In this presentation I introduce the basics of Attribute-based Access Control, XACML, and why it matters to developers. I also focus on the latest XACML TC profiles - the REST profile and the JSON profile that make integration easier and faster.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
Building a modern API architecture is a constant struggle between ease of development and security. JSON Web Tokens (JWTs) introduce a means of building authentication into JSON objects being transmitted through APIs.
In this session we’ll explore how JWTs work to build verifiable and trusted objects, allowing them to be combined with standards such as OAuth 2 for capturing access tokens, leading to a secure means of JavaScript SDK dev.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
Building a modern API architecture is a constant struggle between ease of development and security. JSON Web Tokens (JWTs) introduce a means of building authentication into JSON objects being transmitted through APIs.
In this session we’ll explore how JWTs work to build verifiable and trusted objects, allowing them to be combined with standards such as OAuth 2 for capturing access tokens, leading to a secure means of JavaScript SDK dev.
"Json Web Token with digital signature. Modern authentication or authorization. Cookies are bad. Avoid Man-in-the-middle-attack. No need to protect against CSRF. Stateless.
Replacing Your Shared Drive with Alfresco - Open Source ECMAlfresco Software
http://tinyurl.com/5ddd3t <--
View recorded webinar.
Learn how you can replace your shared drive with a enterprise-class content management system. With no client software.
Alfresco's Virtual File System interfaces provide CIFS (Common Internet File System), NFS (Network File System), WebDav (Web-based Distributed Authoring and Versioning) and FTP (File Transfer Protocol) access to your Alfresco content repositories making, Alfresco as easy to use as a shared drive. Open Source ECM.
www.alfresco.com
What is SAML , How does SAML Works , request and Response , Enterprise and Web SSO, Advantages and Disadvantages of SSO, What is SSO, Single Sign On, Security Assertion Mark-up language.
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
Authorization - it's not just about who you areDavid Brossard
Worried about who's getting access to your app? Sprinkle in XACML and get access control that is both context-aware, externalized and dynamic.
Need to add more than basic access control to your application? Existing authorization frameworks including their pros and cons, but are typically quite limited. This talk will introduce XACML, the eXtensible Access Control Markup Language, an authorization standard from OASIS that defines fine-grained access control based on attributes. The XACML standard enables much more dynamic authorization that not only focuses on the user but also on resources, actions, and the context. XACML enables policy-based and attribute-based access control.
The talk with then look at how XACML can be used to apply authorization business rules to any Java application and even beyond (.NET, Ruby...). This is known as “any-breadth authorization”. XACML also enables consistent authorization across multiple layers (presentation tier; web tier; business tier; and data tier). It becomes possible to apply the same authorization logic in a JSF page as in a jdbc connection. This is also known as “any-depth authorization”
During the talk, we will look at live examples of applications using XACML. For instance, we will demonstrate the use of XACML and Java servlets, JAX-WS web services, and APIs as a whole. Attendees will also be able to write their own XACML policies, provided they download the ALFA plugin for Eclipse, an add-on for XACML policy authoring.
In January 2013, XACML 3.0 was approved as a formal standard and there are several implementations available (open-source, free, and commercial) for developers to get started. The talk will illustrate how developers can leverage XACML to quickly apply authorization to new and existing applications. After this session, you will easily be able to add standards-based authorization to your application - and simplify your life!
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?David Brossard
In this presentation, I cover the history of access control, from simpler models e.g. access control lists (ACL) to Role Based Access Control (RBAC) and eventually Attribute Based Access Control (ABAC). I then discuss limitations of RBAC and how ABAC provides a better alternative using attributes and policies.
Why lasagna is better than spaghetti: baking authorization into your applicat...David Brossard
Next-generation access control is undergoing a bit of an identity crisis. Some call it eXternalized Authorization Management, others Dynamic Access Control and still others just refer to it as Attribute Based Access Control (ABAC). Until now, XACML and ABAC have been the two pillars supporting next-gen AuthZ. Gartner predicts that 70% of enterprises will adopt ABAC by 2020.
