OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

David Brossard
David BrossardChief Technology Officer at Axiomatics
Identity, Privacy, and Data
Protection in the Cloud – XACML
David Brossard
Product Manager, Axiomatics
1
The issue with authorization in the cloud
Quick background on XACML
3 strategies to extend authorization to the Cloud
What it means for
customers
SaaS providers
What you will learn
2
The issue with
Authorization today
The black box challenge
3
System growth leads to AuthZ challenges
App
App
App
Cost
Brittleness
Static
Risk
Lack of visibility
Lack of audit
Violation of SoD
SaaS
SaaS
SaaS
4
What happens to my data?
Who can access which information?
How do I comply with (what the auditor will ask
for)
Regulations?
E.g. Export Control
Contractual obligations?
Going to the cloud doesn’t make it easier
Do I need a different approach for cloud?
The Authorization Challenge
5
Export Control
Know the user (citizenship, location, affiliation)
Know the end use (end location, purpose of use)
Example: Manufacturing in the cloud
6
XACML to the rescue
Implementing fine-grained
authorization in the cloud
7
Authorization is nearly always about
Who?
Identity + role (+ group)
8
Authorization should really be about…
When?What? How?Where?Who? Why?
9
eXtensible Access Control Markup Language
OASIS standard
XACML is expressed as
A specification document (a PDF) + XML schema
Policy-based & attribute-based language
Implement authorization based on object relations
Only employees of a given plant can see technical
data linked to items assigned to the plant
10
Behold XACML, the standard for ABAC
Oracle
IBM
Veterans Administration
Axiomatics
EMC2
Bank of America
The Boeing Company
And many more…
11
Who’s behind XACML?
Refresher: the XACML architecture
Decide
Policy Decision Point
Manage
Policy Administration Point
Support
Policy Information Point
Policy Retrieval Point
Enforce
Policy Enforcement Point
12
13
XACML  Transparent & Externalized AuthZ
Centrally managed policy:
”PERMIT user with clearance X to read document classified as ….”
“DENY access to classified document if…”
User Application
Information
asset
I want…
PERMIT
or
DENY?
PERMIT
or
DENY?
XACML  Anywhere AuthZ & Architecture
Datacenter
App A
Service
A
Service
D
Service
E
Service
M
Service
O
SaaS SaaS
14
Private Cloud
Fine-grained Authorization
for the Cloud
Three strategies for externalized
authorization in the cloud
15
A SaaS provider should offer
Functional APIs (their core business)
Non-functional (Security) APIs
Let customers push their own XACML policies
Apply the administrative delegation profile
http://docs.oasis-open.org/xacml/3.0/xacml-3.0-
administration-v1-spec-en.html
Option #1 – tell your provider to adopt XACML
16
SaaS provider
Option #1 – Architecture
Central IT:
Company A
SaaS Admin delegates rights to manage access control provided to
customer A. The rights are restricted to only the applications and
resources provided to this particular customer’s users.
Customer A’s admin can manage access
for their staff on its own by providing
XACML policies and attributes
Customer A users use the SaaS application
17
App#1
App#2
App#3
FunctionalAPI
XACML
Mgmt
API
1.
2.
3.
SaaS provider
Option #1 – Architecture (including id. Federation)
Central IT:
Company A
18
STSIdP
STS
1. User
authenticates
using internal
authentication
mechanism and
id store (e.g.
LDAP)
2. User calls out to SaaS
application
3. User internal identity is
translated to virtual
identity e.g. SAML
assertion
message saml message
5. User message is forwarded to SaaS
app along with SAML assertion
4. Internal user identity is verified.
User attributes are inserted inside
newly created SAML assertion
6. SAML assertion is
validated against local
STS. Attributes are
extracted from SAML
assertion and returned
Trust establishment
App#1
App#2
App#3
7. XACML AuthZ request
including the attributes
from the SAML assertion
are sent to the PDP for a
decision
Pros
Consistent access control
Fine-grained
Risk-aware
Future-proof
SaaS vendor benefit
multi-tenancy
Cons
Not many SaaS vendors
support XACML today
Option #1 – Pros & Cons
19
If you can restrict access to SaaS applications
from within the corporate network…
All access to SaaS apps could be made to tunnel
through a proxy
Option #2 – Proxy your cloud connections
20
Option #2 – Architecture
SaaS App #1
SaaS App #2
SaaS App #3
VPN
21
Pros
Workaround current SaaS
limitations
Easy to deploy
Available today
Cons
No direct access to SaaS app
Forces users to go via VPN
Access may not be as fine
grained as Option #1
Lack of visibility into the SaaS
data
Option #2 – Pros & Cons
22
What if the provider is reluctant to adopt XACML?
“If the application won’t go to XACML then XACML
will go to the application”
Eve Maler, Forrester
You still get
Centrally managed authorization
Standards-based (XACML)
Approach
Convert from XACML to expected SaaS format
Push via SaaS management APIs
Option #3 – Policy Provisioning based on XACML
23
SaaS provider
Option #3 – Architecture
Central IT:
Company A
Convert XACML policies to the native
format expected by the SaaS provider
Customer A users use the SaaS application
App#1
App#2
App#3
FunctionalAPI
Native
API
24
Authorization constraints / permissions
in the format expected by the SaaS
provider
Pros
Feasible today
Viable solution
Extends the customer’s
XACML-based authorization
system’s reach
Cons
Possible loss of XACML
richness in access control
Loss of dynamic nature
Option #3 – Pros & Cons
25
Standards are important for the cloud
It promotes vendor interoperability
It promotes layer interoperability
Example
XACML authorization services can easily use SAML<
OAUTH, OAUTH2, OpenID…
XACML can also use semantic web standards
This leads to easier deployments and faster ROI
26
Standards & the Cloud
Cloud requires eXtensible Authorization
Fine-grained
Externalized
Traditional approaches
#1: tell your SaaS provider to adopt XACML.
#2: proxy your cloud connections.
Extended approach
#3: Policy Provisioning based on XACML
Also works for business apps (SharePoint, Windows)
To summarize
27
OASIS technical committee:
http://www.oasis-open.org/committees/xacml/
LinkedIn group
http://www.linkedin.com/groups/OASIS-XACML-
3934718
28
Online resources
1 of 28

