Presentation of Authzforce project, OWcon'19, June 12-13, 2019, Paris.

www.thalesgroup.com OPEN
AuthzForce
Next-Gen Access Control Framework
Romain Ferrari
Cyril Dangerville

2
OPEN
Thisdocumentmaynotbereproduced,modified,adapted,published,translated,inanyway,inwholeorin
partordisclosedtoathirdpartywithoutthepriorwrittenconsentofThales-©Thales2015Allrightsreserved.
June 2019
Thales / Template : 87204467-DOC-GRP-EN-002
Outline
▌ AuthzForce overview
Why? What?
AuthzForce & OW2
Latest news
Use cases
▌ Use case focus:
Enterprise IAM / ABAC for Matrix chatrooms
FIDO, OpenID Connect, XACML & co
▌ Roadmap

AuthzForce
Overview

4
OPEN
June 2019
AuthzForce overview - Why
By 2020, the majority of enterprises will use attribute-based access control
(ABAC) as the dominant mechanism to protect critical assets, up from less
than five percent today.
--Gartner
Source: 2013 ISSA International Conference, The Gartner Identity and Access Management Scenario, 2014-2020.

5
OPEN
June 2019
Authzforce – Architecture (XACML)
PEP
PDP
Authz decision request
(with attributes)
Policy Enforcement Point(s)
Policy Decision Point
PIP
PRP
Policy Information Point
PAP Policy Administration Point
Policy Repository Point
PIPPIP
PEPPEP
Resources/Apps
Get policies
Manage policies
Get extra
attributes

6
OPEN
June 2019
AuthzForce – What?
▌ Attribute-Based Access Control framework (NIST standard)
100% XACML standard compliant (OASIS standard)
▌ AuthzForce & OW2 (Gitlab, award 2016, etc.)
▌ Latest news
Thales now contributes to the standard (although not XACML TC member)
CLI tool for quick & easy testing
XACML JSON Profile standard (v1.1 released 03/2019)
Other REST/JSON API improvements
Improved packaging (.deb, Docker), quality check, unit tests…
▌ Use cases
Domains: cloud, Big Data, IoT, 5G, telephony, real-time multimedia, crisis mgt, etc.
Collaborative projects: Easi-clouds, openCloudware, AU2EU, FIWARE, CHOReVOLUTION, 5G-
ENSURE, SENDATE, DRIVER+, PODIUM…)
THALES business

AuthzForce
Use case focus: IAM & ABAC for Matrix/Riot

8
OPEN
June 2019
Use case focus – Matrix framework overview
▌ Matrix/Synapse/Riot: what’s that?
▌ Thales interest
Thales Citadel
Also used by French government: Tchapp
▌ Security limitations for enterprise use (in Synapse)
No strong auth, SSO (except CAS) or identity federation out-of-the-box
Designed for DAC (Discretionary Access Control) only, not RBAC/ABAC/MLS:
- Each room admin is responsible for the AC policy on his/her own room(s)
- The room admin assigns permissions/roles (power levels) to each user individually
▌ Good news in latest Matrix framework developments:
Matrix Client-Server API: latest spec(still labeled « unstable ») supports SSO
Client-side implementation: generic Web SSO support in Riot-web and Riot-Android clients
(2019 versions)
Server-side implementation: Synapse extensible with custom auth modules
Matrix rooms now support tags (not yet usable in Riot UI but with web API)  security labels

9
OPEN
June 2019
Use case focus – Solution architecture
▌ Strong auth: FIDO
▌ Web SSO & Id. fed.: OpenID
Connect
▌ Chatroom ABAC: XACML /
AuthzForce
▌ Examples of ABAC rules:
1. Only user with role(s) X, Y and
LoA ≥ N may join room tagged Z
2. Only users with clearance level ≥
room security tag may read
messages; others may send
messages only
3. Idem but depending on
message type
API
Gateway
(AuthzForce)
PDP
(AuthzForce)
Matrix/Synapse
LDAP Mission
Database
Matrix/Riot
+ FIDO key
OIDC IdP
(Lemonldap, Gluu…)

10
OPEN
June 2019
FIDO for (strong) authentication
▌ FIDO UAF/U2F/2.0 & WebAuthn standards
▌ Standard user-friendly & developer-friendly strong authentication
framework for smartphones, tablets, PCs, etc.
▌ Max interop within FIDO alliance (GAFAMI, most OS & device vendors)
▌ Large choice of cheap FIDO products for USB/Bluetooth/NFC,
biometrics, etc.

11
OPEN
June 2019
OpenID Connect for ID federation & SSO
▌ OpenID Connect = OAuth + SAML for dummies & more
▌ Interest for ABAC: provides standardized identity attributes/assertions
▌ Adopted by major players
Google, AWS, Azure…
▌ OSS implementations
Lemonldap (OW2  )
Keycloak (aka Red Hat SSO)
Gluu (supports FIDO2  )
▌ Proprietary COTS (many)
Azure AD
…

AuthzForce
Roadmap

13
OPEN
June 2019
Roadmap
▌ Rocket.Chat (OW2) !
▌ Industrializing
Improve perf testing
Functional testing (cf. STAMP project)
▌ GUI enhancements
▌ Lightweight ABAC (e.g. for IoT)
▌ GeoXACML (authz based on geo-
loc) – looking for interns!