With ALFA, REST, and JSON, even the most complex authorization scenarios become extremely simple to implement. It's haute cuisine made simple. In this session, we will go hands-on with examples, live demos, coding, and delicious samples.
"Json Web Token with digital signature. Modern authentication or authorization. Cookies are bad. Avoid Man-in-the-middle-attack. No need to protect against CSRF. Stateless.
Replacing Your Shared Drive with Alfresco - Open Source ECMAlfresco Software
http://tinyurl.com/5ddd3t <--
View recorded webinar.
Learn how you can replace your shared drive with a enterprise-class content management system. With no client software.
Alfresco's Virtual File System interfaces provide CIFS (Common Internet File System), NFS (Network File System), WebDav (Web-based Distributed Authoring and Versioning) and FTP (File Transfer Protocol) access to your Alfresco content repositories making, Alfresco as easy to use as a shared drive. Open Source ECM.
www.alfresco.com
What is SAML , How does SAML Works , request and Response , Enterprise and Web SSO, Advantages and Disadvantages of SSO, What is SSO, Single Sign On, Security Assertion Mark-up language.
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
Authorization - it's not just about who you areDavid Brossard
Worried about who's getting access to your app? Sprinkle in XACML and get access control that is both context-aware, externalized and dynamic.
Need to add more than basic access control to your application? Existing authorization frameworks including their pros and cons, but are typically quite limited. This talk will introduce XACML, the eXtensible Access Control Markup Language, an authorization standard from OASIS that defines fine-grained access control based on attributes. The XACML standard enables much more dynamic authorization that not only focuses on the user but also on resources, actions, and the context. XACML enables policy-based and attribute-based access control.
The talk with then look at how XACML can be used to apply authorization business rules to any Java application and even beyond (.NET, Ruby...). This is known as “any-breadth authorization”. XACML also enables consistent authorization across multiple layers (presentation tier; web tier; business tier; and data tier). It becomes possible to apply the same authorization logic in a JSF page as in a jdbc connection. This is also known as “any-depth authorization”
During the talk, we will look at live examples of applications using XACML. For instance, we will demonstrate the use of XACML and Java servlets, JAX-WS web services, and APIs as a whole. Attendees will also be able to write their own XACML policies, provided they download the ALFA plugin for Eclipse, an add-on for XACML policy authoring.
In January 2013, XACML 3.0 was approved as a formal standard and there are several implementations available (open-source, free, and commercial) for developers to get started. The talk will illustrate how developers can leverage XACML to quickly apply authorization to new and existing applications. After this session, you will easily be able to add standards-based authorization to your application - and simplify your life!
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?David Brossard
In this presentation, I cover the history of access control, from simpler models e.g. access control lists (ACL) to Role Based Access Control (RBAC) and eventually Attribute Based Access Control (ABAC). I then discuss limitations of RBAC and how ABAC provides a better alternative using attributes and policies.
Why lasagna is better than spaghetti: baking authorization into your applicat...David Brossard
Next-generation access control is undergoing a bit of an identity crisis. Some call it eXternalized Authorization Management, others Dynamic Access Control and still others just refer to it as Attribute Based Access Control (ABAC). Until now, XACML and ABAC have been the two pillars supporting next-gen AuthZ. Gartner predicts that 70% of enterprises will adopt ABAC by 2020.
With ALFA, REST, and JSON, even the most complex authorization scenarios become extremely simple to implement. It's haute cuisine made simple. In this session, we will go hands-on with examples, live demos, coding, and delicious samples.
RBAC & ABAC: гибридное решение для управления правами доступаCUSTIS
Выступление Вячеслава Муравлева, нашего ведущего разработчика, на международной выставке InfoSecurity Russia (20 сентября 2016 года, Москва).
Видеозапись выступления:
https://vimeo.com/183804752
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...David Brossard
Join a host of industry experts for this pre-conference roundtable, to hear the latest on what is being done to protect identity and ensure privacy within the cloud. This three-part interactive roundtable will open-up the dialogue on this topic, so come prepared to share information, insights and ideas.
