SlideShare a Scribd company logo

POLICY-ENABLING YOUR SERVICES USING ELASTIC DYNAMIC AUTHORIZATION TO CONTROL ACCESS TO YOUR APIS, MICROSERVICES, AND DATA

Download as PPTX, PDF
David Brossard
David Brossard

This document discusses policy-based authorization approaches for APIs and microservices. It describes the limitations of traditional token-based authorization using SAML and OAuth and proposes a policy-based approach using the ALFA language. ALFA allows declarative attribute-based policies that can consider identity, action, resource attributes and relationships to make dynamic authorization decisions. The document recommends enforcing authorization at API gateways and data sources using a centralized or distributed policy decision engine. It demonstrates how ALFA policies can be used to authorize and redact fields in API responses.

Software
1 of 21
® POLICY-ENABLING YOUR SERVICES USING ELASTIC DYNAMIC AUTHORIZATION TO CONTROL ACCESS TO YOUR APIS, MICROSERVICES, AND DATA. GERRY GEBEL & DAVID BROSSARD
® API Growth
® A brief history of APIs Enterprise Service Bus CORBA COM/DCOM XML, WS-*, SOAP XML Gateways (Datapower…) REST API Gateways (Apigee…) API Management OAuth gRPC Service meshes (Istio) Orchestration (Kubernetes) Micro-gateways (42crunch, Ambassador…) Enterprise Application Integration Service Oriented Architecture API Micro services
® Authorization for APIs Enterprise Application Integration Service Oriented Architecture API Micro services Home-grown Home-grown SAML XACML Home-grown SAML XACML OAuth 2.0 Home-grown SAML XACML OAuth 2.0 Framework-specific* *CanCan, Laravel, Keycloak, Claims-based… Framework-specific* ALFA OPA
® Comparing Authorization Approaches Home- grown SAML OAuth 2.0 XACML ALFA OPA Description Code inside the applications Open standard for exchanging authentication and authorization data between parties OAuth 2.0 is the industry-standard protocol for authorization. Open standard which defines a declarative fine- grained, attribute- based access control policy language Open lightweight policy-based standard for attribute-based access control open source, general-purpose policy engine that enables unified, context-aware policy enforcement Policy- based No No No Yes Yes Yes RBAC Yes Yes Yes Yes Yes Yes ABAC Possibly No No Yes Yes Yes Reusable No Yes Yes Yes Yes Yes Applicable to multiple layers No No No Yes Yes No
® what OAuth 2.0 is to SAML ALFA is to XACML…
® The problem with tokens? Token bloat, role-based, no relationship, opaque
® Token bloat We create too many assertions / scopes that end up being stored inside the identity token thus bloating it
® Frankenscope When scopes blow up
® Identity-centric All about roles and permissions – no room for relationships or additional attributes
® The solution? Policy Enablement
® The Ten Commandments of Authorization 1. Authorization shall be declarative  policy-based 2. Authorization shall be dynamic  runtime decision-making 3. Authorization shall use identity, action, & resource attributes 4. Authorization shall be decoupled from the application & data 5. Authorization shall be able to use relationships 6. Authorization shall be business-driven  all in it together 7. Authorization shall be transparent  easy to edit & audit 8. Authorization shall be scalable  protect one, protect all 9. Authorization shall be technology agnostic  APIs, data, & more 10. Authorization shall be future-proof  don’t make assumptions about tomorrow
® Authorization for APIs & Data Interceptor Interceptor Transactional authorization Data-centric authorization Policy (ALFA)
® ALFA – the Abbreviated Language for Authorization • OASIS Draft Standard (2015) • Lightweight JSON-like syntax for declarative attribute-based policies • Compatible with XACML & many other policy-based architectures • Fits into the CI/CD development cycle • Authorization-as-ALFA-code
® Choose the right enforcement • APIs & Microservices • API gateways • Micro-gateways • Enforce on the way in… and out • Data stores • SQL proxies • Elasticsearch filters • Other? OData?
® Choose the right decision engine • Central authorization engine, sidecar, or distributed • Central control pane • Stateless authorization engine  you can scale horizontally
® Demo Authorization Applied to an API
® A demo • This demo uses Apigee API Gateway • The gateway calls out to an Axiomatics Cloud Policy Decision Point • In the demo we authorize on the way in… and out • Dan wants to view record 131 • Owner and status is redacted • The original record
® Demo Policy (ALFA) /*R1 - A manager can view any records */ rule manager{ target clause user.role == "manager" clause action_id == "GET" or action_id == "view" permit } /*R2 - An employee can view a record in their own department */ rule employeeView{ target clause user.role == "employee" clause action_id == "view" or action_id == "GET" condition record.department == user.department permit }
® Demo Policy – Masking /*R2.1 - An client can view a record in their own department with obligation to mask owner and status*/ rule clientView{ target clause user.role == "client" clause action_id == "view" or action_id == "GET" condition record.department == user.department permit on permit{ obligation fields { mask_fields = "owner" mask_fields = "status" } } }
21 ® Questions? @davidjbrossard |@ggebel

