OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

David Brossard
David BrossardChief Technology Officer at Axiomatics
Identity, Privacy, and Data Protection in the Cloud – XACML David Brossard Product Manager, Axiomatics 1
The issue with authorization in the cloud Quick background on XACML 3 strategies to extend authorization to the Cloud What it means for customers SaaS providers What you will learn 2
The issue with Authorization today The black box challenge 3
System growth leads to AuthZ challenges App App App Cost Brittleness Static Risk Lack of visibility Lack of audit Violation of SoD SaaS SaaS SaaS 4
What happens to my data? Who can access which information? How do I comply with (what the auditor will ask for) Regulations? E.g. Export Control Contractual obligations? Going to the cloud doesn’t make it easier Do I need a different approach for cloud? The Authorization Challenge 5
Export Control Know the user (citizenship, location, affiliation) Know the end use (end location, purpose of use) Example: Manufacturing in the cloud 6
XACML to the rescue Implementing fine-grained authorization in the cloud 7
Authorization is nearly always about Who? Identity + role (+ group) 8
Authorization should really be about… When?What? How?Where?Who? Why? 9
eXtensible Access Control Markup Language OASIS standard XACML is expressed as A specification document (a PDF) + XML schema Policy-based & attribute-based language Implement authorization based on object relations Only employees of a given plant can see technical data linked to items assigned to the plant 10 Behold XACML, the standard for ABAC
Oracle IBM Veterans Administration Axiomatics EMC2 Bank of America The Boeing Company And many more… 11 Who’s behind XACML?
Refresher: the XACML architecture Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point 12
13 XACML  Transparent & Externalized AuthZ Centrally managed policy: ”PERMIT user with clearance X to read document classified as ….” “DENY access to classified document if…” User Application Information asset I want… PERMIT or DENY? PERMIT or DENY?
XACML  Anywhere AuthZ & Architecture Datacenter App A Service A Service D Service E Service M Service O SaaS SaaS 14 Private Cloud
Fine-grained Authorization for the Cloud Three strategies for externalized authorization in the cloud 15
A SaaS provider should offer Functional APIs (their core business) Non-functional (Security) APIs Let customers push their own XACML policies Apply the administrative delegation profile http://docs.oasis-open.org/xacml/3.0/xacml-3.0- administration-v1-spec-en.html Option #1 – tell your provider to adopt XACML 16
SaaS provider Option #1 – Architecture Central IT: Company A SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users. Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes Customer A users use the SaaS application 17 App#1 App#2 App#3 FunctionalAPI XACML Mgmt API 1. 2. 3.
SaaS provider Option #1 – Architecture (including id. Federation) Central IT: Company A 18 STSIdP STS 1. User authenticates using internal authentication mechanism and id store (e.g. LDAP) 2. User calls out to SaaS application 3. User internal identity is translated to virtual identity e.g. SAML assertion message saml message 5. User message is forwarded to SaaS app along with SAML assertion 4. Internal user identity is verified. User attributes are inserted inside newly created SAML assertion 6. SAML assertion is validated against local STS. Attributes are extracted from SAML assertion and returned Trust establishment App#1 App#2 App#3 7. XACML AuthZ request including the attributes from the SAML assertion are sent to the PDP for a decision
Pros Consistent access control Fine-grained Risk-aware Future-proof SaaS vendor benefit multi-tenancy Cons Not many SaaS vendors support XACML today Option #1 – Pros & Cons 19
If you can restrict access to SaaS applications from within the corporate network… All access to SaaS apps could be made to tunnel through a proxy Option #2 – Proxy your cloud connections 20
Option #2 – Architecture SaaS App #1 SaaS App #2 SaaS App #3 VPN 21
Pros Workaround current SaaS limitations Easy to deploy Available today Cons No direct access to SaaS app Forces users to go via VPN Access may not be as fine grained as Option #1 Lack of visibility into the SaaS data Option #2 – Pros & Cons 22
What if the provider is reluctant to adopt XACML? “If the application won’t go to XACML then XACML will go to the application” Eve Maler, Forrester You still get Centrally managed authorization Standards-based (XACML) Approach Convert from XACML to expected SaaS format Push via SaaS management APIs Option #3 – Policy Provisioning based on XACML 23
SaaS provider Option #3 – Architecture Central IT: Company A Convert XACML policies to the native format expected by the SaaS provider Customer A users use the SaaS application App#1 App#2 App#3 FunctionalAPI Native API 24 Authorization constraints / permissions in the format expected by the SaaS provider
Pros Feasible today Viable solution Extends the customer’s XACML-based authorization system’s reach Cons Possible loss of XACML richness in access control Loss of dynamic nature Option #3 – Pros & Cons 25
Standards are important for the cloud It promotes vendor interoperability It promotes layer interoperability Example XACML authorization services can easily use SAML< OAUTH, OAUTH2, OpenID… XACML can also use semantic web standards This leads to easier deployments and faster ROI 26 Standards & the Cloud
Cloud requires eXtensible Authorization Fine-grained Externalized Traditional approaches #1: tell your SaaS provider to adopt XACML. #2: proxy your cloud connections. Extended approach #3: Policy Provisioning based on XACML Also works for business apps (SharePoint, Windows) To summarize 27
OASIS technical committee: http://www.oasis-open.org/committees/xacml/ LinkedIn group http://www.linkedin.com/groups/OASIS-XACML- 3934718 28 Online resources
1 of 28

OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

Download to read offline
TechnologyBusiness

Join a host of industry experts for this pre-conference roundtable, to hear the latest on what is being done to protect identity and ensure privacy within the cloud. This three-part interactive roundtable will open-up the dialogue on this topic, so come prepared to share information, insights and ideas.

David Brossard
David BrossardChief Technology Officer at Axiomatics

Recommended

EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design by
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignEIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignDavid Brossard
2.2K views36 slides
Fine grained access control for cloud-based services using ABAC and XACML by
Fine grained access control for cloud-based services using ABAC and XACMLFine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACMLDavid Brossard
2.8K views27 slides
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)? by
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?David Brossard
2.6K views58 slides
Authorization - it's not just about who you are by
Authorization - it's not just about who you areAuthorization - it's not just about who you are
Authorization - it's not just about who you areDavid Brossard
7.2K views41 slides
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve... by
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...David Brossard
9.4K views40 slides
To the cloud and beyond: delivering policy-driven authorization for cloud app... by
To the cloud and beyond: delivering policy-driven authorization for cloud app...To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...David Brossard
265 views15 slides

More Related Content

What's hot

Cloud design patterns - Federated Identity & Gatekeeper by
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperRoger Chien
2K views10 slides
Identity as a Service by
Identity as a ServiceIdentity as a Service
Identity as a ServicePrabath Siriwardena
5.2K views78 slides
Sam and the Cloud by
Sam and the CloudSam and the Cloud
Sam and the CloudJenny Carroll
159 views26 slides
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect by
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program ArchitectSalesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architectgemziebeth
272 views23 slides
Identiverse 2021 enterprise identity: What foundations by
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundationsBertrand Carlier
94 views26 slides
Federated Identity Architectures Integrating With The Cloud by
Federated Identity Architectures Integrating With The CloudFederated Identity Architectures Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloudrsnarayanan
1.3K views25 slides

What's hot(20)

Cloud design patterns - Federated Identity & Gatekeeper by Roger Chien
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & Gatekeeper
Roger Chien2K views
Identity as a Service by Prabath Siriwardena
Identity as a ServiceIdentity as a Service
Identity as a Service
Prabath Siriwardena5.2K views
Sam and the Cloud by Jenny Carroll
Sam and the CloudSam and the Cloud
Sam and the Cloud
Jenny Carroll159 views
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect by gemziebeth
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program ArchitectSalesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
gemziebeth272 views
Identiverse 2021 enterprise identity: What foundations by Bertrand Carlier
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundations
Bertrand Carlier94 views
Federated Identity Architectures Integrating With The Cloud by rsnarayanan
Federated Identity Architectures Integrating With The CloudFederated Identity Architectures Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloud
rsnarayanan1.3K views
CIS14: User-Managed Access by CloudIDSummit
CIS14: User-Managed AccessCIS14: User-Managed Access
CIS14: User-Managed Access
CloudIDSummit1.2K views
SAP Identity Management Overview by SAP Technology
SAP Identity Management OverviewSAP Identity Management Overview
SAP Identity Management Overview
SAP Technology27.9K views
Getting Cloud Architecture Right the First Time Ver 2 by David Linthicum
Getting Cloud Architecture Right the First Time Ver 2Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2
David Linthicum1.7K views
User manual of i vms 4200-v2.3.1_20150415 by IsraelGuillen12
User manual of i vms 4200-v2.3.1_20150415User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415
IsraelGuillen1256 views
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id... by Profesia Srl, Lynx Group
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
Profesia Srl, Lynx Group95 views
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa... by Eve Maler
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Eve Maler2.1K views
DevOps & Apps - Building and Operating Successful Mobile Apps by Apigee | Google Cloud
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile Apps
Apigee | Google Cloud3.4K views
CIS 2015 User Managed Access - George Fletcher by CloudIDSummit
CIS 2015 User Managed Access - George FletcherCIS 2015 User Managed Access - George Fletcher
CIS 2015 User Managed Access - George Fletcher
CloudIDSummit764 views
Iam suite introduction by wardell henley
Iam suite introductionIam suite introduction
Iam suite introduction
wardell henley2.4K views
Two Factor Authentication for Salesforce by ArrayShield Technologies Private Limited
Two Factor Authentication for SalesforceTwo Factor Authentication for Salesforce
Two Factor Authentication for Salesforce
ArrayShield Technologies Private Limited927 views
The New Venn of Access Control in the API-Mobile-IOT Era by ForgeRock
The New Venn of Access Control in the API-Mobile-IOT EraThe New Venn of Access Control in the API-Mobile-IOT Era
The New Venn of Access Control in the API-Mobile-IOT Era
ForgeRock1.9K views
Salesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud by Dreamforce
Salesforce Shield: How to Deliver a New Level of Trust and Security in the CloudSalesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Salesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Dreamforce1.3K views
SSO Strategy Implementation Considerations by John Bauer
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
John Bauer4.6K views
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ... by Mike Walker
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Mike Walker1.5K views