Recommended

EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design by
EIC 2014   Oasis Workshop: Using XACML to implement Privacy by DesignEIC 2014   Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignDavid Brossard
2.2K views36 slides
Fine grained access control for cloud-based services using ABAC and XACML by
Fine grained access control for cloud-based services using ABAC and XACMLFine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACMLDavid Brossard
2.8K views27 slides
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)? by
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?David Brossard
2.6K views58 slides
Authorization - it's not just about who you are by
Authorization - it's not just about who you areAuthorization - it's not just about who you are
Authorization - it's not just about who you areDavid Brossard
7.2K views41 slides
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve... by
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...David Brossard
9.4K views40 slides
To the cloud and beyond: delivering policy-driven authorization for cloud app... by
To the cloud and beyond: delivering policy-driven authorization for cloud app...To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...David Brossard
265 views15 slides

More Related Content

What's hot

Cloud design patterns - Federated Identity & Gatekeeper by
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperRoger Chien
2K views10 slides
Identity as a Service by
Identity as a ServiceIdentity as a Service
Identity as a ServicePrabath Siriwardena
5.2K views78 slides
Sam and the Cloud by
Sam and the CloudSam and the Cloud
Sam and the CloudJenny Carroll
159 views26 slides
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect by
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program ArchitectSalesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architectgemziebeth
272 views23 slides
Identiverse 2021 enterprise identity: What foundations by
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundationsBertrand Carlier
94 views26 slides
Federated Identity Architectures Integrating With The Cloud by
Federated Identity Architectures   Integrating With The CloudFederated Identity Architectures   Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloudrsnarayanan
1.3K views25 slides

What's hot(20)