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...David Brossard
In this panel hosted by Ian Glazer, my colleague Gerry Gebel introduces the audience to XACML and its latest developments including REST, JSON, and more developer-friendly initiatives.
Top Ten Reasons Why Developers Don't Adopt ABACForgeRock
Gerry Gebel, President of Axiomatics Americas at Axiomatics discusses the top reasons why developers don't adopt ABAC in a Breakout Session at the 2014 IRM Summit in Phoenix, Arizona.
IDM and Automated Security Entitlement SystemsSRI Infotech
A demonstration of SRI Infotech’s unique, first-in-class in-house automated security entitlement system, combining identity management with automated data source connectors.
Kamil Kozieł, Kamil Stawiarski / IT School | ORA-600
Oracle hacking session czyli o jedno uprawnienie za daleko.
Prezentacja z konferencji infoShare 2013 w Gdańsku.
Presented at infoShare 2013 conference in Gdańsk, Poland.
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignDavid Brossard
In this presentation delivered at the European Identity Conference, David looks at externalized authorization, attribute-based access control (ABAC) and XACML and how it can help implement privacy regulations.
This is not my creation, I loved it & wanted to share with my friends here.
The owner\'s link is there at the end of it & I appreciate his work. veyy much.
Real-Time Distributed and Reactive Systems with Apache Kafka and Apache AccumuloJoe Stein
In this talk we will walk through how Apache Kafka and Apache Accumulo can be used together to orchestrate a de-coupled, real-time distributed and reactive request/response system at massive scale. Multiple data pipelines can perform complex operations for each message in parallel at high volumes with low latencies. The final result will be inline with the initiating call. The architecture gains are immense. They allow for the requesting system to receive a response without the need for direct integration with the data pipeline(s) that messages must go through. By utilizing Apache Kafka and Apache Accumulo, these gains sustain at scale and allow for complex operations of different messages to be applied to each response in real-time.
Real time Analytics with Apache Kafka and Apache SparkRahul Jain
A presentation cum workshop on Real time Analytics with Apache Kafka and Apache Spark. Apache Kafka is a distributed publish-subscribe messaging while other side Spark Streaming brings Spark's language-integrated API to stream processing, allows to write streaming applications very quickly and easily. It supports both Java and Scala. In this workshop we are going to explore Apache Kafka, Zookeeper and Spark with a Web click streaming example using Spark Streaming. A clickstream is the recording of the parts of the screen a computer user clicks on while web browsing.
CIS13: Externalized Authorization from the Developer’s PerspectiveCloudIDSummit
David Brossard, Product Manager, Axiomatics
Application development trends often collide with security best practices, leaving enterprises with a patchwork mix of authorization schemes that are difficult and expensive to operate, modify and certify for compliance. This session will explore the latest trends in authorization and describe standards-based mechanisms to protect APIs, web services, data resources and more. Included in the discussion will be the interaction between XACML, OAuth, REST and JSON.
These are the presentation slides from the Axiomatics webinar on June 13. A recording of the webinar with audio can be viewed at www.axiomatics.com/videos-and-webinars
RightScale Roadtrip - Accelerate to CloudRightScale
The Accelerate to Cloud keynote will help you understand the current state of cloud adoption, identify the business value for your organization, and provide you a framework to plot your course to cloud adoption.
Building Cloud-Native App Series - Part 5 of 11
Microservices Architecture Series
Microservices Architecture,
Monolith Migration Patterns
- Strangler Fig
- Change Data Capture
- Split Table
Infrastructure Design Patterns
- API Gateway
- Service Discovery
- Load Balancer
NoSQL matters in Catchoom Recognition ServiceCatchoom
David Arcos from Catchoom presented at NoSQLMatters Barcelona (6 Oct 2012) how Catchoom Recognition Service (a SaaS platform for visual recognition) was implemented using Redis and other deployment tools. David argues about the necessity of NoSQL for critical components of the service.