Similar to OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

Ensuring PCI DSS Compliance in the Cloud by
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudCognizant
2.2K views11 slides
Cloud computing by
Cloud computingCloud computing
Cloud computingbhaskararaomacherla
65 views25 slides
cloudintro-lec01.ppt by
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.pptDevendraPathak22
5 views38 slides
cloudintro-lec01.ppt by
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.pptMunmunSaha7
9 views38 slides
cloudintro-lec01.ppt by
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.pptAmitPaul775033
5 views38 slides
cloudintro-lec01.ppt by
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.pptahmedraed19
6 views38 slides

Similar to OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?(20)

Ensuring PCI DSS Compliance in the Cloud by Cognizant
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the Cloud
Cognizant2.2K views
Cloud computing by bhaskararaomacherla
Cloud computingCloud computing
Cloud computing
bhaskararaomacherla65 views
cloudintro-lec01.ppt by DevendraPathak22
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.ppt
DevendraPathak225 views
cloudintro-lec01.ppt by MunmunSaha7
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.ppt
MunmunSaha79 views
cloudintro-lec01.ppt by AmitPaul775033
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.ppt
AmitPaul7750335 views
cloudintro-lec01.ppt by ahmedraed19
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.ppt
ahmedraed196 views
cloudintro-lec01.ppt by Patrick Theuri
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.ppt
Patrick Theuri6 views
AWS Webcast - Top 3 Ways to Improve Web App Security by Amazon Web Services
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App Security
Amazon Web Services7.4K views
Cloud Computing by Mathews Job
Cloud ComputingCloud Computing
Cloud Computing
Mathews Job221 views
Cloud Computing Networks by jayapal385
Cloud Computing NetworksCloud Computing Networks
Cloud Computing Networks
jayapal3852 views
Cloudcomputing by Muhammad Mubashar
CloudcomputingCloudcomputing
Cloudcomputing
Muhammad Mubashar30 views
Microsoft Windows Azure Platform Appfabric for Technical Decision Makers by Microsoft Private Cloud
Microsoft Windows Azure Platform Appfabric for Technical Decision MakersMicrosoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Private Cloud371 views
An introduction to the cloud 11 v1 by charan7575
An introduction to the cloud 11 v1An introduction to the cloud 11 v1
An introduction to the cloud 11 v1
charan7575672 views
A Breif On Cloud computing by Raja Raman
A Breif On Cloud computingA Breif On Cloud computing
A Breif On Cloud computing
Raja Raman354 views
Cloud services and it security by East Midlands Cyber Security Forum
Cloud services and it securityCloud services and it security
Cloud services and it security
East Midlands Cyber Security Forum1.2K views
2.evaluating cloud platforms by DrRajapraveenkN
2.evaluating cloud platforms2.evaluating cloud platforms
2.evaluating cloud platforms
DrRajapraveenkN56 views
Making Sense Of Cloud Computing - by Mark Rivington by CA Nimsoft
Making Sense Of Cloud Computing - by Mark RivingtonMaking Sense Of Cloud Computing - by Mark Rivington
Making Sense Of Cloud Computing - by Mark Rivington
CA Nimsoft570 views
Cloud Use Cases And Standards by GovCloud Network
Cloud Use Cases And StandardsCloud Use Cases And Standards
Cloud Use Cases And Standards
GovCloud Network671 views
Cloud Computing By Faisal Shehzad by Faisal Shehzad
Cloud Computing By Faisal ShehzadCloud Computing By Faisal Shehzad
Cloud Computing By Faisal Shehzad
Faisal Shehzad141 views
Protecting Your Big Data on the Cloud by Alibaba Cloud
Protecting Your Big Data on the CloudProtecting Your Big Data on the Cloud
Protecting Your Big Data on the Cloud
Alibaba Cloud207 views