Cloud design patterns - Federated Identity & Gatekeeper by Roger Chien
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & Gatekeeper
Roger Chien2K views
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect by gemziebeth
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program ArchitectSalesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
gemziebeth272 views
Identiverse 2021 enterprise identity: What foundations by Bertrand Carlier
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundations
Bertrand Carlier94 views
Federated Identity Architectures Integrating With The Cloud by rsnarayanan
Federated Identity Architectures   Integrating With The CloudFederated Identity Architectures   Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloud
rsnarayanan1.3K views
CIS14: User-Managed Access by CloudIDSummit
CIS14: User-Managed AccessCIS14: User-Managed Access
CIS14: User-Managed Access
CloudIDSummit1.2K views
SAP Identity Management Overview by SAP Technology
SAP Identity Management OverviewSAP Identity Management Overview
SAP Identity Management Overview
SAP Technology27.9K views
Getting Cloud Architecture Right the First Time Ver 2 by David Linthicum
Getting Cloud Architecture Right the First Time Ver 2Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2
David Linthicum1.7K views
User manual of i vms 4200-v2.3.1_20150415 by IsraelGuillen12
User manual of i vms 4200-v2.3.1_20150415User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415
IsraelGuillen1256 views
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id... by Profesia Srl, Lynx Group
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa... by Eve Maler
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Eve Maler2.1K views
DevOps & Apps - Building and Operating Successful Mobile Apps by Apigee | Google Cloud
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile Apps
CIS 2015 User Managed Access - George Fletcher by CloudIDSummit
CIS 2015 User Managed Access - George FletcherCIS 2015 User Managed Access - George Fletcher
CIS 2015 User Managed Access - George Fletcher
CloudIDSummit764 views
The New Venn of Access Control in the API-Mobile-IOT Era by ForgeRock
The New Venn of Access Control in the API-Mobile-IOT EraThe New Venn of Access Control in the API-Mobile-IOT Era
The New Venn of Access Control in the API-Mobile-IOT Era
ForgeRock1.9K views
Salesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud by Dreamforce
Salesforce Shield: How to Deliver a New Level of Trust and Security in the CloudSalesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Salesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Dreamforce1.3K views
SSO Strategy Implementation Considerations by John Bauer
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
John Bauer4.6K views
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ... by Mike Walker
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Mike Walker1.5K views

Similar to OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

Ensuring PCI DSS Compliance in the Cloud by
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudCognizant
2.2K views11 slides
Cloud computing by
Cloud computingCloud computing
Cloud computingbhaskararaomacherla
65 views25 slides
cloudintro-lec01.ppt by
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.pptDevendraPathak22
5 views38 slides
cloudintro-lec01.ppt by
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.pptMunmunSaha7
9 views38 slides
cloudintro-lec01.ppt by
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.pptAmitPaul775033
5 views38 slides
cloudintro-lec01.ppt by
cloudintro-lec01.pptcloudintro-lec01.ppt
cloudintro-lec01.pptahmedraed19
6 views38 slides

Similar to OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?(20)

Ensuring PCI DSS Compliance in the Cloud by Cognizant
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the Cloud
Cognizant2.2K views
AWS Webcast - Top 3 Ways to Improve Web App Security by Amazon Web Services
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App Security
Amazon Web Services7.4K views
Cloud Computing Networks by jayapal385
Cloud Computing NetworksCloud Computing Networks
Cloud Computing Networks
jayapal3852 views
Microsoft Windows Azure Platform Appfabric for Technical Decision Makers by Microsoft Private Cloud
Microsoft Windows Azure Platform Appfabric for Technical Decision MakersMicrosoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision Makers
An introduction to the cloud 11 v1 by charan7575
An introduction to the cloud 11 v1An introduction to the cloud 11 v1
An introduction to the cloud 11 v1
charan7575672 views
A Breif On Cloud computing by Raja Raman
A Breif On Cloud computingA Breif On Cloud computing
A Breif On Cloud computing
Raja Raman354 views
Making Sense Of Cloud Computing - by Mark Rivington by CA Nimsoft
Making Sense Of Cloud Computing - by Mark RivingtonMaking Sense Of Cloud Computing - by Mark Rivington
Making Sense Of Cloud Computing - by Mark Rivington
CA Nimsoft570 views
Cloud Computing By Faisal Shehzad by Faisal Shehzad
Cloud Computing By Faisal ShehzadCloud Computing By Faisal Shehzad
Cloud Computing By Faisal Shehzad
Faisal Shehzad141 views
Protecting Your Big Data on the Cloud by Alibaba Cloud
Protecting Your Big Data on the CloudProtecting Your Big Data on the Cloud
Protecting Your Big Data on the Cloud
Alibaba Cloud207 views