Running microservice environments is no free lunchAlois Mayr
Since the beginning of the hype around containers and microservices, several organizations have actually transformed their IT to support both legacy and new applications in a more modern environment, moving away from physical data centers toward public, private, or hybrid clouds, using new technologies that pop up every day. While certain things have gotten easier, you still need to do your homework when it comes to proper application architecture, scalability, orchestration, performance, and monitoring.
In this presentation we cover the dark side of microservices so you don’t have to learn it the hard way.
Ever wished you had a list of cheat codes to unleash the full power of AWS Lambda for your production workload? Come learn how to build a robust, scalable, and highly available serverless application using AWS Lambda. In this session, we discuss hacks and tricks for maximizing your AWS Lambda performance, such as leveraging customer reuse, using the 500 MB scratch space and local cache, creating custom metrics for managing operations, aligning upstream and downstream services to scale along with Lambda, and many other workarounds and optimizations across your entire function lifecycle.
You also learn how Hearst converted its real-time clickstream analytics data pipeline from a server-based model to a serverless one. The infrastructure of the data pipeline relied on Amazon EC2 instances and cron jobs to shepherd data through the process. In 2016, Hearst converted its data pipeline architecture to a serverless process that relies on event triggers and the power of AWS Lambda. By moving from a time-based process to a trigger-based process, Hearst improved its pipeline latency times by 50%.
LinuxCon North America 2013: Why Lease When You Can Buy Your CloudMark Hinkle
Perhaps one of the perplexing things about cloud computing is the choice around renting time in someone else’s cloud (Amazon, Google, Rackspace or a myriad of others) or building your own. It’s not unlike the age-old car buyer’s dilemma, take the lower payments and lower total miles lease or buy the car and drive it for the long haul. Cloud computing users are often faced with the same conundrum. This presentation will focus on how to buy and build a cloud that can be fulfill the needs of most users including strategies for making use of the open source private cloud or managing workloads in both the private and public cloud using open source software.
The Accelerate to Cloud Dallas keynote will help you understand the current state of cloud adoption, identify the business value for your organization, and provide you a framework to plot your course to cloud adoption.
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...CA Technologies
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Solutions (Formerly Automic) and CA Privileged Access Manager
For more information on DevSecOps, please visit: http://ow.ly/u2pN50g63tN
Policy enabling your services - using elastic dynamic authorization to contro...David Brossard
APIs have become the backbone of many services nowadays - from the weather forecast to delivery notifications and photo printing services. Not only can we consume data and services more readily through those APIs but we can also mash them up into greater services. To do so, we tackled API security through OAuth and OpenID Connect. They form a good basis to handle authentication and basic authorization delegation, but there is so much more to consider from an authorization perspective. This session will discuss how security concerns can be addressed through policy-driven authorization in a way that meets the needs and expectations of application developers, owners, and auditors alike. We will show how complex access policies can be handled through a dedicated authorization microservice. With this approach, you can automate security deployment changes within the same CI/CD pipelines used for application management. Furthermore, new deployment configurations are possible, such as implementing the authorization service as a sidecar, to meet advanced performance and scale requirements. All this without changing a single line of code.
5 Factors When Selecting a High Performance, Low Latency DatabaseScyllaDB
There are hundreds of possible databases you can choose from today. Yet if you draw up a short list of critical criteria related to performance and scalability for your use case, the field of choices narrows and your evaluation decision becomes much easier.
In this session, we’ll explore 5 essential factors to consider when selecting a high performance low latency database, including options, opportunities, and tradeoffs related to software architecture, hardware utilization, interoperability, RASP, and Deployment.
Gerhard Pretorius, Cloud Architect, Rackspace Asia presented at the Accion Cloud in Practice event in Singapore, where he described how enterprises can benefit from adopting the cloud, and what they need to consider while doing so
OpenID AuthZEN Interop Read Out - AuthorizationDavid Brossard
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API
Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authori...David Brossard
Authorization is becoming more important than ever as the growth in data, services, apps, and users shows no sign of slowing down. Making sure the right individuals have access to the right data under the right circumstances is paramount. In this presentation, I will discuss the different approaches to dynamic, runtime authorization.