Recommended

Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...David Brossard
 
To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...David Brossard
 
Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...David Brossard
 
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?David Brossard
 
Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases WSO2
 
CIS14: The Very Latest in Authorization Standards
CIS14: The Very Latest in Authorization StandardsCIS14: The Very Latest in Authorization Standards
CIS14: The Very Latest in Authorization StandardsCloudIDSummit
 
Achieving Microservices Maturity
Achieving Microservices MaturityAchieving Microservices Maturity
Achieving Microservices MaturityNordic APIs
 
APIdays Singapore 2019 - API Gateway in a Nutshell, Allan Chua, Solution and ...
APIdays Singapore 2019 - API Gateway in a Nutshell, Allan Chua, Solution and ...APIdays Singapore 2019 - API Gateway in a Nutshell, Allan Chua, Solution and ...
APIdays Singapore 2019 - API Gateway in a Nutshell, Allan Chua, Solution and ...apidays
 

Recommended

Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...David Brossard
 
To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...David Brossard
 
Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...David Brossard
 
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?David Brossard
 
Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases WSO2
 
CIS14: The Very Latest in Authorization Standards
CIS14: The Very Latest in Authorization StandardsCIS14: The Very Latest in Authorization Standards
CIS14: The Very Latest in Authorization StandardsCloudIDSummit
 
Achieving Microservices Maturity
Achieving Microservices MaturityAchieving Microservices Maturity
Achieving Microservices MaturityNordic APIs
 
APIdays Singapore 2019 - API Gateway in a Nutshell, Allan Chua, Solution and ...
APIdays Singapore 2019 - API Gateway in a Nutshell, Allan Chua, Solution and ...APIdays Singapore 2019 - API Gateway in a Nutshell, Allan Chua, Solution and ...
APIdays Singapore 2019 - API Gateway in a Nutshell, Allan Chua, Solution and ...apidays
 
A Tour of Different API Management Architectures
A Tour of Different API Management ArchitecturesA Tour of Different API Management Architectures
A Tour of Different API Management ArchitecturesNordic APIs
 
Oracle api gateway overview
Oracle api gateway overviewOracle api gateway overview
Oracle api gateway overviewOracle Corporation
 
Blowing up the Monolith: Practical Advice on Microservices
Blowing up the Monolith: Practical Advice on MicroservicesBlowing up the Monolith: Practical Advice on Microservices
Blowing up the Monolith: Practical Advice on MicroservicesNordic APIs
 
WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...
WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...
WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...WSO2
 
Clean up this mess - API Gateway & Service Discovery in .NET
Clean up this mess - API Gateway & Service Discovery in .NETClean up this mess - API Gateway & Service Discovery in .NET
Clean up this mess - API Gateway & Service Discovery in .NETMarcin Tyborowski
 
CIS14: Enterprise Identity APIs
CIS14: Enterprise Identity APIsCIS14: Enterprise Identity APIs
CIS14: Enterprise Identity APIsCloudIDSummit
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...OracleIDM
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPAKnoldus Inc.
 