More from David Brossard

OpenID Foundation AuthZEN WG Update by
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateDavid Brossard
71 views9 slides
Policy enabling your services - using elastic dynamic authorization to contro... by
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...David Brossard
430 views21 slides
Updates from the OASIS XACML Technical Committee - Making Authorization Devel... by
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...David Brossard
356 views27 slides
Why lasagna is better than spaghetti: baking authorization into your applicat... by
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...David Brossard
4.2K views31 slides
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ... by
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...David Brossard
3.1K views20 slides
XACML - Fight For Your Love by
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your LoveDavid Brossard
1.7K views21 slides

More from David Brossard(6)

OpenID Foundation AuthZEN WG Update by David Brossard
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG Update
David Brossard71 views
Policy enabling your services - using elastic dynamic authorization to contro... by David Brossard
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...
David Brossard430 views
Updates from the OASIS XACML Technical Committee - Making Authorization Devel... by David Brossard
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
David Brossard356 views
Why lasagna is better than spaghetti: baking authorization into your applicat... by David Brossard
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...
David Brossard4.2K views
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ... by David Brossard
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
David Brossard3.1K views
XACML - Fight For Your Love by David Brossard
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your Love
David Brossard1.7K views

Recently uploaded

ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...Jasper Oosterveld
28 views49 slides
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue by
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueShapeBlue
46 views13 slides
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... by
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...ShapeBlue
77 views12 slides
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...James Anderson
133 views32 slides
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc
77 views29 slides
State of the Union - Rohit Yadav - Apache CloudStack by
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStackShapeBlue
145 views53 slides

Recently uploaded(20)

ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue by ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
ShapeBlue46 views
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... by ShapeBlue
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
ShapeBlue77 views
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson133 views
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc77 views
State of the Union - Rohit Yadav - Apache CloudStack by ShapeBlue
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStack
ShapeBlue145 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue91 views
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha... by ShapeBlue
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
ShapeBlue74 views
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue54 views
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue85 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue by ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue50 views
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue by ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlueMigrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
ShapeBlue96 views
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ... by ShapeBlue
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
ShapeBlue83 views
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T by ShapeBlue
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TCloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
ShapeBlue56 views
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... by ShapeBlue
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
ShapeBlue88 views
Data Integrity for Banking and Financial Services by Precisely
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial Services
Precisely56 views
DRBD Deep Dive - Philipp Reisner - LINBIT by ShapeBlue
DRBD Deep Dive - Philipp Reisner - LINBITDRBD Deep Dive - Philipp Reisner - LINBIT
DRBD Deep Dive - Philipp Reisner - LINBIT
ShapeBlue62 views

OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is Being Done? Is it Enough?

