Downloaded 84 times
Uploaded byDavid Brossard
Fine grained access control for cloud-based services using ABAC and XACML
This document discusses three strategies for implementing fine-grained authorization for cloud-based services using eXtensible Access Control Markup Language (XACML). The first strategy is to encourage software-as-a-service (SaaS) providers to directly support XACML by exposing security APIs. The second is to proxy all cloud connections through an on-premise gateway that enforces authorization policies. The third strategy converts XACML policies into the native format supported by each SaaS provider and pushes them via management APIs.
In this document
Powered by AI
Introduction to Fine-Grained Authorization for cloud services by David Brossard from Axiomatics.
Introduction of three strategies for extending authorization to the cloud, targeting stakeholders.
Defines access control and the difference between authentication and authorization, emphasizing the role of standards like XACML.
Highlights current issues in authorization, particularly the complexities introduced by system growth and cloud transitions.
Discusses Export Control regulations and the importance of knowing user data and end use in the cloud environment.
Introduces fine-grained authorization through attribute-based access control and the role of XACML in managing access.
Explains the architecture of XACML, detailing how it manages authorization and integrates into various cloud services.
Outlines three options for SaaS providers to implement externalized authorization, pros, cons, and the relevance of XACML.
Discusses an alternative solution by proxying cloud connections, outlining architecture, advantages, and limitations.
Describes a third option to adapt XACML policies to SaaS application formats, highlighting feasibility and potential downsides.
Summarizes the three strategies for eXtensible Authorization in the cloud, reiterating the necessity of fine-grained controls.
Provides contact information for attendees wishing to ask questions or seek further information about the presentation.
More Related Content
Similar to Fine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACML
- 1. Fine-Grained Authorization for Cloud-basedServices David Brossard Axiomatics @davidjbrossard - @axiomatics © 2012, Axiomatics AB 1
- 2. 3 strategies toextend authorization to the Cloud We’re in London, we definitely need this strategy What it means for customers SaaS providers What you will learn © 2012, Axiomatics AB 2
- 3. Access control orauthorization (AuthZ) Who can do what? “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.” What’s authorization? © 2012, Axiomatics AB 3
- 4. Heard enough aboutSSO, federation and SAML? Authentication: Hi, I prove who I say I am One-off process Focus: user’s identity and the proof of identity Standards: OpenID, OAUTH, SAML… Authorization: Hi, can I transfer this amount? From code-driven to policy-driven Standard: XACML Authorization comes after Authentication © 2012, Axiomatics AB 4
- 5. The issue with Authorizationtoday The black box challenge © 2012, Axiomatics AB 5
- 6. System growth leadsto AuthZ challenges App App App Cost Brittleness Static Risk Lack of visibility Lack of audit Violation of SoD SaaS SaaS SaaS © 2012, Axiomatics AB 6
- 7. What happens tomy data? Who can access which information? How do I comply with (what the auditor will ask for) Regulations? E.g. Export Control Contractual obligations? Going to the cloud doesn’t make it easier Do I need a different approach for cloud? The Authorization Challenge © 2012, Axiomatics AB 7
- 8. Export Control Know theuser (citizenship, location, affiliation) Know the end use (end location, purpose of use) Example: Manufacturing in the cloud © 2012, Axiomatics AB 8
- 9. Fine-grained authorization to therescue Attribute-based access control XACML © 2012, Axiomatics AB 9
- 10. Authorization is nearlyalways about Who? Identity + role (+ group) © 2012, Axiomatics AB 10 Credits: all icons from the Noun Project | Invisible: Andrew Cameron
- 11. Authorization should reallybe about… When?What? How?Where?Who? Why? © 2012, Axiomatics AB 11 Credits: all icons from the Noun Project | Invisible: Andrew Cameron, | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins
- 12. eXtensible Access ControlMarkup Language OASIS standard XACML is expressed as A specification document (a PDF) and An XML schema Policy-based & attribute-based language Implement authorization based on object relations Only employees of a given plant can see technical data linked to items assigned to the plant © 2012, Axiomatics AB 12 Behold XACML, the standard for ABAC
- 13. © 2012, AxiomaticsAB Refresher: the XACML architecture Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point 13
- 14. © 2012, AxiomaticsAB 14 XACML Transparent & Externalized AuthZ Centrally managed policy: ”PERMIT user with clearance X to read document classified as ….” “DENY access to classified document if…” User Application Information asset I want… PERMIT or DENY? PERMIT or DENY?