Introduction to Building E-Commerce Solutions on Heroku and Salesforce
Introduction to Building E-Commerce Solutions on Heroku and SalesforceIntroduction to Building E-Commerce Solutions on Heroku and Salesforce
Introduction to Building E-Commerce Solutions on Heroku and SalesforceSalesforce Developers
 
Deconstructing API Security
Deconstructing API SecurityDeconstructing API Security
Deconstructing API SecurityAkana
 
APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...
APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...
APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...apidays
 
API Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementAPI Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementBizTalk360
 
Tour of Heroku + Salesforce Integration Methods
Tour of Heroku + Salesforce Integration MethodsTour of Heroku + Salesforce Integration Methods
Tour of Heroku + Salesforce Integration MethodsSalesforce Developers
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Policy Based Approach To Runtime Governace
Policy Based Approach To Runtime GovernacePolicy Based Approach To Runtime Governace
Policy Based Approach To Runtime GovernaceMichiel.Kemperman
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best PracticesAleksandr Maklakov
 
Clean architectures with fast api pycones
Clean architectures with fast api pyconesClean architectures with fast api pycones
Clean architectures with fast api pyconesAlvaro Del Castillo
 
Secure and Optimize APIs using Azure API Management
Secure and Optimize APIs using Azure API ManagementSecure and Optimize APIs using Azure API Management
Secure and Optimize APIs using Azure API ManagementBizTalk360
 
API Management and Integrated SOA Governance
API Management and Integrated SOA GovernanceAPI Management and Integrated SOA Governance
API Management and Integrated SOA GovernanceSumanth Chinthagunta
 
AlertSite Slideshow for the Booth at Web 2.0 Expo 2009
AlertSite Slideshow for the Booth at Web 2.0 Expo 2009AlertSite Slideshow for the Booth at Web 2.0 Expo 2009
AlertSite Slideshow for the Booth at Web 2.0 Expo 2009AlertSite
 
Oracle Blockchain Platform
Oracle Blockchain PlatformOracle Blockchain Platform
Oracle Blockchain PlatformJuarez Junior
 
InterConnect 2015 session 2825 cics_and_the_new soa
InterConnect 2015 session 2825 cics_and_the_new soaInterConnect 2015 session 2825 cics_and_the_new soa
InterConnect 2015 session 2825 cics_and_the_new soanick_garrod
 

More Related Content

What's hot

A Tour of Different API Management Architectures
A Tour of Different API Management ArchitecturesA Tour of Different API Management Architectures
A Tour of Different API Management ArchitecturesNordic APIs
 
Blowing up the Monolith: Practical Advice on Microservices
Blowing up the Monolith: Practical Advice on MicroservicesBlowing up the Monolith: Practical Advice on Microservices
Blowing up the Monolith: Practical Advice on MicroservicesNordic APIs
 
WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...
WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...
WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...WSO2
 
Clean up this mess - API Gateway & Service Discovery in .NET
Clean up this mess - API Gateway & Service Discovery in .NETClean up this mess - API Gateway & Service Discovery in .NET
Clean up this mess - API Gateway & Service Discovery in .NETMarcin Tyborowski
 
CIS14: Enterprise Identity APIs
CIS14: Enterprise Identity APIsCIS14: Enterprise Identity APIs
CIS14: Enterprise Identity APIsCloudIDSummit
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...OracleIDM
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPAKnoldus Inc.
 
