Policy enabling your services - using elastic dynamic authorization to control access to your APIs, microservices, and data

David Brossard, Chief Technology Officer at Axiomatics
POLICY-ENABLING YOUR SERVICES: USING ELASTIC DYNAMIC AUTHORIZATION TO CONTROL ACCESS TO YOUR APIS, MICROSERVICES, AND DATA.
Gerry Gebel & David Brossard
API Growth
A brief history of APIs
Timeline, from Enterprise Application Integration through Service Oriented Architecture and APIs to microservices:
• Enterprise Service Bus
• CORBA
• COM/DCOM
• XML, WS-*, SOAP
• XML Gateways (Datapower…)
• REST
• API Gateways (Apigee…)
• API Management
• OAuth
• gRPC
• Service meshes (Istio)
• Orchestration (Kubernetes)
• Micro-gateways (42crunch, Ambassador…)
Authorization for APIs
Authorization approaches in use during each era:
• Enterprise Application Integration: Home-grown
• Service Oriented Architecture: Home-grown, SAML, XACML
• API: Home-grown, SAML, XACML, OAuth 2.0, Framework-specific*
• Microservices: Home-grown, SAML, XACML, OAuth 2.0, Framework-specific*, ALFA, OPA
*CanCan, Laravel, Keycloak, Claims-based…
Comparing Authorization Approaches
Descriptions:
• Home-grown: code inside the applications
• SAML: open standard for exchanging authentication and authorization data between parties
• OAuth 2.0: the industry-standard protocol for authorization
• XACML: open standard which defines a declarative, fine-grained, attribute-based access control policy language
• ALFA: open, lightweight, policy-based standard for attribute-based access control
• OPA: open source, general-purpose policy engine that enables unified, context-aware policy enforcement

Approach     Policy-based   RBAC   ABAC       Reusable   Applicable to multiple layers
Home-grown   No             Yes    Possibly   No         No
SAML         No             Yes    No         Yes        No
OAuth 2.0    No             Yes    No         Yes        No
XACML        Yes            Yes    Yes        Yes        Yes
ALFA         Yes            Yes    Yes        Yes        Yes
OPA          Yes            Yes    Yes        Yes        No
What OAuth 2.0 is to SAML, ALFA is to XACML…
The problem with tokens?
Token bloat, role-based, no relationship, opaque
Token bloat
We create too many assertions / scopes that end up being stored inside the identity token, thus bloating it.
Frankenscope
When scopes blow up
Identity-centric
All about roles and permissions – no room for relationships or additional attributes.
The solution?
Policy Enablement
The Ten Commandments of Authorization
1. Authorization shall be declarative → policy-based
2. Authorization shall be dynamic → runtime decision-making
3. Authorization shall use identity, action, & resource attributes
4. Authorization shall be decoupled from the application & data
5. Authorization shall be able to use relationships
6. Authorization shall be business-driven → all in it together
7. Authorization shall be transparent → easy to edit & audit
8. Authorization shall be scalable → protect one, protect all
9. Authorization shall be technology agnostic → APIs, data, & more
10. Authorization shall be future-proof → don’t make assumptions about tomorrow
Authorization for APIs & Data
(Diagram: an interceptor in front of the API performs transactional authorization, and an interceptor in front of the data store performs data-centric authorization; both are driven by policy written in ALFA.)
ALFA – the Abbreviated Language for Authorization
• OASIS Draft Standard (2015)
• Lightweight JSON-like syntax for declarative attribute-based policies
• Compatible with XACML & many other policy-based architectures
• Fits into the CI/CD development cycle
• Authorization-as-ALFA-code
Choose the right enforcement
• APIs & Microservices
  • API gateways
  • Micro-gateways
  • Enforce on the way in… and out
• Data stores
  • SQL proxies
  • Elasticsearch filters
  • Other? OData?
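The "SQL proxies" bullet is the data-centric counterpart of the gateway call-out: instead of asking the decision point once per record, the proxy rewrites the query so that only permitted rows and columns ever leave the database. The following is an added example, not code from the slides or from Axiomatics. It renders the deck's three demo rules (R1: a manager sees everything; R2: an employee sees their own department; R2.1: a client sees their own department with owner and status masked) as a query rewrite over a constructed SQLite table; the table layout, column names and row contents are all constructed for the example.

```python
"""Added example, not code from the slides or from Axiomatics: a data-centric
enforcement point in the style of the 'SQL proxies' bullet. The deck's three
demo rules (R1 manager sees all, R2 employee sees own department, R2.1 client
sees own department with owner and status masked) are rendered as a query
rewrite instead of a per-record decision, so one policy protects the whole
result set. Table layout, column names and row contents are constructed."""
import sqlite3

ALL_COLUMNS = ("id", "department", "owner", "status", "amount")
MASKED_COLUMNS = ("owner", "status")      # R2.1's obligation, as a projection


def rewrite_select(user):
    """Turn 'SELECT * FROM records' into the query this user may run.
    Returns (sql, params); raises PermissionError when no rule applies."""
    role, dept = user["role"], user["department"]
    if role == "manager":                                   # R1: no filter
        cols, where, params = ALL_COLUMNS, "", ()
    elif role == "employee":                                # R2: own department
        cols, where, params = ALL_COLUMNS, " WHERE department = ?", (dept,)
    elif role == "client":                                  # R2.1: own department, masked
        cols = tuple(f"'[redacted]' AS {c}" if c in MASKED_COLUMNS else c
                     for c in ALL_COLUMNS)
        where, params = " WHERE department = ?", (dept,)
    else:                                                   # deny-unless-permit
        raise PermissionError(f"no rule permits role {role!r} to view records")
    return f"SELECT {', '.join(cols)} FROM records{where} ORDER BY id", params


def query_as(conn, user):
    """Run the rewritten query and return rows as dicts."""
    sql, params = rewrite_select(user)
    cur = conn.execute(sql, params)
    names = [d[0] for d in cur.description]
    return [dict(zip(names, row)) for row in cur.fetchall()]


def demo_db():
    """Constructed in-memory table with two records in different departments."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id TEXT, department TEXT, owner TEXT, "
                 "status TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?, ?)", [
        ("131", "sales", "alice", "open", 4200),
        ("132", "finance", "bob", "closed", 900),
    ])
    return conn


if __name__ == "__main__":
    db = demo_db()
    for who in ({"role": "manager", "department": "finance"},
                {"role": "employee", "department": "finance"},
                {"role": "client", "department": "sales"}):
        print(who["role"], query_as(db, who))
```

The filter values travel as bound parameters rather than being spliced into the SQL text, and the masking is done in the projection so the sensitive columns are never fetched and then dropped in application code. A role no rule covers is refused before any query is built, which is the same deny-unless-permit behaviour a policy engine would give.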
Choose the right decision engine
• Central authorization engine, sidecar, or distributed
• Central control plane
• Stateless authorization engine → you can scale horizontally
Demo: Authorization Applied to an API
A demo
• This demo uses Apigee API Gateway
• The gateway calls out to an Axiomatics Cloud Policy Decision Point
• In the demo we authorize on the way in… and out
• Dan wants to view record 131
• Owner and status are redacted
• The original record
Demo Policy (ALFA)

    /* R1 - A manager can view any records */
    rule manager {
        target clause user.role == "manager"
        clause action_id == "GET" or action_id == "view"
        permit
    }

    /* R2 - An employee can view a record in their own department */
    rule employeeView {
        target clause user.role == "employee"
        clause action_id == "view" or action_id == "GET"
        condition record.department == user.department
        permit
    }
Demo Policy – Masking

    /* R2.1 - A client can view a record in their own department, with an
       obligation to mask owner and status */
    rule clientView {
        target clause user.role == "client"
        clause action_id == "view" or action_id == "GET"
        condition record.department == user.department
        permit
        on permit {
            obligation fields {
                mask_fields = "owner"
                mask_fields = "status"
            }
        }
    }
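The three rules above only produce a decision and, for clients, an obligation; the gateway still has to send the right attributes in, and honour the obligation on the way out, or the masking never happens. The following is an added example, not code from the slides, from Apigee or from Axiomatics: an in-process stand-in for the gateway-to-PDP call-out. It builds the request in the layout of the XACML JSON profile, evaluates R1, R2 and R2.1 over it, and then has the gateway redact the fields named by the mask_fields obligation before the record goes back to the caller. The attribute ids (user.role, user.department, action_id, record.id), the users, and the contents of record 131 are constructed sample data.

```python
"""Added example, not code from the slides or from Axiomatics: an in-process
stand-in for the gateway -> Policy Decision Point call-out in the demo.
It builds a request in the XACML JSON profile layout, evaluates the three
demo rules (R1, R2, R2.1) over it, returns a decision with obligations, and
then has the gateway honour the mask_fields obligation on the way out.
Attribute ids, users and record 131's contents are constructed sample data."""
import copy

# Constructed sample data. RECORDS doubles as the PIP the PDP consults for
# resource attributes such as record.department.
RECORDS = {"131": {"id": "131", "department": "sales", "owner": "alice",
                   "status": "open", "amount": 4200}}
USERS = {"dan": {"role": "client", "department": "sales"},
         "maria": {"role": "manager", "department": "finance"},
         "erin": {"role": "employee", "department": "finance"}}
VIEW_ACTIONS = {"GET", "view"}
MASK_OBLIGATION = {"Id": "fields", "AttributeAssignment": [
    {"AttributeId": "mask_fields", "Value": "owner"},
    {"AttributeId": "mask_fields", "Value": "status"}]}


def build_request(user_id, action_id, record_id):
    """PEP side, on the way in: what the gateway sends to the PDP."""
    user = USERS[user_id]
    return {"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": "user.role", "Value": user["role"]},
            {"AttributeId": "user.department", "Value": user["department"]}]},
        "Action": {"Attribute": [{"AttributeId": "action_id", "Value": action_id}]},
        "Resource": {"Attribute": [{"AttributeId": "record.id", "Value": record_id}]},
    }}


def attr(request, category, attribute_id):
    """Fetch one attribute value from a request category, or None."""
    for a in request["Request"].get(category, {}).get("Attribute", []):
        if a["AttributeId"] == attribute_id:
            return a["Value"]
    return None


def evaluate(request):
    """PDP stand-in mirroring rules R1, R2 and R2.1. Unmatched requests are
    denied, as XACML's deny-unless-permit combining algorithm would."""
    role = attr(request, "AccessSubject", "user.role")
    user_dept = attr(request, "AccessSubject", "user.department")
    action_id = attr(request, "Action", "action_id")
    record = RECORDS.get(attr(request, "Resource", "record.id"))
    # PIP look-up: the condition needs record.department, which the gateway
    # did not send; an unknown record yields no attribute and thus no match.
    record_dept = record["department"] if record else None
    same_dept = record_dept is not None and record_dept == user_dept

    decision, obligations = "Deny", []
    if action_id in VIEW_ACTIONS:
        if role == "manager":                               # R1
            decision = "Permit"
        elif role == "employee" and same_dept:              # R2
            decision = "Permit"
        elif role == "client" and same_dept:                # R2.1
            decision, obligations = "Permit", [MASK_OBLIGATION]
    return {"Response": [{"Decision": decision, "Obligations": obligations}]}


def apply_obligations(record, obligations):
    """PEP side, on the way out: redact every field named by a mask_fields
    assignment. An obligation the PEP cannot honour must turn into a denial,
    so anything but 'fields' raises and the caller withholds the record."""
    masked = copy.deepcopy(record)
    for ob in obligations:
        if ob["Id"] != "fields":
            raise ValueError(f"unsupported obligation {ob['Id']!r}")
        for a in ob["AttributeAssignment"]:
            if a["AttributeId"] == "mask_fields" and a["Value"] in masked:
                masked[a["Value"]] = "[redacted]"
    return masked


def gateway_get_record(user_id, record_id, action_id="GET"):
    """The whole in-and-out flow: decide first, fetch second, redact third.
    Returns (http_status, body)."""
    result = evaluate(build_request(user_id, action_id, record_id))["Response"][0]
    if result["Decision"] != "Permit":
        return 403, None        # unknown and forbidden records look alike to the caller
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    try:
        body = apply_obligations(record, result["Obligations"])
    except ValueError:
        return 403, None        # could not honour the obligation: withhold the data
    return 200, body


if __name__ == "__main__":
    print(gateway_get_record("dan", "131"))    # owner and status redacted
    print(gateway_get_record("maria", "131"))  # full record
    print(gateway_get_record("erin", "131"))   # 403: wrong department
```

Two points in the flow carry the security weight. The decision is taken before the backend is touched, so a forbidden caller cannot tell an existing record from a missing one; and an obligation the gateway does not understand is treated as a denial rather than ignored, which is what keeps "permit with obligation" from silently degrading into "permit".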
Questions?
@davidjbrossard | @ggebel