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...David Brossard
In this presentation, Mark Berg, my colleague at Axiomatics, presented the latest on the Abbreviated Language for Authorization (ALFA), OASIS’s standard for fine-grained authorization. You can read more at https://alfa.guide.
ALFA is a fine-grained authorization language that allows to implement any number of authorization models from RBAC to ReBAC and ABAC. It is dynamic, fully declarative, and conforms to the NIST ABAC standard.
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...David Brossard
During Nordic APIs 2024, I discussed the different authorization approaches to securing APIs. Much like authentication (via OAuth and other) is externalized from the API, so should authorization. There are different options ranging from ABAC (attribute-based access control) to ReBAC (relationship-based access control).
This presentation talks about the OWASP challenges developers are faced with and how externalized authorization can help address them in a clean and efficient way. We also look into an example of fine-grained authorization using ALFA, the Abbreviated Language For Authorization.
The Holy Grail of IAM: Getting to Grips with AuthorizationDavid Brossard
Tackling authorization in your apps and APIs shouldn't be hard. Learn how to decouple your app code from your authorization code, externalize to an authorization framework, leverage a policy language e.g. ALFA, and enable secure access to your APIs. In this presentation we compare and contrast different authorization approaches such as ABAC, ReBAC, Zanzibar, and more.
An overview of the ALFA Abbreviated Language for Authorization and how it accepts authorization requests and produces authorization decisions that are returned to a client.
As of October 2023, the OpenID Foundation has launched a new working group to tackle challenges around externalized authorization. The group brings together vendors, customers, and R&D partners to drive the design and adoption of authorization patterns.
The purpose of the AuthZEN WG is to provide standard mechanisms, protocols and formats to communicate authorization related information between components within one organization or across organizations, which may have been developed or sourced from different entities.
The chairs can be reached at openid-specs-authzen@lists.openid.net
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...David Brossard
In this 20-minute presentation, David of the OASIS XACML TC and Axiomatics will show how XACML can be used to address fine-grained authorization, attribute-based access control, and policy-based access control using the REST, JSON, and ALFA profiles of XACML making authorization easy to create and consume.
This presentation was initially delivered at Oxford University in 2019.
To the cloud and beyond: delivering policy-driven authorization for cloud app...David Brossard
In this presentation delivered at the European Identity Conference, I discuss how externalized dynamic authorization management based on attributes and policies (ABAC and PBAC) have evolved to cater to securing cloud capabilities such as S3, Databricks, and so on.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Developer
1. XACML for Developers
Updates, New Tools, & Patterns for
the Eager #IAM Developer
#CISNapa - @davidjbrossard - @axiomatics 1
2. eXtensible Access Control Markup Language
2
What is XACML?
Not guacamole
De facto standard
Defined at OASIS
#CISNapa - @davidjbrossard - @axiomatics
3. One of the several standards in the #IAM family
XACML in the IAM spectrum
SAML
SPML
LDAP
RBAC
ABAC…
SCIM
OpenID
Oauth
WS-*
#CISNapa - @davidjbrossard - @axiomatics 3
4. In a web 3.0 world where
it’s about small apps
and your data…
Why XACML?
it’s time to get leaks
under control
#CISNapa - @davidjbrossard - @axiomatics 4
7. Authorization should really be about…
When?What? How?Where?Who? Why?
7#CISNapa - @davidjbrossard - @axiomatics
8. A car retail company has a web application that
users can access to create, view, and approve
purchase orders, in accordance with policy rules
8
Example Scenario: Managing Purchase Orders
#CISNapa - @davidjbrossard - @axiomatics
9. Attributes
Resource
attributes
Resource type
PO amount
PO location
PO creator
PO Status
Subject
attributes
Identity
Department
Location
Approval limit
Role
Action
attributes
Action type
Environment
attributes
Device type
IP address
Time of day
Profile designed by Sven Gabriel from The Noun Project
Invisible designed by Andrew Cameron from The Noun Project
Wrench designed by John O’Shea from The Noun Project
Clock designed by Brandon Hopkins from The Noun Project
PO Id
#CISNapa - @davidjbrossard - @axiomatics 9
10. A simple rule
Anyone in the purchasing department
can create purchase orders
#CISNapa - @davidjbrossard - @axiomatics 10
11. A manager in the purchasing department can
approve purchase orders
up to their approval limit
if and only if the PO location and the
manager location are the same
if and only if the manager is not the PO creator
11
A richer rule
#CISNapa - @davidjbrossard - @axiomatics
13. 13
What does XACML contain?