Introduction to Building E-Commerce Solutions on Heroku and Salesforce
Introduction to Building E-Commerce Solutions on Heroku and SalesforceIntroduction to Building E-Commerce Solutions on Heroku and Salesforce
Introduction to Building E-Commerce Solutions on Heroku and SalesforceSalesforce Developers
 
Deconstructing API Security
Deconstructing API SecurityDeconstructing API Security
Deconstructing API SecurityAkana
 
APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...
APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...
APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...apidays
 
API Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementAPI Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementBizTalk360
 
Tour of Heroku + Salesforce Integration Methods
Tour of Heroku + Salesforce Integration MethodsTour of Heroku + Salesforce Integration Methods
Tour of Heroku + Salesforce Integration MethodsSalesforce Developers
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Policy Based Approach To Runtime Governace
Policy Based Approach To Runtime GovernacePolicy Based Approach To Runtime Governace
Policy Based Approach To Runtime GovernaceMichiel.Kemperman
 
Clean architectures with fast api pycones
Clean architectures with fast api pyconesClean architectures with fast api pycones
Clean architectures with fast api pyconesAlvaro Del Castillo
 
Secure and Optimize APIs using Azure API Management
Secure and Optimize APIs using Azure API ManagementSecure and Optimize APIs using Azure API Management
Secure and Optimize APIs using Azure API ManagementBizTalk360
 
API Management and Integrated SOA Governance
API Management and Integrated SOA GovernanceAPI Management and Integrated SOA Governance
API Management and Integrated SOA GovernanceSumanth Chinthagunta
 
AlertSite Slideshow for the Booth at Web 2.0 Expo 2009
AlertSite Slideshow for the Booth at Web 2.0 Expo 2009AlertSite Slideshow for the Booth at Web 2.0 Expo 2009
AlertSite Slideshow for the Booth at Web 2.0 Expo 2009AlertSite
 

What's hot (20)

A Tour of Different API Management Architectures
A Tour of Different API Management ArchitecturesA Tour of Different API Management Architectures
A Tour of Different API Management Architectures
 
Oracle api gateway overview
Oracle api gateway overviewOracle api gateway overview
Oracle api gateway overview
 
Blowing up the Monolith: Practical Advice on Microservices
Blowing up the Monolith: Practical Advice on MicroservicesBlowing up the Monolith: Practical Advice on Microservices
Blowing up the Monolith: Practical Advice on Microservices
 
WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...
WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...
WSO2Con USA 2017: Brokerage as a Service (BaaS), Transforming Fidelity Broker...
 
Clean up this mess - API Gateway & Service Discovery in .NET
Clean up this mess - API Gateway & Service Discovery in .NETClean up this mess - API Gateway & Service Discovery in .NET
Clean up this mess - API Gateway & Service Discovery in .NET
 
CIS14: Enterprise Identity APIs
CIS14: Enterprise Identity APIsCIS14: Enterprise Identity APIs
CIS14: Enterprise Identity APIs
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPA
 
Introduction to Building E-Commerce Solutions on Heroku and Salesforce
Introduction to Building E-Commerce Solutions on Heroku and SalesforceIntroduction to Building E-Commerce Solutions on Heroku and Salesforce
Introduction to Building E-Commerce Solutions on Heroku and Salesforce
 
Deconstructing API Security
Deconstructing API SecurityDeconstructing API Security
Deconstructing API Security
 
APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...
APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...
APIdays Helsinki 2019 - „Open Banking in a Box” and why it does not exist, Kr...
 
API Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementAPI Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API Management
 
Tour of Heroku + Salesforce Integration Methods
Tour of Heroku + Salesforce Integration MethodsTour of Heroku + Salesforce Integration Methods
Tour of Heroku + Salesforce Integration Methods
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Policy Based Approach To Runtime Governace
Policy Based Approach To Runtime GovernacePolicy Based Approach To Runtime Governace
Policy Based Approach To Runtime Governace
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Clean architectures with fast api pycones
Clean architectures with fast api pyconesClean architectures with fast api pycones
Clean architectures with fast api pycones
 
Secure and Optimize APIs using Azure API Management
Secure and Optimize APIs using Azure API ManagementSecure and Optimize APIs using Azure API Management
Secure and Optimize APIs using Azure API Management
 
