Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

1,049 views

Published on

Join a host of industry experts for this pre-conference roundtable, to hear the latest on what is being done to protect identity and ensure privacy within the cloud. This three-part interactive roundtable will open-up the dialogue on this topic, so come prepared to share information, insights and ideas.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

  1. 1. Identity, Privacy, and Data Protection in the Cloud – XACML David Brossard Product Manager, Axiomatics 1
  2. 2. The issue with authorization in the cloud Quick background on XACML 3 strategies to extend authorization to the Cloud What it means for customers SaaS providers What you will learn 2
  3. 3. The issue with Authorization today The black box challenge 3
  4. 4. System growth leads to AuthZ challenges App App App Cost Brittleness Static Risk Lack of visibility Lack of audit Violation of SoD SaaS SaaS SaaS 4
  5. 5. What happens to my data? Who can access which information? How do I comply with (what the auditor will ask for) Regulations? E.g. Export Control Contractual obligations? Going to the cloud doesn’t make it easier Do I need a different approach for cloud? The Authorization Challenge 5
  6. 6. Export Control Know the user (citizenship, location, affiliation) Know the end use (end location, purpose of use) Example: Manufacturing in the cloud 6
  7. 7. XACML to the rescue Implementing fine-grained authorization in the cloud 7
  8. 8. Authorization is nearly always about Who? Identity + role (+ group) 8
  9. 9. Authorization should really be about… When?What? How?Where?Who? Why? 9
  10. 10. eXtensible Access Control Markup Language OASIS standard XACML is expressed as A specification document (a PDF) + XML schema Policy-based & attribute-based language Implement authorization based on object relations Only employees of a given plant can see technical data linked to items assigned to the plant 10 Behold XACML, the standard for ABAC
  11. 11. Oracle IBM Veterans Administration Axiomatics EMC2 Bank of America The Boeing Company And many more… 11 Who’s behind XACML?
  12. 12. Refresher: the XACML architecture Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point 12
  13. 13. 13 XACML  Transparent & Externalized AuthZ Centrally managed policy: ”PERMIT user with clearance X to read document classified as ….” “DENY access to classified document if…” User Application Information asset I want… PERMIT or DENY? PERMIT or DENY?
  14. 14. XACML  Anywhere AuthZ & Architecture Datacenter App A Service A Service D Service E Service M Service O SaaS SaaS 14 Private Cloud
  15. 15. Fine-grained Authorization for the Cloud Three strategies for externalized authorization in the cloud 15
  16. 16. A SaaS provider should offer Functional APIs (their core business) Non-functional (Security) APIs Let customers push their own XACML policies Apply the administrative delegation profile http://docs.oasis-open.org/xacml/3.0/xacml-3.0- administration-v1-spec-en.html Option #1 – tell your provider to adopt XACML 16
  17. 17. SaaS provider Option #1 – Architecture Central IT: Company A SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users. Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes Customer A users use the SaaS application 17 App#1 App#2 App#3 FunctionalAPI XACML Mgmt API 1. 2. 3.
  18. 18. SaaS provider Option #1 – Architecture (including id. Federation) Central IT: Company A 18 STSIdP STS 1. User authenticates using internal authentication mechanism and id store (e.g. LDAP) 2. User calls out to SaaS application 3. User internal identity is translated to virtual identity e.g. SAML assertion message saml message 5. User message is forwarded to SaaS app along with SAML assertion 4. Internal user identity is verified. User attributes are inserted inside newly created SAML assertion 6. SAML assertion is validated against local STS. Attributes are extracted from SAML assertion and returned Trust establishment App#1 App#2 App#3 7. XACML AuthZ request including the attributes from the SAML assertion are sent to the PDP for a decision
  19. 19. Pros Consistent access control Fine-grained Risk-aware Future-proof SaaS vendor benefit multi-tenancy Cons Not many SaaS vendors support XACML today Option #1 – Pros & Cons 19
  20. 20. If you can restrict access to SaaS applications from within the corporate network… All access to SaaS apps could be made to tunnel through a proxy Option #2 – Proxy your cloud connections 20
  21. 21. Option #2 – Architecture SaaS App #1 SaaS App #2 SaaS App #3 VPN 21
  22. 22. Pros Workaround current SaaS limitations Easy to deploy Available today Cons No direct access to SaaS app Forces users to go via VPN Access may not be as fine grained as Option #1 Lack of visibility into the SaaS data Option #2 – Pros & Cons 22
  23. 23. What if the provider is reluctant to adopt XACML? “If the application won’t go to XACML then XACML will go to the application” Eve Maler, Forrester You still get Centrally managed authorization Standards-based (XACML) Approach Convert from XACML to expected SaaS format Push via SaaS management APIs Option #3 – Policy Provisioning based on XACML 23
  24. 24. SaaS provider Option #3 – Architecture Central IT: Company A Convert XACML policies to the native format expected by the SaaS provider Customer A users use the SaaS application App#1 App#2 App#3 FunctionalAPI Native API 24 Authorization constraints / permissions in the format expected by the SaaS provider
  25. 25. Pros Feasible today Viable solution Extends the customer’s XACML-based authorization system’s reach Cons Possible loss of XACML richness in access control Loss of dynamic nature Option #3 – Pros & Cons 25
  26. 26. Standards are important for the cloud It promotes vendor interoperability It promotes layer interoperability Example XACML authorization services can easily use SAML< OAUTH, OAUTH2, OpenID… XACML can also use semantic web standards This leads to easier deployments and faster ROI 26 Standards & the Cloud
  27. 27. Cloud requires eXtensible Authorization Fine-grained Externalized Traditional approaches #1: tell your SaaS provider to adopt XACML. #2: proxy your cloud connections. Extended approach #3: Policy Provisioning based on XACML Also works for business apps (SharePoint, Windows) To summarize 27
  28. 28. OASIS technical committee: http://www.oasis-open.org/committees/xacml/ LinkedIn group http://www.linkedin.com/groups/OASIS-XACML- 3934718 28 Online resources

×