  • 1. Identity, Privacy, and Data Protection in the Cloud – XACML David Brossard Product Manager, Axiomatics 1
  • 2. The issue with authorization in the cloud Quick background on XACML 3 strategies to extend authorization to the Cloud What it means for customers SaaS providers What you will learn 2
  • 3. The issue with Authorization today The black box challenge 3
  • 4. System growth leads to AuthZ challenges App App App Cost Brittleness Static Risk Lack of visibility Lack of audit Violation of SoD SaaS SaaS SaaS 4
  • 5. What happens to my data? Who can access which information? How do I comply with (what the auditor will ask for) Regulations? E.g. Export Control Contractual obligations? Going to the cloud doesn’t make it easier Do I need a different approach for cloud? The Authorization Challenge 5
  • 6. Export Control Know the user (citizenship, location, affiliation) Know the end use (end location, purpose of use) Example: Manufacturing in the cloud 6
  • 7. XACML to the rescue Implementing fine-grained authorization in the cloud 7
  • 8. Authorization is nearly always about Who? Identity + role (+ group) 8
  • 9. Authorization should really be about… When?What? How?Where?Who? Why? 9
  • 10. eXtensible Access Control Markup Language OASIS standard XACML is expressed as A specification document (a PDF) + XML schema Policy-based & attribute-based language Implement authorization based on object relations Only employees of a given plant can see technical data linked to items assigned to the plant 10 Behold XACML, the standard for ABAC
  • 11. Oracle IBM Veterans Administration Axiomatics EMC2 Bank of America The Boeing Company And many more… 11 Who’s behind XACML?
  • 12. Refresher: the XACML architecture Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point 12
  • 13. 13 XACML  Transparent & Externalized AuthZ Centrally managed policy: ”PERMIT user with clearance X to read document classified as ….” “DENY access to classified document if…” User Application Information asset I want… PERMIT or DENY? PERMIT or DENY?
  • 14. XACML  Anywhere AuthZ & Architecture Datacenter App A Service A Service D Service E Service M Service O SaaS SaaS 14 Private Cloud
  • 15. Fine-grained Authorization for the Cloud Three strategies for externalized authorization in the cloud 15
  • 16. A SaaS provider should offer Functional APIs (their core business) Non-functional (Security) APIs Let customers push their own XACML policies Apply the administrative delegation profile http://docs.oasis-open.org/xacml/3.0/xacml-3.0- administration-v1-spec-en.html Option #1 – tell your provider to adopt XACML 16
  • 17. SaaS provider Option #1 – Architecture Central IT: Company A SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users. Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes Customer A users use the SaaS application 17 App#1 App#2 App#3 FunctionalAPI XACML Mgmt API 1. 2. 3.
  • 18. SaaS provider Option #1 – Architecture (including id. Federation) Central IT: Company A 18 STSIdP STS 1. User authenticates using internal authentication mechanism and id store (e.g. LDAP) 2. User calls out to SaaS application 3. User internal identity is translated to virtual identity e.g. SAML assertion message saml message 5. User message is forwarded to SaaS app along with SAML assertion 4. Internal user identity is verified. User attributes are inserted inside newly created SAML assertion 6. SAML assertion is validated against local STS. Attributes are extracted from SAML assertion and returned Trust establishment App#1 App#2 App#3 7. XACML AuthZ request including the attributes from the SAML assertion are sent to the PDP for a decision
  • 19. Pros Consistent access control Fine-grained Risk-aware Future-proof SaaS vendor benefit multi-tenancy Cons Not many SaaS vendors support XACML today Option #1 – Pros & Cons 19
  • 20. If you can restrict access to SaaS applications from within the corporate network… All access to SaaS apps could be made to tunnel through a proxy Option #2 – Proxy your cloud connections 20
  • 21. Option #2 – Architecture SaaS App #1 SaaS App #2 SaaS App #3 VPN 21
  • 22. Pros Workaround current SaaS limitations Easy to deploy Available today Cons No direct access to SaaS app Forces users to go via VPN Access may not be as fine grained as Option #1 Lack of visibility into the SaaS data Option #2 – Pros & Cons 22
  • 23. What if the provider is reluctant to adopt XACML? “If the application won’t go to XACML then XACML will go to the application” Eve Maler, Forrester You still get Centrally managed authorization Standards-based (XACML) Approach Convert from XACML to expected SaaS format Push via SaaS management APIs Option #3 – Policy Provisioning based on XACML 23
  • 24. SaaS provider Option #3 – Architecture Central IT: Company A Convert XACML policies to the native format expected by the SaaS provider Customer A users use the SaaS application App#1 App#2 App#3 FunctionalAPI Native API 24 Authorization constraints / permissions in the format expected by the SaaS provider
  • 25. Pros Feasible today Viable solution Extends the customer’s XACML-based authorization system’s reach Cons Possible loss of XACML richness in access control Loss of dynamic nature Option #3 – Pros & Cons 25
  • 26. Standards are important for the cloud It promotes vendor interoperability It promotes layer interoperability Example XACML authorization services can easily use SAML< OAUTH, OAUTH2, OpenID… XACML can also use semantic web standards This leads to easier deployments and faster ROI 26 Standards & the Cloud
  • 27. Cloud requires eXtensible Authorization Fine-grained Externalized Traditional approaches #1: tell your SaaS provider to adopt XACML. #2: proxy your cloud connections. Extended approach #3: Policy Provisioning based on XACML Also works for business apps (SharePoint, Windows) To summarize 27
  • 28. OASIS technical committee: http://www.oasis-open.org/committees/xacml/ LinkedIn group http://www.linkedin.com/groups/OASIS-XACML- 3934718 28 Online resources