API Management and Integrated SOA Governance
API Management and Integrated SOA GovernanceAPI Management and Integrated SOA Governance
API Management and Integrated SOA Governance
 
AlertSite Slideshow for the Booth at Web 2.0 Expo 2009
AlertSite Slideshow for the Booth at Web 2.0 Expo 2009AlertSite Slideshow for the Booth at Web 2.0 Expo 2009
AlertSite Slideshow for the Booth at Web 2.0 Expo 2009
 

Similar to POLICY-ENABLING YOUR SERVICES USING ELASTIC DYNAMIC AUTHORIZATION TO CONTROL ACCESS TO YOUR APIS, MICROSERVICES, AND DATA

Oracle Blockchain Platform
Oracle Blockchain PlatformOracle Blockchain Platform
Oracle Blockchain PlatformJuarez Junior
 
InterConnect 2015 session 2825 cics_and_the_new soa
InterConnect 2015 session 2825 cics_and_the_new soaInterConnect 2015 session 2825 cics_and_the_new soa
InterConnect 2015 session 2825 cics_and_the_new soanick_garrod
 
Oracle Blockchain Platform_Wonjo Yoo
Oracle Blockchain Platform_Wonjo YooOracle Blockchain Platform_Wonjo Yoo
Oracle Blockchain Platform_Wonjo YooOracle Korea
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforcedeimos
 
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft BroadridgeAWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft BroadridgeAmazon Web Services
 
Global Azure 2022 - Architecting Modern Serverless APIs with Azure Functions ...
Global Azure 2022 - Architecting Modern Serverless APIs with Azure Functions ...Global Azure 2022 - Architecting Modern Serverless APIs with Azure Functions ...
Global Azure 2022 - Architecting Modern Serverless APIs with Azure Functions ...Callon Campbell
 
Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018Oracle Developers
 
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018Oracle Developers
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXCisco Canada
 
Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomQConLondon2008
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best PracticeShiu-Fun Poon
 
Principal Propagation with SAP Cloud Platform
Principal Propagation with SAP Cloud PlatformPrincipal Propagation with SAP Cloud Platform
Principal Propagation with SAP Cloud PlatformGary Jackson MBCS
 
OOW 2012: Integrate Cloud Applications with Oracle SOA Suite
OOW 2012: Integrate Cloud Applications with Oracle SOA SuiteOOW 2012: Integrate Cloud Applications with Oracle SOA Suite
OOW 2012: Integrate Cloud Applications with Oracle SOA SuiteRajesh Raheja
 
AWS Serverless API Management - Meetup
AWS Serverless API Management - MeetupAWS Serverless API Management - Meetup
AWS Serverless API Management - MeetupSamuel Vandecasteele
 
2015-12-02 - WebCamp - Microsoft Azure Logic Apps
2015-12-02 - WebCamp - Microsoft Azure Logic Apps2015-12-02 - WebCamp - Microsoft Azure Logic Apps
2015-12-02 - WebCamp - Microsoft Azure Logic AppsSandro Pereira
 
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...Amazon Web Services
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...CA Technologies
 

Similar to POLICY-ENABLING YOUR SERVICES USING ELASTIC DYNAMIC AUTHORIZATION TO CONTROL ACCESS TO YOUR APIS, MICROSERVICES, AND DATA (20)

Oracle Blockchain Platform
Oracle Blockchain PlatformOracle Blockchain Platform
Oracle Blockchain Platform
 
InterConnect 2015 session 2825 cics_and_the_new soa
InterConnect 2015 session 2825 cics_and_the_new soaInterConnect 2015 session 2825 cics_and_the_new soa
InterConnect 2015 session 2825 cics_and_the_new soa
 
Datapower Steven Cawn
Datapower Steven CawnDatapower Steven Cawn
Datapower Steven Cawn
 
