Jay Simcox
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
Brian Culver
SAML Protocol Overview
Mike Schwartz
Abac and the evolution of access control
Akbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP
Up 2011-ken huang
Ken Huang
Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications
Novell
Alsup gd13 final
Mike Alsup
Compliance, Security, Migration, Systems Management – All Fixed by Microsoft?
Concept Searching, Inc
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
WSO2

More from David Brossard

Policy enabling your services - using elastic dynamic authorization to contro...
David Brossard
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
David Brossard
Why lasagna is better than spaghetti: baking authorization into your applicat...
David Brossard
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
David Brossard
XACML - Fight For Your Love
David Brossard

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Made in China: A Prisoner, an SOS Letter, and the Hidden Cost of America's Cheap Goods Amelia Pang
(4.5/5)
Free
Hot Seat: What I Learned Leading a Great American Company Jeff Immelt
(4.5/5)
Free
Believe IT: How to Go from Underestimated to Unstoppable Jamie Kern Lima
(4.5/5)
Free
Authentic: A Memoir by the Founder of Vans Louise Maclellan
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free

OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

  1. 1. Identity, Privacy, and Data Protection in the Cloud – XACML David Brossard Product Manager, Axiomatics 1
  2. 2. The issue with authorization in the cloud Quick background on XACML 3 strategies to extend authorization to the Cloud What it means for customers SaaS providers What you will learn 2
  3. 3. The issue with Authorization today The black box challenge 3
  4. 4. System growth leads to AuthZ challenges App App App Cost Brittleness Static Risk Lack of visibility Lack of audit Violation of SoD SaaS SaaS SaaS 4
  5. 5. What happens to my data? Who can access which information? How do I comply with (what the auditor will ask for) Regulations? E.g. Export Control Contractual obligations? Going to the cloud doesn’t make it easier Do I need a different approach for cloud? The Authorization Challenge 5
  6. 6. Export Control Know the user (citizenship, location, affiliation) Know the end use (end location, purpose of use) Example: Manufacturing in the cloud 6
  7. 7. XACML to the rescue Implementing fine-grained authorization in the cloud 7
  8. 8. Authorization is nearly always about Who? Identity + role (+ group) 8
  9. 9. Authorization should really be about… When?What? How?Where?Who? Why? 9
  10. 10. eXtensible Access Control Markup Language OASIS standard XACML is expressed as A specification document (a PDF) + XML schema Policy-based & attribute-based language Implement authorization based on object relations Only employees of a given plant can see technical data linked to items assigned to the plant 10 Behold XACML, the standard for ABAC
  11. 11. Oracle IBM Veterans Administration Axiomatics EMC2 Bank of America The Boeing Company And many more… 11 Who’s behind XACML?
  12. 12. Refresher: the XACML architecture Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point 12
  13. 13. 13 XACML  Transparent & Externalized AuthZ Centrally managed policy: ”PERMIT user with clearance X to read document classified as ….” “DENY access to classified document if…” User Application Information asset I want… PERMIT or DENY? PERMIT or DENY?
  14. 14. XACML  Anywhere AuthZ & Architecture Datacenter App A Service A Service D Service E Service M Service O SaaS SaaS 14 Private Cloud
  15. 15. Fine-grained Authorization for the Cloud Three strategies for externalized authorization in the cloud 15
  16. 16. A SaaS provider should offer Functional APIs (their core business) Non-functional (Security) APIs Let customers push their own XACML policies Apply the administrative delegation profile http://docs.oasis-open.org/xacml/3.0/xacml-3.0- administration-v1-spec-en.html Option #1 – tell your provider to adopt XACML 16
  17. 17. SaaS provider Option #1 – Architecture Central IT: Company A SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users. Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes Customer A users use the SaaS application 17 App#1 App#2 App#3 FunctionalAPI XACML Mgmt API 1. 2. 3.
  18. 18. SaaS provider Option #1 – Architecture (including id. Federation) Central IT: Company A 18 STSIdP STS 1. User authenticates using internal authentication mechanism and id store (e.g. LDAP) 2. User calls out to SaaS application 3. User internal identity is translated to virtual identity e.g. SAML assertion message saml message 5. User message is forwarded to SaaS app along with SAML assertion 4. Internal user identity is verified. User attributes are inserted inside newly created SAML assertion 6. SAML assertion is validated against local STS. Attributes are extracted from SAML assertion and returned Trust establishment App#1 App#2 App#3 7. XACML AuthZ request including the attributes from the SAML assertion are sent to the PDP for a decision
  19. 19. Pros Consistent access control Fine-grained Risk-aware Future-proof SaaS vendor benefit multi-tenancy Cons Not many SaaS vendors support XACML today Option #1 – Pros & Cons 19
  20. 20. If you can restrict access to SaaS applications from within the corporate network… All access to SaaS apps could be made to tunnel through a proxy Option #2 – Proxy your cloud connections 20
  21. 21. Option #2 – Architecture SaaS App #1 SaaS App #2 SaaS App #3 VPN 21
  22. 22. Pros Workaround current SaaS limitations Easy to deploy Available today Cons No direct access to SaaS app Forces users to go via VPN Access may not be as fine grained as Option #1 Lack of visibility into the SaaS data Option #2 – Pros & Cons 22
  23. 23. What if the provider is reluctant to adopt XACML? “If the application won’t go to XACML then XACML will go to the application” Eve Maler, Forrester You still get Centrally managed authorization Standards-based (XACML) Approach Convert from XACML to expected SaaS format Push via SaaS management APIs Option #3 – Policy Provisioning based on XACML 23
  24. 24. SaaS provider Option #3 – Architecture Central IT: Company A Convert XACML policies to the native format expected by the SaaS provider Customer A users use the SaaS application App#1 App#2 App#3 FunctionalAPI Native API 24 Authorization constraints / permissions in the format expected by the SaaS provider
  25. 25. Pros Feasible today Viable solution Extends the customer’s XACML-based authorization system’s reach Cons Possible loss of XACML richness in access control Loss of dynamic nature Option #3 – Pros & Cons 25
  26. 26. Standards are important for the cloud It promotes vendor interoperability It promotes layer interoperability Example XACML authorization services can easily use SAML< OAUTH, OAUTH2, OpenID… XACML can also use semantic web standards This leads to easier deployments and faster ROI 26 Standards & the Cloud
  27. 27. Cloud requires eXtensible Authorization Fine-grained Externalized Traditional approaches #1: tell your SaaS provider to adopt XACML. #2: proxy your cloud connections. Extended approach #3: Policy Provisioning based on XACML Also works for business apps (SharePoint, Windows) To summarize 27
  28. 28. OASIS technical committee: http://www.oasis-open.org/committees/xacml/ LinkedIn group http://www.linkedin.com/groups/OASIS-XACML- 3934718 28 Online resources

×