XACML
Reference
Architecture
Policy
Language
Request /
Response
Protocol
#CISNapa - @davidjbrossard - @axiomatics
14. XACML Architecture & Flow
14
Decide
Policy Decision Point
Manage
Policy Administration Point
Support
Policy Information Point
Policy Retrieval Point
Enforce
Policy Enforcement Point
#CISNapa - @davidjbrossard - @axiomatics
Access
Document #123
Access
Document #123
Can Alice access
Document #123?
Yes, Permit
Load XACML
policies
Retrieve user
role, clearance
and document
classification
15. 15
What does XACML contain?
XACML
Reference
Architecture
Policy
Language
Request /
Response
Protocol
#CISNapa - @davidjbrossard - @axiomatics
16. 3 structural elements
PolicySet
Policy
Rule
Root: either of PolicySet or Policy
PolicySets contain any number of PolicySets &
Policies
Policies contain Rules
Rules contain an Effect: Permit / Deny
Combining Algorithms
16
Language Elements of XACML
#CISNapa - @davidjbrossard - @axiomatics
18. 18
Language Structure: Russian dolls
PolicySet, Policy & Rule
can contain
Targets
Obligations
Advice
Rules can contain
Conditions
Policy Set
Policy
Rule
Effect=Permit
Target
Target
Target
Obligation
Obligation
Obligation
Condition
#CISNapa - @davidjbrossard - @axiomatics
19. 19
What does XACML contain?
XACML
Reference
Architecture
Policy
Language
Request /
Response
Protocol
#CISNapa - @davidjbrossard - @axiomatics
20. • Subject
User id = Alice
Role = Manager
• Action
Action id = approve
• Resource
Resource type = Purchase Order
PO #= 12367
• Environment
Device Type = Laptop
20
Structure of a XACML Request / Response
XACML Request XACML Response
Can Manager Alice approve
Purchase Order 12367?
Yes, she can
• Result
Decision: Permit
Status: ok
The core XACML specification does not
define any specific transport /
communication protocol:
-Developers can choose their own.
-The SAML profile defines a binding to send
requests/responses over SAML assertions
#CISNapa - @davidjbrossard - @axiomatics
21. So what’s in it for the
developer?
#CISNapa - @davidjbrossard - @axiomatics 21
22. #1 A single authorization model & framework
#CISNapa - @davidjbrossard - @axiomatics 22
24. #1.b and across different technology stacks
Java
C
Objective-C
C++
C#
PHP
Python
(Visual) Basic
Perl
Ruby
JavaScript
Visual Basic .NET
Lisp
Pascal
Delphi/Object Pascal
Share of programming languages (Feb 2013)
#CISNapa - @davidjbrossard - @axiomatics 24
25. #2 A rich language to express many scenarios
ACLs
RBAC
Whitelists
Segregation-of-Duty
Relation-based
Trust Elevation
Device-based
Break the glass
Privacy protection
ABAC
Rich business flows
Data redaction
#CISNapa - @davidjbrossard - @axiomatics 25
26. The REST profile of XACML
OASIS XACML profile
Designed by Remon Sinnema of EMC2
#3 Developer-friendly APIs
XML over HTTP
XML over HTTP
#CISNapa - @davidjbrossard - @axiomatics 26
JSON over HTTP
JSON over HTTP
27. #3. Developer-friendly APIs (cont’d)
Drop the…
Use curl, Perl, and Python with the REST API
curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp
#CISNapa - @davidjbrossard - @axiomatics 27
28. Use the JSON profile of XACML
Idea
Remove the verbose aspects of XACML
Focus on the key points
Make a request easy to read
#4 Simplified request/response
#CISNapa - @davidjbrossard - @axiomatics 28
31. #4 JSON & XML Side-by-side comparison
0
10
20
30
40
50
Word count
XML
JSON
0
200
400
600
800
1000
1200
1400
Char. Count
XML
JSON
#CISNapa - @davidjbrossard - @axiomatics 31
Size of a XACML request
32. Natural language authoring
Axiomatics Language for Authorization (ALFA)
Research initiative from TSSG
And many more coming…
#5 Easy authoring tools
#CISNapa - @davidjbrossard - @axiomatics 32
33. Provide the right tools for
Easy Authoring
Of XACML policies