Oracle Blockchain Platform_Wonjo Yoo
Oracle Blockchain Platform_Wonjo YooOracle Blockchain Platform_Wonjo Yoo
Oracle Blockchain Platform_Wonjo Yoo
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
 
20190404 Blockchain GIG #2 Oracle Mark発表資料
20190404 Blockchain GIG #2 Oracle Mark発表資料 20190404 Blockchain GIG #2 Oracle Mark発表資料
20190404 Blockchain GIG #2 Oracle Mark発表資料
 
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft BroadridgeAWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
AWS FSI Symposium 2017 NYC - Moving at the Speed of Serverless ft Broadridge
 
Global Azure 2022 - Architecting Modern Serverless APIs with Azure Functions ...
Global Azure 2022 - Architecting Modern Serverless APIs with Azure Functions ...Global Azure 2022 - Architecting Modern Serverless APIs with Azure Functions ...
Global Azure 2022 - Architecting Modern Serverless APIs with Azure Functions ...
 
Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018
 
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
 
Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
 
Principal Propagation with SAP Cloud Platform
Principal Propagation with SAP Cloud PlatformPrincipal Propagation with SAP Cloud Platform
Principal Propagation with SAP Cloud Platform
 
OOW 2012: Integrate Cloud Applications with Oracle SOA Suite
OOW 2012: Integrate Cloud Applications with Oracle SOA SuiteOOW 2012: Integrate Cloud Applications with Oracle SOA Suite
OOW 2012: Integrate Cloud Applications with Oracle SOA Suite
 
Unlocking the Cloud Operating Model
Unlocking the Cloud Operating ModelUnlocking the Cloud Operating Model
Unlocking the Cloud Operating Model
 
AWS Serverless API Management - Meetup
AWS Serverless API Management - MeetupAWS Serverless API Management - Meetup
AWS Serverless API Management - Meetup
 
2015-12-02 - WebCamp - Microsoft Azure Logic Apps
2015-12-02 - WebCamp - Microsoft Azure Logic Apps2015-12-02 - WebCamp - Microsoft Azure Logic Apps
2015-12-02 - WebCamp - Microsoft Azure Logic Apps
 
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
Building PaaS with Amazon EKS for the Large-Scale, Highly Regulated Enterpris...
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
 

More from David Brossard

Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...David Brossard
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...David Brossard
 
The Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with AuthorizationThe Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with AuthorizationDavid Brossard
 
OpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior ArtOpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior ArtDavid Brossard
 
OpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateDavid Brossard
 
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignEIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignDavid Brossard
 
Fine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACMLFine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACMLDavid Brossard
 
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...David Brossard
 
Authorization - it's not just about who you are
Authorization - it's not just about who you areAuthorization - it's not just about who you are
Authorization - it's not just about who you areDavid Brossard
 
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...David Brossard
 
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...David Brossard
 
XACML - Fight For Your Love
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your LoveDavid Brossard
 

More from David Brossard (12)

Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
 
The Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with AuthorizationThe Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with Authorization
 
OpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior ArtOpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior Art
 
OpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG Update
 
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignEIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
 
Fine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACMLFine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACML
 
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
 
Authorization - it's not just about who you are
Authorization - it's not just about who you areAuthorization - it's not just about who you are
Authorization - it's not just about who you are
 
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
 
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
 
XACML - Fight For Your Love
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your Love
 

Recently uploaded

ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 

Recently uploaded (20)

ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 

POLICY-ENABLING YOUR SERVICES USING ELASTIC DYNAMIC AUTHORIZATION TO CONTROL ACCESS TO YOUR APIS, MICROSERVICES, AND DATA

