This is the slide deck from an Axiomatics webinar held on April 3, 2014. To see the webinar recording itself, visit the webinar section on the Axiomatics home page. There you will also find the questions and answers section - there were a few interesting discussions at the end of the session.

1. © 2014 Axiomatics AB 1
Do you have a business case
for Attribute Based Access
Control (ABAC)?
Webinar: April 3, 2014

2. © 2014 Axiomatics AB 2
2:001:591:581:571:561:551:541:531:521:511:501:491:481:471:461:451:441:431:421:411:401:391:381:371:361:351:341:331:321:311:301:291:281:271:261:251:241:231:221:211:201:191:181:171:161:151:141:131:121:111:101:091:081:071:061:051:041:031:021:011:000:590:580:570:560:550:540:530:520:510:500:490:480:470:460:450:440:430:420:410:400:390:380:370:360:350:340:330:320:310:300:290:280:270:260:250:240:230:220:210:200:190:180:170:160:150:140:130:120:110:100:090:080:070:060:050:040:030:020:01NOW
Do you have a business case
for Attribute Based Access
Control (ABAC)?
Count-down
for webinar start:
Webinar: April 3, 2014

3. Guidelines
© 2014 Axiomatics AB 3
You are muted
centrally
The webinar
is recorded
Slides
available for
download
Q&A
at the end

4. Today’s speakers
© 2014 Axiomatics AB 4
Finn FrischGerry Gebel

5. @axiomatics
#XACML
© 2014 Axiomatics AB 5
Twitter

6. 6
Introduction
Overview and preamble
© 2014 Axiomatics AB
 Business drivers – why
organizations invested in ABAC
 Business challenges – what
problems they solved
 Business values – what benefits
they gained

7. The ABAC trend
7
2005
XACML version 2.0:
Concept production-ready
for enterprise needs.
2009
US Federal CIO Council –
(FICAM) Roadmap and
Implementation Plan v1.0
advocates ABAC
2006
Axiomatics founded.
First project: a nation-
wide eHealth service.
2011
FICAM v2.0:
ABAC recommended access control
model for promoting information
sharing between diverse and
disparate organizations.
2013
XACML version 3.0
2014
NIST Guide
on ABAC
2014
Gartner predicts:
”By 2020, 70% of all
businesses will use
ABAC as the dominant
mechanism to protect
critical assets,
up from 5% today.”
ABAC = Attribute Based Access Control
© 2014 Axiomatics AB
Introduction

8. What is Attribute Based Access Control (ABAC)?
 A mode of externalized authorization
 Authorization policies/rules are managed in a centralized service (deployment
can be centralized/distributed/hybrid)
 The Extensible Access Control Markup Language (XACML) is an example of an
ABAC system
 Policies utilize attributes to describe specific access rules, which is why it is
called attribute based access control
© 2014 Axiomatics AB 8
Introduction

9. Example from NIST report
 “This flexibility [of ABAC] provides the greatest breadth of subjects to access
the greatest breadth of objects without specifying individual relationships
between each subject and each object”
 Nurse Practitioners in the Cardiology Department can View the Records of
Heart Patients
 Variables in the policy language enable very efficient policy structures – reducing the
maintenance load
 Management of heart patient records is part of the business application – not an IT
function
 Multiple attributes must be available for policy evaluation – either as part of the access
request or retrieved from source
© 2014 Axiomatics AB 9
Introduction

10. NIST example - expanded
 Nurse Practitioners can View the Records of Patients in the same Department
they are assigned to
 This rule can apply to all departments in the hospital
 Add a new department or change names of department and the rule does not change
 Rule compares department of the Nurse Practitioner to the department of the Patient
 Avoids the role explosion effect of RBAC models
© 2014 Axiomatics AB 10
Introduction

11. Why are we seeing this shift to ABAC?
 Todays’ business environment is more global, dynamic and collaborative
 First generation access models cannot cope in a “need to share” world
 Users demand access to any data, from any device, at any time
© 2014 Axiomatics AB 11
Introduction

12. Why organizations invest in ABAC technology
© 2014 Axiomatics AB 12
Consolidated
infrastructure
Enhanced
security
Business
enabler
Compliance
Expose data and APIs
to customers and
partners
Write once,
Enforce everywhere
Consistent
authorization
enforcement across
applications
Implement
legal frameworks
Business drivers

13. Attribute Based Access Control (ABAC) objectives
 Get competitive advantage and create new revenue streams
 Minimize the risk of fraud with dynamic, real-time access control
 Meet global regulatory and privacy requirements
 Cut time to market and streamline internal development
© 2014 Axiomatics AB 13
Business drivers

14. © 2014 Axiomatics AB 14
Collaboration
…depends on efficient
information sharing…
… which depends on
precision in access controls…
Business challenge

15. Legacy access control Attribute based access control
© 2014 Axiomatics AB 15
Legacy access controls fail in dynamic environments
Business challenge