#5 Axiomatics Language For AuthZ (cont’d)
Plugs into Eclipse IDE
High-level syntax
Auto-complete
Automatic Translation to XACML 3.0
#CISNapa - @davidjbrossard - @axiomatics 33
35. One consistent authorization model
Many different applications
Decide once, enforce everywhere
Benefits of using XACML #1
#CISNapa - @davidjbrossard - @axiomatics 35
36. Adios endless if, else statements
Hello simple if(authorized())
Benefits of using XACML #2
#CISNapa - @davidjbrossard - @axiomatics 36
0
5000
10000
15000
20000
25000
30000
10 20 30 40 50 60 70 80 90 100 110 120 130 140 150 160 170
Developer Happiness Increase
Number of if / else
statements terminated
Developer
Happiness
Index
37. Security potholes are a thing of the past
XACML is the concrete that fills in the cracks in
your authorization wall
Benefits of using XACML #3
#CISNapa - @davidjbrossard - @axiomatics 37
38. Let developers do what they know best
Offload auditing, info security to security
architects & auditors by externalizing
authorization
#CISNapa - @davidjbrossard - @axiomatics 38
Benefits of using XACML #4
Happy developer
Happy auditor
39. #CISNapa - @davidjbrossard - @axiomatics 39
Next steps?
Download XACML SDK
Download ALFA plugin
Download Eclipse
Code in your favorite language
PronunciationOASIS standardV 3.0 approved in January 2013V 1.0 approved in 2003 (10 years ago!)XACML is expressed asA specification document andAn XML schemahttp://www.oasis-open.org/committees/xacml/
Once upon a time, access control was about who you were. What mattered was your identity or perhaps your role or group.But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why…Credits:Invisible: Andrew Cameron, from The Noun ProjectBox: Martin Karachorov, Wrench: John O'Sheaclock: Brandon Hopkins
Context attributesdevice typeIPtime of the dayAction attributesAction id: create, approve, view
Policy Enforcement PointIn the XACML architecture, the PEP is the component in charge of intercepting business messages and protecting targeted resources by requesting an access control decision from a policy decision point and enforcing that decision. PEPs can embrace many different form factors depending on the type of resource being protected.Policy Decision PointThe PDP sits at the very core of the XACML architecture. It implements the XACML standard and evaluation logic. Its purpose is to evaluate access control requests coming in from the PEP against the XACML policies read from the PRP. The PDP then returns a decision – either of Permit, Deny, Not Applicable, or Indeterminate.Policy Retrieval PointThe PRP is one of the components that support the PDP in its evaluation process. Its only purpose is to act as a persistence layer for XACML policies. It can therefore take many forms such as a database, a file, or a web service call to a remote repository.Policy Information PointXACML is a policy-based language which uses attributes to express rules & conditions. Attributes are bits of information about a subject, resource, action, or context describing an access control situation. Examples of attributes are a user id, a role, a resource URI, a document classification, the time of the day, etc… In its evaluation process, the PDP may need to retrieve additional attributes. It turns to PIPs where attributes are stored. Examples of PIPs include corporate user directories (LDAP…), databases, UDDIs… The PDP may for instance ask the PIP to look up the role of a given user.Policy Administration PointThe PAP’s purpose is to provide a management interface administrators can use to author policies and control their lifecycle.
Need to clarify the location constrain. Permit is assuming that Alice location == 12367 location