Thank You
http://authzforce.ow2.org

AuthzForce
ABAC and XACML

16
OPEN
June 2019
Evolution of Access Control models
Identity Based
• Based on user
identity
• Unmanageable
at large scale
Role based
• Role hierarchy
• Separation of
duties
• Issue with
context notion
• Role number
explosion
Attribute based
• Multiple attribute
sources
• Finer granularity
and flexibility

17
OPEN
June 2019
Identity Based Access Control
Identity Based
• Based on user
identity
• Unmanageable
at large scale
Role based
• Role hierarchy
• Separation of
duties
• Issue with
context notion
• Role number
explosion
Attribute based
sources
and flexibility

18
OPEN
June 2019
Role Based Access Control
Identity Based
• Based on user
identity
• Unmanageable
at large scale
Role based
• Role hierarchy
• Separation of
duties
• Issue with
context notion
• Role number
explosion
Attribute based
sources
and flexibility

19
OPEN
June 2019
Attribute Based Access Control
Identity Based
• Based on user
identity
• Unmanageable
at large scale
Role based
• Role hierarchy
• Separation of
duties
• Issue with
context notion
• Role number
explosion
Attribute based
sources
• Contextual
and flexibility

20
OPEN
June 2019
ABAC/XACML Architecture
PEP
PDP
Authz decision request
(with attributes)
Policy Enforcement Point(s)
Policy Decision Point
PIP
PRP
Policy Information Point
PAP Policy Administration Point
Policy Repository Point
PIPPIP
PEPPEP
Resources/Apps
Get policies
Manage policies
Get extra
attributes

21
OPEN
June 2019
Why XACML for ABAC
▌ OASIS standard: XACML = eXtensible Access Control Markup Language
▌ Why XACML?
Standard technical implementation of ABAC
Rationale: enterprise security policy (if exists) managed in different places (HR, Legal, Finance, IT, etc.), enforced in
many points: network access, mail, intranet, business apps, etc.
 Assurance that your enterprise access control policy (including “best practices”) is consistently applied globally
is VERY VERY HARD to get when using different technologies and languages everywhere
▌ XACML is the only international standard that defines concrete languages and models for:
Expressing security policy
Authorization decision request-response format

22
OPEN
June 2019
Policy enforcement in enterprise information systems (example)

23
OPEN
June 2019
XACML

24
OPEN
June 2019
XACML Request
XACML Request
….
Category subject
Category x Attribute Y
Attribute Type
(string, date, integer, …)
Category resource
Category action
Attribute Y
Attribute Value
(romain, 1970-01-01, …)
Attribute ID
(subject-id, subject-role, …)
Category n

25
OPEN
June 2019
Scenario
subject-id=charles
resource-
id=MissionManager
mission-id=47
action-id=update
PEP
PDP
MissionManager
LDAP Mission
Database
Get members
of mission 47 ?
Charles wants to update mission information with
id=47 hosted on MissionManager service

26
OPEN
June 2019
Scenario
subject-id=charles
resource-
id=MissionManager
mission-id=47
action-id=update
PEP
PDP
MissionManager
LDAP Mission
Database
Get members
of mission 47 ?
<Rule RuleId="update_Mission" Effect="Permit">
<Description>update_Mission_Rule</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="string-equal>
<AttributeValue DataType="string">update</AttributeValue>
<AttributeDesignator AttributeId="action-id"
Category=“Action” DataType="string"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition> <Target>
<AnyOf>
<AllOf>
<AttributeValue DataType="string"> Mission_Manager </AttributeValue>
<AttributeDesignator AttributeId=“subject-role"
Category=“Subject” DataType="string"/>
</Match>
<AttributeValue DataType="string"> Activity_Manager </AttributeValue>
<AttributeDesignator AttributeId=“subject-role"
Category=“Subject” DataType="string"/>
</Match>
<Match MatchId=" string-at-least-one-member-of” >
<AttributeValue DataType="string"> subject-id </AttributeValue>
<AttributeDesignator AttributeId=“mission-member "
Category=“Resource” DataType="string"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Condition>
</Rule>

27
OPEN
June 2019
Contectual access control

28
OPEN
June 2019
Role Based Access Control
Identity Based
• Based on user
identity
• Unmanageable
at large scale
Role based
• Role hierarchy
• Separation of
duties
• Issue with
context notion
• Role number
explosion
Attribute based
sources
and flexibility

29
OPEN
June 2019
Role Based Access Control – Limitations (1/2)
▌ Role explosion example:
Roles in a bank: Teller, Supervisor, Branch director
Many bank agencies: Paris, London, Berlin
What about Teller in Paris, Teller in London, Teller in Berlin, Supervisor in Paris, Supervisor
in London…?  9 roles!
▌ RBAC  / ABAC : Doctor-patient and patient-record relationships
Doctor may only access medical records of his/her own patients
If resource.type = ‘MEDICAL_RECORD’
AND action.id in {‘read’,’write’}
AND user.id = medical_record.doctor_id, then Permit
A patient may only access medical records about him/herself
If resource.type = ‘MEDICAL_RECORD’
AND action.id =‘read’
AND user.id = medical_record.patient_id, then Permit