16. Achievements made – return on investment (ROI)
 Question: Before you went for Attribute Based Access Control
(ABAC), how would you have approached the type of solution
you now have built?
 Answer: We wouldn’t. It would simply not have been possible
to build this type of service with the access control models we
used before.
© 2014 Axiomatics AB 16
ROI=ROI of new service which gives a competitive advantage
Business values

17. ABAC enables secure information sharing
Challenge: Collaboration
Objective: Increase revenue
© 2014 Axiomatics AB 17
Conclusion

18. © 2014 Axiomatics AB 18
Speed in business
transactions
…depends on efficient
delegation of powers…
… while losses due to fraud or
excessive risk taking are minimized…
Business challenge

19. The RBAC Sudoku
© 2014 Axiomatics AB 19
Business challenge
A
B
C

20. Using ABAC to overcome the RBAC weakness
 Solution:
To authorize a Service Entry and Release, enforce the following XACML rule:
 PERMIT Service Entry and Release for users with Cost Center Signature
Authority for Purchase Orders of their own Cost Centers providing they were
not previously involved in the creation, editing or approval of the related
Purchase Order or the corresponding Vendor or Service provider account.
 Result:
Multiple attributes combined [cost center, PO and Vendor approver etc.] –
not just the role of the user – are considered to minimize the risk
(in our example the risk of individuals releasing service entries for their own
fraudulent purchase orders.)
© 2014 Axiomatics AB 20
Business challenge

21. Achievements made – return on investment (ROI)
 “Maintain separation of duties so that no one person has too
much control”
 “Reduce risks of data breaches, data leakage and identity theft”
 “Prevent or limit unauthorized bank system access or use”
© 2014 Axiomatics AB 21
Business values

22. ABAC enables delegation of powers for
secure transactions
Challenge: Speed in transactions
Objective: Minimize loss
© 2014 Axiomatics AB 22
Conclusion

23. © 2014 Axiomatics AB 23
Regulatory
compliance
…depends on efficient
IT governance …
…which in turn depends on correct
and verifiable authorizations …
Business challenge

24. © 2014 Axiomatics AB 24
Business challenge

25. Achievements made – return on investment (ROI)
“[…] is a multi-national company and must comply with
financial regulations in multiple jurisdictions. […]
Application-external authorization must ensure applications
at all times comply with changing and country specific
regulations.”
© 2014 Axiomatics AB 25
ROI=Avoiding fines, avoiding reputational damage
Business values

26. ABAC auditably controls who has access
to what, where, when, why and how
Challenge: Compliance / Governance
Objective: Avoiding fines / reputational damage
© 2014 Axiomatics AB 26
Conclusion

27. © 2014 Axiomatics AB 27
Timely service
delivery
…depends on efficient
software development…
…and change management
not causing delays
Business challenge

28. Costly access control – expensive change management
© 2014 Axiomatics AB 28
Business challenge

29. Legacy access control
 Authorization checks repeated over
and over in code:
if (!User.IsInRole("Administrators"))
{
Msg.Text = “Acccess denied.";
ListBox.Visible = false;
return;
}
 Imagine more conditions: data
classification, ListBox.DataSource,
administrator’s clearance level ….
Attribute based access control
 Write once, use many times –
simply send an access request to the
authorization service
Req=BuildRequest(UserID,ListBox)
if (!PDPPermit(Req)) ….
© 2014 Axiomatics AB 29
Implementing authorization in applications
Business challenge

30.  $312 billion: Estimated global expenditure on software
debugging in 2012
 52 %: Portion of total effort spent fixing ‘architecturally
complex defects’, which account for only 8% of all defects*
ROI = reduced software development costs + improved quality +
reduced time-to-market for new service
Code maintenance – return on investment (ROI)
© 2014 Axiomatics AB 30
* Scott Buchholz, director, Deloitte Consulting LLP and David Sisk, director, Deloitte Consulting LLP, “Technical debt reversal, Lowering the IT debt ceiling” in
“Tech Trends 2014: Inspiring Disruption”, http://dupress.com/articles/2014-tech-trends-technical-debt-reversal/
Business values

31. ABAC enables “write once, use many”
patterns which reduces code complexity
and release cycles
Challenge: Software maintenance
Objective:Time-to-market gains, cost reduction
© 2014 Axiomatics AB 31
Conclusion

32. © 2014 Axiomatics AB 32
References
Reading materials
Upcoming webinars

33. Reading materials
 Axiomatics White Paper: The Business Case for Attribute Based Access Control
 Axiomatics White Paper: Getting Started with ABAC
 NIST paper on ABAC
 nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
© 2014 Axiomatics AB 33
References
Webinars
 Get started now! Attribute Based Access Control (ABAC) for applications.
April 10, 2014
 Protect business critical data with dynamic authorization for databases.
May 8, 2014

34. © 2014 Axiomatics AB 34
Questions?
Thank you for listening