More from David Brossard

OpenID Foundation AuthZEN WG Update by
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateDavid Brossard
71 views9 slides
Policy enabling your services - using elastic dynamic authorization to contro... by
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...David Brossard
430 views21 slides
Updates from the OASIS XACML Technical Committee - Making Authorization Devel... by
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...David Brossard
356 views27 slides
Why lasagna is better than spaghetti: baking authorization into your applicat... by
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...David Brossard
4.2K views31 slides
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ... by
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...David Brossard
3.1K views20 slides
XACML - Fight For Your Love by
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your LoveDavid Brossard
1.7K views21 slides

More from David Brossard(6)

OpenID Foundation AuthZEN WG Update by David Brossard
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG Update
David Brossard71 views
Policy enabling your services - using elastic dynamic authorization to contro... by David Brossard
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...
David Brossard430 views
Updates from the OASIS XACML Technical Committee - Making Authorization Devel... by David Brossard
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
David Brossard356 views
Why lasagna is better than spaghetti: baking authorization into your applicat... by David Brossard
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...
David Brossard4.2K views
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ... by David Brossard
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
David Brossard3.1K views
XACML - Fight For Your Love by David Brossard
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your Love
David Brossard1.7K views

Recently uploaded

ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...Jasper Oosterveld
28 views49 slides
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue by
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueShapeBlue
46 views13 slides
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... by
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...ShapeBlue
77 views12 slides
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...James Anderson
133 views32 slides
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc
77 views29 slides
State of the Union - Rohit Yadav - Apache CloudStack by
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStackShapeBlue
145 views53 slides

Recently uploaded(20)

ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
Jasper Oosterveld28 views
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue by ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
ShapeBlue46 views
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... by ShapeBlue
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
ShapeBlue77 views
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson133 views
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc77 views
State of the Union - Rohit Yadav - Apache CloudStack by ShapeBlue
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStack
ShapeBlue145 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue91 views
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha... by ShapeBlue
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
ShapeBlue74 views
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
IttrainingIttraining80 views
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue54 views
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue85 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Network Automation Forum46 views
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue by ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue50 views
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue by ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlueMigrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
ShapeBlue96 views
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ... by ShapeBlue
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
ShapeBlue83 views
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T by ShapeBlue
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TCloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
ShapeBlue56 views
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... by ShapeBlue
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
ShapeBlue88 views
Scaling Knowledge Graph Architectures with AI by Enterprise Knowledge
Scaling Knowledge Graph Architectures with AIScaling Knowledge Graph Architectures with AI
Scaling Knowledge Graph Architectures with AI
Enterprise Knowledge53 views
Data Integrity for Banking and Financial Services by Precisely
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial Services
Precisely56 views
DRBD Deep Dive - Philipp Reisner - LINBIT by ShapeBlue
DRBD Deep Dive - Philipp Reisner - LINBITDRBD Deep Dive - Philipp Reisner - LINBIT
DRBD Deep Dive - Philipp Reisner - LINBIT
ShapeBlue62 views

OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

  • 1. Identity, Privacy, and Data Protection in the Cloud – XACML David Brossard Product Manager, Axiomatics 1
  • 2. The issue with authorization in the cloud Quick background on XACML 3 strategies to extend authorization to the Cloud What it means for customers SaaS providers What you will learn 2
  • 3. The issue with Authorization today The black box challenge 3
  • 4. System growth leads to AuthZ challenges App App App Cost Brittleness Static Risk Lack of visibility Lack of audit Violation of SoD SaaS SaaS SaaS 4
  • 5. What happens to my data? Who can access which information? How do I comply with (what the auditor will ask for) Regulations? E.g. Export Control Contractual obligations? Going to the cloud doesn’t make it easier Do I need a different approach for cloud? The Authorization Challenge 5
  • 6. Export Control Know the user (citizenship, location, affiliation) Know the end use (end location, purpose of use) Example: Manufacturing in the cloud 6
  • 7. XACML to the rescue Implementing fine-grained authorization in the cloud 7
  • 8. Authorization is nearly always about Who? Identity + role (+ group) 8
  • 9. Authorization should really be about… When?What? How?Where?Who? Why? 9
  • 10. eXtensible Access Control Markup Language OASIS standard XACML is expressed as A specification document (a PDF) + XML schema Policy-based & attribute-based language Implement authorization based on object relations Only employees of a given plant can see technical data linked to items assigned to the plant 10 Behold XACML, the standard for ABAC
  • 11. Oracle IBM Veterans Administration Axiomatics EMC2 Bank of America The Boeing Company And many more… 11 Who’s behind XACML?
  • 12. Refresher: the XACML architecture Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point 12
  • 13. 13 XACML  Transparent & Externalized AuthZ Centrally managed policy: ”PERMIT user with clearance X to read document classified as ….” “DENY access to classified document if…” User Application Information asset I want… PERMIT or DENY? PERMIT or DENY?
  • 14. XACML  Anywhere AuthZ & Architecture Datacenter App A Service A Service D Service E Service M Service O SaaS SaaS 14 Private Cloud
  • 15. Fine-grained Authorization for the Cloud Three strategies for externalized authorization in the cloud 15
  • 16. A SaaS provider should offer Functional APIs (their core business) Non-functional (Security) APIs Let customers push their own XACML policies Apply the administrative delegation profile http://docs.oasis-open.org/xacml/3.0/xacml-3.0- administration-v1-spec-en.html Option #1 – tell your provider to adopt XACML 16
  • 17. SaaS provider Option #1 – Architecture Central IT: Company A SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users. Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes Customer A users use the SaaS application 17 App#1 App#2 App#3 FunctionalAPI XACML Mgmt API 1. 2. 3.
  • 18. SaaS provider Option #1 – Architecture (including id. Federation) Central IT: Company A 18 STSIdP STS 1. User authenticates using internal authentication mechanism and id store (e.g. LDAP) 2. User calls out to SaaS application 3. User internal identity is translated to virtual identity e.g. SAML assertion message saml message 5. User message is forwarded to SaaS app along with SAML assertion 4. Internal user identity is verified. User attributes are inserted inside newly created SAML assertion 6. SAML assertion is validated against local STS. Attributes are extracted from SAML assertion and returned Trust establishment App#1 App#2 App#3 7. XACML AuthZ request including the attributes from the SAML assertion are sent to the PDP for a decision
  • 19. Pros Consistent access control Fine-grained Risk-aware Future-proof SaaS vendor benefit multi-tenancy Cons Not many SaaS vendors support XACML today Option #1 – Pros & Cons 19
  • 20. If you can restrict access to SaaS applications from within the corporate network… All access to SaaS apps could be made to tunnel through a proxy Option #2 – Proxy your cloud connections 20
  • 21. Option #2 – Architecture SaaS App #1 SaaS App #2 SaaS App #3 VPN 21
  • 22. Pros Workaround current SaaS limitations Easy to deploy Available today Cons No direct access to SaaS app Forces users to go via VPN Access may not be as fine grained as Option #1 Lack of visibility into the SaaS data Option #2 – Pros & Cons 22
  • 23. What if the provider is reluctant to adopt XACML? “If the application won’t go to XACML then XACML will go to the application” Eve Maler, Forrester You still get Centrally managed authorization Standards-based (XACML) Approach Convert from XACML to expected SaaS format Push via SaaS management APIs Option #3 – Policy Provisioning based on XACML 23
  • 24. SaaS provider Option #3 – Architecture Central IT: Company A Convert XACML policies to the native format expected by the SaaS provider Customer A users use the SaaS application App#1 App#2 App#3 FunctionalAPI Native API 24 Authorization constraints / permissions in the format expected by the SaaS provider
  • 25. Pros Feasible today Viable solution Extends the customer’s XACML-based authorization system’s reach Cons Possible loss of XACML richness in access control Loss of dynamic nature Option #3 – Pros & Cons 25
  • 26. Standards are important for the cloud It promotes vendor interoperability It promotes layer interoperability Example XACML authorization services can easily use SAML< OAUTH, OAUTH2, OpenID… XACML can also use semantic web standards This leads to easier deployments and faster ROI 26 Standards & the Cloud
  • 27. Cloud requires eXtensible Authorization Fine-grained Externalized Traditional approaches #1: tell your SaaS provider to adopt XACML. #2: proxy your cloud connections. Extended approach #3: Policy Provisioning based on XACML Also works for business apps (SharePoint, Windows) To summarize 27
  • 28. OASIS technical committee: http://www.oasis-open.org/committees/xacml/ LinkedIn group http://www.linkedin.com/groups/OASIS-XACML- 3934718 28 Online resources