  • 1. ® POLICY-ENABLING YOUR SERVICES USING ELASTIC DYNAMIC AUTHORIZATION TO CONTROL ACCESS TO YOUR APIS, MICROSERVICES, AND DATA. GERRY GEBEL & DAVID BROSSARD
  • 3. ® A brief history of APIs Enterprise Service Bus CORBA COM/DCOM XML, WS-*, SOAP XML Gateways (Datapower…) REST API Gateways (Apigee…) API Management OAuth gRPC Service meshes (Istio) Orchestration (Kubernetes) Micro-gateways (42crunch, Ambassador…) Enterprise Application Integration Service Oriented Architecture API Micro services
  • 4. ® Authorization for APIs Enterprise Application Integration Service Oriented Architecture API Micro services Home-grown Home-grown SAML XACML Home-grown SAML XACML OAuth 2.0 Home-grown SAML XACML OAuth 2.0 Framework-specific* *CanCan, Laravel, Keycloak, Claims-based… Framework-specific* ALFA OPA
  • 5. ® Comparing Authorization Approaches Home- grown SAML OAuth 2.0 XACML ALFA OPA Description Code inside the applications Open standard for exchanging authentication and authorization data between parties OAuth 2.0 is the industry-standard protocol for authorization. Open standard which defines a declarative fine- grained, attribute- based access control policy language Open lightweight policy-based standard for attribute-based access control open source, general-purpose policy engine that enables unified, context-aware policy enforcement Policy- based No No No Yes Yes Yes RBAC Yes Yes Yes Yes Yes Yes ABAC Possibly No No Yes Yes Yes Reusable No Yes Yes Yes Yes Yes Applicable to multiple layers No No No Yes Yes No
  • 6. ® what OAuth 2.0 is to SAML ALFA is to XACML…
  • 7. ® The problem with tokens? Token bloat, role-based, no relationship, opaque
  • 8. ® Token bloat We create too many assertions / scopes that end up being stored inside the identity token thus bloating it
  • 10. ® Identity-centric All about roles and permissions – no room for relationships or additional attributes
  • 12. ® The Ten Commandments of Authorization 1. Authorization shall be declarative  policy-based 2. Authorization shall be dynamic  runtime decision-making 3. Authorization shall use identity, action, & resource attributes 4. Authorization shall be decoupled from the application & data 5. Authorization shall be able to use relationships 6. Authorization shall be business-driven  all in it together 7. Authorization shall be transparent  easy to edit & audit 8. Authorization shall be scalable  protect one, protect all 9. Authorization shall be technology agnostic  APIs, data, & more 10. Authorization shall be future-proof  don’t make assumptions about tomorrow
  • 13. ® Authorization for APIs & Data Interceptor Interceptor Transactional authorization Data-centric authorization Policy (ALFA)
  • 14. ® ALFA – the Abbreviated Language for Authorization • OASIS Draft Standard (2015) • Lightweight JSON-like syntax for declarative attribute-based policies • Compatible with XACML & many other policy-based architectures • Fits into the CI/CD development cycle • Authorization-as-ALFA-code
  • 15. ® Choose the right enforcement • APIs & Microservices • API gateways • Micro-gateways • Enforce on the way in… and out • Data stores • SQL proxies • Elasticsearch filters • Other? OData?
  • 16. ® Choose the right decision engine • Central authorization engine, sidecar, or distributed • Central control pane • Stateless authorization engine  you can scale horizontally
  • 18. ® A demo • This demo uses Apigee API Gateway • The gateway calls out to an Axiomatics Cloud Policy Decision Point • In the demo we authorize on the way in… and out • Dan wants to view record 131 • Owner and status is redacted • The original record
  • 19. ® Demo Policy (ALFA) /*R1 - A manager can view any records */ rule manager{ target clause user.role == "manager" clause action_id == "GET" or action_id == "view" permit } /*R2 - An employee can view a record in their own department */ rule employeeView{ target clause user.role == "employee" clause action_id == "view" or action_id == "GET" condition record.department == user.department permit }
  • 20. ® Demo Policy – Masking /*R2.1 - An client can view a record in their own department with obligation to mask owner and status*/ rule clientView{ target clause user.role == "client" clause action_id == "view" or action_id == "GET" condition record.department == user.department permit on permit{ obligation fields { mask_fields = "owner" mask_fields = "status" } } }