30
OPEN
June 2019
Role Based Access Control – Limitations (2/2)
▌ RBAC  / ABAC : Dynamic separation of duties
User may approve purchase order only if not assigned to him/herself (approver ≠
assignee)
ABAC-style (deny unless permit):
If resource.type = ‘PURCHASE_ORDER’
AND action.id = ‘approve’
AND user.id ≠ purchase_order.assignee, then Permit

31
OPEN
June 2019
US Standardization Activities (NIST, DoD…)
▌ NIST/NCCoE publications on ABAC/XACML
- NCCoE publications on « ABAC » building block, in partnership with Cisco,
Microsoft, Symantec, RSA… [2], in particular:
– NIST Cybersecurity Practice Guide SP 1800-3 (septembre 2017).
- NIST SP 800-162: Guide to ABAC
- NIST SP 800-178: Comparison of ABAC standards for Data Service Applications
- NIST SP 800-192: Verification and Test Methods for Access Control Policies/Models,
made a tool for editing and validating XACML policies (GUI is very technical,
expert-oriented)
▌ DoD
US Army IdAM (Identity & Access Mgt) architecture requirements include XACML

32
OPEN
June 2019
Features – Community Edition
▌ XACML 3.0 standards:
Core
RBAC Profile
REST Profile
Multiple Decision profile
JSON Profile
Experimental: DLP/NAC,
Additional Combining Algorithms
▌ Multi-tenant REST API
Policy Admin
Policy Decision
XML/JSON data format
▌ Policy Enforcers (PEP)
Java & Python SDK
Apache Kafka authorizer
▌ Extensible Architecture (plugins)
Attribute Providers (XACML PIPs): SQL, LDAP…
Policy Providers (for XACML PRP)
Datatypes & Functions
Policy/Rule Combining Algorithms
Request/Result Filters
Decision Cache
▌ Security
XML/JSON schema & syntax validation
XML attack mitigation
Circular policy reference mitigation
▌ Performance
Fast Infoset (ISO standard)
PDP Clustering

33
OPEN
June 2019
Code to product
▌ Source
Community: GitHub, OW2 Gitlab
Enterprise: Thales internal GitLab
▌ Continuous integration
Community: Github/Travis
CI/Maven Central
Enterprise: internal Jenkins/Nexus
▌ Quality check
Unit tests
PMD, FindBugs + Find Security
Bugs, Sonar, OWASP
dependency check
CII Best Practices
FOSSA license check
▌ Documentation
OW2 wiki
AuthzForce Server (readthedocs)
▌ Ticketing system
Community: GitHub issues
Enterprise: internal Gitlab issues
▌ Conventions
Keepachangelog.com
Semantic Versioning
▌ Distribution
.deb, .tar.gz, Docker

34
OPEN
June 2019
Collaborative Projects
▌ Easi-clouds (2011-2015)
▌ openCloudware (2012-2015)
▌ FIWARE (2014-2016): REST API, integration with IAM framework
▌ AU2EU (2013-2015): Integration with IBM privacy framework
▌ 5G-ENSURE (2015-2017): Fine-grained & autonomous ABAC policy
enforcement in constrained environments (e.g. IoT)
▌ PODIUM (2016-2019): TRT NL’s Martello integration
▌ SENDATE (2016-2019): Access control in network slices (NFV)
▌ DRIVER+ (2017-2020): Access control to Apache Kafa topics (pub-sub)

35
OPEN
June 2019
5G-ENSURE – Efficient dynamic authorization for IoT

36
OPEN
June 2019
Competitors
▌ Open Source
XACML 3.0
- AT&T - OpenAZ (AT&T)
– Low activity since 2015
- WSO2 – Balana/Identity Server
– REST API for PDP only
– Buggy
XACML 2.0 only:
- SUN - SunXACML
- HERAS-AF
None provides 3.0 support and…:
- Multi-tenant (cloud-ready) REST API
for PDP/PAP
- Standard-based XML optimization
(ISO Fast Infoset)
▌ Commercial
XACML 3.0
- Axiomatics (leader)
- Atos DirX Access
- ViewDS Access Sentinel
- NextLabs
- Oracle Entitlements Server (only with
Oracle IAM suite)
- ForgeRock AM (only for policy export)
XACML 2.0 only
- IBM Tivoli Security Policy Manager
- Dell/EMC
- Cisco (network access control)

Presentation of Authzforce project, OWcon'19, June 12-13, 2019, Paris.

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Presentation of Authzforce project, OWcon'19, June 12-13, 2019, Paris.

Similar to Presentation of Authzforce project, OWcon'19, June 12-13, 2019, Paris. (20)

More from OW2

More from OW2 (20)

Recently uploaded

Recently uploaded (20)

Presentation of Authzforce project, OWcon'19, June 12-13, 2019, Paris.