Next Generation Access Control
Urban Söderström
© Axiomatics 2016 2
Access Control is as easy as in the Middle Ages
Only 2 options:
•  Store data safely & control access
•  Make data unusable
But internal and external requirements make the picture much more complex, and the outside world where data is used has changed. How?
•  Collaboration
•  Regulatory compliance and governance
•  New business and mobile-driven interactions
•  Time-to-market
1) Diligent 24 x 7 cyber crime professionals around
•  Ransomware for bitcoins
•  Advanced Persistent Threats
•  Spear phishing
•  National surveillance breaches
Night and day they work on their Continuing Professional Education.
2) The population of computer users has changed
Expert engineers, but also:
•  Your grandma
•  Your toddler
•  Your malware
•  Your fridge
•  ………
Everyone is a user, with a digital identity.
3) Identity ontology for every individual
My ID as a….
•  Customer
•  Supplier
•  Partner
•  Private user
•  Administrator
•  Anonymous user
•  Machine
•  Fraudster, mule
Identity federation:
•  E-ID
•  E-Citizenship
•  Mobil-ID
•  Bank-ID
•  …….
4) Rapidly evolving usability requirements – the “seven any”
•  Anyone
•  Any time
•  Anywhere
•  Any device
•  Any network
•  Any app
•  Across any value chain
Easy and fast.
5) The purpose of data use has changed
•  Internet of Things
•  E-Municipality
•  E-Government
•  Smart cities
•  Mobility
•  Environment
•  Commodities
•  Medical
•  Safety
•  Living
•  Drone delivery
•  Robot distribution
•  Physical surveillance
6) Globalisation & data correlation
Connectivity across:
•  Datasets
•  Applications
•  “Things”
•  Value chains
•  Companies
•  Continents
•  Jurisdictions
•  Platforms
•  Devices
•  Clouds
•  APIs
Interoperability
7) Big data analytics
•  Visual data discovery
•  Automated decision-making
•  70% of large organizations purchase external data; 100% by 2019 (Forbes)
•  180,000 data analysts in the US in 2018
•  E.g. fraud detection, well combined with physical security tools
This requires Access Management.
BaaS = Back-end of IoT as a service
8) Increased control, legislation & regulation
Data protection - GDPR
1)  Consistency across the European Union
    1)  One-stop-shop for citizens and business
2)  Scope: service providers outside Europe delivering EU services
3)  Right to be forgotten / right to erasure:
    1)  “Privacy by design” & “privacy by default”
    2)  Right to be forgotten also applicable to third parties
4)  Notification of breach mandatory
    1)  High fines
5)  Payment Services Directive II
    1)  Mandatory to share customers' profiles and data with 3rd parties
    2)  On request (with the customer's consent, and still adhering to the data protection regulation)
Responding to all trends with old school static IAM?
[Diagram: a transaction request is authorised against the entitlements for the ID over assets + data; authentication binds the identity + its properties using password, token, PIN, biometric, multifactor or behaviour]
“By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets” (Gartner, 2013)
NO! Dynamic and fine-grained IAM on the data level is required.
Application access = OUT; Services, Big data, Federation = IN
•  Access control on the application level falls short
•  RBAC is too static
•  Security is required on the level of datasets and data subjects
Data Centric Security
Attribute Based Access Control
Every single transaction request…
The only thing persistent is the request for a transaction (with all its relevant properties).
…deserves an individual VIP treatment
Access decision engine:
• real-time
• context-aware
• rule-based
• customised
• flexible
• fine-grained
access decisions
Modern Enterprises need to be policy-driven
⁃  Policies to protect assets / IP
⁃  Policies to prevent fraud
⁃  Policies to comply with external regulations
⁃  Policies to be more efficient
⁃  Policies to enable new business
⁃  CEOs, CIOs, CISOs, CDOs and other CXOs have responsibilities to define and implement these policies
⁃  Security and compliance are board-level issues: this requires key policies in place to protect the Enterprise’s interests and IP and to safeguard its investments
Attribute Based Access Control is the new dynamic model
⁃  Modern dynamic enterprises need modern dynamic authorization models to meet requirements for ease of change and centralization
⁃  Authorizations to…
    ⁃  Protect sensitive data
    ⁃  Protect critical assets
    ⁃  Protect critical transactions
Access Policies
Security everywhere
Centralized rules management, distributed rules enforcement across:
•  Data Layer
•  Service Layer
•  Process Layer
•  Presentation Layer
Fine-grained, context-aware access management - building blocks
•  User profile database
•  Identity federation trust level framework
•  Framework to manage the interaction of rule sets (e.g. conflicting rules, hierarchy, veto, ownership)
•  Rulesets in rule engines
Attribute Based Access Control
“Context Based”, or “Rule Based” Access Control:
• Fine-grained
• Additional authentication if required (“step-up”)
• Flexible – easy access where possible, complex when required
• Configuration of rules in IAM: short time-to-market (not programmed in applications)
• Risk level on the dataset or transaction
• Trust level on the authentication context
• Immediate intervention in case of compromise (trust level attribute)
• From RBAC to ABAC or hybrid (a role is also a rule!)
Attribute-Based Access Control
A context-aware and dynamic authorization model
Who? What? When? Where? Why? How?
GDPR or PSD-2 is an opportunity to start using ABAC
⁃  GDPR requires changes in your rule and policy governance
⁃  By using ABAC you don't have to rework your rule and policy governance in every application when changes are applied
⁃  You can include the Business in the process by using business processes when creating new policies
Compared to legacy RBAC models…
⁃  Permissions assigned to roles
⁃  Roles assigned to users
⁃  Applications handle access control intentionally
Using ABAC to extend role definitions
⁃  ABAC uses attributes and policies to implement precise controls
⁃  ABAC extends roles with
    ⁃  Context and
    ⁃  Relationships
⁃  ABAC utilizes attributes of the user as well as the resource to represent relationships
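As an added worked example (not Axiomatics product code, and not from the slides), a toy policy decision point in Python that puts the properties listed on the ABAC slides above into one combining algorithm: the risk level of the dataset is checked against the trust level of the authentication context and triggers a step-up, a compromised trust level vetoes everything, a relationship rule combines user and resource attributes, and a plain role is expressed as just another rule. The attribute names, the 0-3 trust and risk scales and the rules themselves are assumptions made for the example.

```python
# Toy ABAC policy decision point, added as an illustration (not Axiomatics code).
# Each request is decided from subject, resource, action and environment attributes.
from dataclasses import dataclass, field

PERMIT, DENY, STEP_UP = "Permit", "Deny", "StepUp"

@dataclass
class Request:
    subject: dict    # e.g. {"id": "u42", "roles": ["physician"], "trust_level": 2}
    resource: dict   # e.g. {"type": "record", "risk": 2, "care_team": ["u42"]}
    action: str
    env: dict = field(default_factory=dict)   # e.g. {"network": "external"}

def effective_trust(r: Request) -> int:
    # Trust level of the authentication context ("How?"), lowered by one
    # when the request arrives from an external network ("Where?").
    penalty = 1 if r.env.get("network") == "external" else 0
    return max(0, r.subject.get("trust_level", 0) - penalty)

def rule_compromised(r):
    # Veto: trust level 0 flags a compromised identity; nothing else matters.
    if r.subject.get("trust_level", 0) == 0:
        return DENY

def rule_step_up(r):
    # Risk level of the dataset exceeds the trust level: require step-up auth.
    if r.resource.get("risk", 0) > effective_trust(r):
        return STEP_UP

def rule_relationship(r):
    # Relationship rule: a physician may read records of patients they treat.
    if (r.action == "read" and "physician" in r.subject.get("roles", [])
            and r.subject["id"] in r.resource.get("care_team", [])):
        return PERMIT

def rule_role(r):
    # Plain role rule: classic RBAC expressed inside the same policy set.
    if (r.action == "read" and "auditor" in r.subject.get("roles", [])
            and r.resource.get("type") == "audit_log"):
        return PERMIT

RULES = [rule_compromised, rule_step_up, rule_relationship, rule_role]

def decide(r: Request) -> str:
    # Combining algorithm: deny-overrides, default deny, step-up before permit.
    outcomes = {rule(r) for rule in RULES} - {None}
    if DENY in outcomes or PERMIT not in outcomes:
        return DENY
    return STEP_UP if STEP_UP in outcomes else PERMIT
```

Because every rule reads attributes rather than application code, lowering a user's trust level or raising a dataset's risk level changes the outcome on the next request without touching any application.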
Axiomatics provides enterprise software for access control
Who we are…
About Axiomatics...
•  Offices in the USA and Sweden
•  Venture-backed since 2013
•  90% growth in 2015
Our Customers
⁃  Fortune 500
⁃  Government Agencies
⁃  Vertical market expertise
    ⁃  Financial services (banking, insurance)
    ⁃  Highly-regulated industries (pharmaceuticals, aerospace, automotive…)
    ⁃  Media companies
Success stories
⁃  Securing online payments for 200 million users
⁃  Securing exchange of clinical trial data in pharmaceutical research
⁃  Millions of transactions a day secured for one of the world’s largest banks
⁃  Protecting privacy for an insurance company’s clients
⁃  Compliance with Export Control regulations for aircraft manufacturers
⁃  Copyright-protected streaming media for authorized users only
⁃  Improving speed and quality of health IT systems for veterans nationwide
Axiomatics Solutions
⁃  Authorization for Applications
    ⁃  Business logic and middleware
    ⁃  APIs and web services
    ⁃  On-premise and cloud applications
⁃  Authorization for Databases
    ⁃  Relational databases
    ⁃  Big Data
⁃  Access Review on policies
    ⁃  Prove regulatory compliance and permissions of users or groups
    ⁃  Real-time review of dynamic authorization
    ⁃  Internal reporting and auditing needed at various levels of user
    ⁃  Review what your employees can do
Structuring the Policies
The Authorization Policy Lifecycle
Deploy the architecture – Defence in Depth
Questions?