- 15. XACML AnywhereAuthZ & Architecture Datacenter App A Service A Service D Service E Service M Service O SaaS SaaS © 2012, Axiomatics AB 15 Private Cloud
- 16. Fine-grained Authorization for theCloud Three strategies for externalized authorization in the cloud © 2012, Axiomatics AB 16
- 17. A SaaS providershould offer Functional APIs (their core business) Non-functional (Security) APIs Let customers push their own XACML policies Apply the administrative delegation profile http://docs.oasis-open.org/xacml/3.0/xacml-3.0- administration-v1-spec-en.html Option #1 – tell your provider to adopt XACML © 2012, Axiomatics AB 17
- 18. SaaS provider Option #1– Architecture Central IT: Company A SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users. Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes Customer A users use the SaaS application 18© 2012, Axiomatics AB App#1 App#2 App#3 FunctionalAPI XACML Mgmt API 1. 2. 3.
- 19. Pros Consistent access control Fine-grained Risk-aware Future-proof SaaSvendor benefit multi-tenancy Cons Not many SaaS vendors support XACML today Option #1 – Pros & Cons © 2012, Axiomatics AB 19
- 20. If you canrestrict access to SaaS applications from within the corporate network… All access to SaaS apps could be made to tunnel through a proxy Option #2 – Proxy your cloud connections © 2012, Axiomatics AB 20
- 21. Option #2 –Architecture SaaS App #1 SaaS App #2 SaaS App #3 VPN © 2012, Axiomatics AB 21
- 22. Pros Workaround current SaaS limitations Easyto deploy Available today Cons No direct access to SaaS app Forces users to go via VPN Access may not be as fine grained as Option #1 Lack of visibility into the SaaS data Option #2 – Pros & Cons © 2012, Axiomatics AB 22
- 23. What if theprovider is reluctant to adopt XACML? “If the application won’t go to XACML then XACML will go to the application” Eve Maler, Forrester You still get Centrally managed authorization Standards-based (XACML) Approach Convert from XACML to expected SaaS format Push via SaaS management APIs Option #3 – Policy Provisioning based on XACML © 2012, Axiomatics AB 23
- 24. SaaS provider Option #3– Architecture Central IT: Company A Convert XACML policies to the native format expected by the SaaS provider Customer A users use the SaaS application App#1 App#2 App#3 FunctionalAPI Native API © 2012, Axiomatics AB 24 Authorization constraints / permissions in the format expected by the SaaS provider
- 25. Pros Feasible today Viable solution Extendsthe customer’s XACML-based authorization system’s reach Cons Possible loss of XACML richness in access control Loss of dynamic nature Option #3 – Pros & Cons © 2012, Axiomatics AB 25
- 26. Cloud requires eXtensibleAuthorization Fine-grained Externalized Traditional approaches #1: tell your SaaS provider to adopt XACML. #2: proxy your cloud connections. Extended approach #3: Policy Provisioning based on XACML Also works for business apps (SharePoint, Windows) To summarize © 2012, Axiomatics AB 26
- 27.
Editor's Notes
- #11 Once upon a time, access control was about who you were. What mattered was your identity or perhaps your role or group.But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why…Credits:Invisible: Andrew Cameron, from The Noun ProjectBox: Martin Karachorov, Wrench: John O'Sheaclock: Brandon Hopkins
- #12 Once upon a time, access control was about who you were. What mattered was your identity or perhaps your role or group.But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why…Credits:Invisible: Andrew Cameron, from The Noun ProjectBox: Martin Karachorov, Wrench: John O'Sheaclock: Brandon Hopkins
- #14 Policy Enforcement PointIn the XACML architecture, the PEP is the component in charge of intercepting business messages and protecting targeted resources by requesting an access control decision from a policy decision point and enforcing that decision. PEPs can embrace many different form factors depending on the type of resource being protected.Policy Decision PointThe PDP sits at the very core of the XACML architecture. It implements the XACML standard and evaluation logic. Its purpose is to evaluate access control requests coming in from the PEP against the XACML policies read from the PRP. The PDP then returns a decision – either of Permit, Deny, Not Applicable, or Indeterminate.Policy Retrieval PointThe PRP is one of the components that support the PDP in its evaluation process. Its only purpose is to act as a persistence layer for XACML policies. It can therefore take many forms such as a database, a file, or a web service call to a remote repository.Policy Information PointXACML is a policy-based language which uses attributes to express rules & conditions. Attributes are bits of information about a subject, resource, action, or context describing an access control situation. Examples of attributes are a user id, a role, a resource URI, a document classification, the time of the day, etc… In its evaluation process, the PDP may need to retrieve additional attributes. It turns to PIPs where attributes are stored. Examples of PIPs include corporate user directories (LDAP…), databases, UDDIs… The PDP may for instance ask the PIP to look up the role of a given user.Policy Administration PointThe PAP’s purpose is to provide a management interface administrators can use to author policies and control their lifecycle.