
The day when role based access control disappears



We will discuss the Good, the Bad and the Ugly of Role Based Access Control. We will review access control in systems where multiple roles are fulfilled and compare MAC, DAC and RBAC.

We will present the "next generation" authorization model that provides dynamic, context-aware and risk-intelligent access control. We will discuss Identity Management, Data Discovery, AI, policy-based access control (PBAC), claims-based access control (CBAC) and key standards, including XACML and ALFA.

Published in: Technology

  1. The day when Role Based Access Control disappears. Ulf Mattsson
  2. Please submit your questions during our session!
  3. About the speaker:
     • Head of Innovation at TokenEx
     • Chief Technology Officer at Protegrity, Atlantic BT and Compliance Engineering
     • Developer at IBM Research and Development
     • Inventor of more than 70 issued/awarded US patents
     • Products and services: data encryption, tokenization and data discovery; robotics and applications in manufacturing; cloud application security brokers and web application firewalls; managed security services and security operation centers
     • Contributed to the development of PCI DSS and ANSI X9
     • Security and privacy benchmarking/gap analysis for the financial industry
  4. Role Based Access Control (RBAC). Source: 1992
  5. Role Based Access Control (RBAC) – Role Relationships. Source: 1992
  6. Role Based Access Control (RBAC) – Multi-Role Relationships. Source: 1992
  7. Examples of Role Based Access Control (RBAC): access control with separate responsibilities in a system where multiple roles are fulfilled
  8. Examples of Role Based Access Control (RBAC): access control with separate responsibilities in a system where multiple roles are fulfilled
  9. MAC, DAC, RBAC and ABAC. Source: Wikipedia
  10. MAC, DAC, and RBAC. Source: Wikipedia
     • DAC is the way to go to let people manage the content they own. DAC is very good for letting users of an online social network choose who accesses their data. It allows people to revoke or forward privileges easily and immediately.
     • RBAC is a form of access control which, as you said, is suitable to separate responsibilities in a system where multiple roles are fulfilled. This is obviously true in corporations (often along with compartmentalization, e.g. Brewer and Nash or MCS) but can also be used on a single-user operating system to implement the principle of least privilege. RBAC is designed for separation of duties by letting users select the roles they need for a specific task.
     • MAC in itself is vague; there are many ways to implement it for many systems. In practice, you'll often use a combination of different paradigms. For instance, a UNIX system mostly uses DAC, but the root account bypasses DAC privileges.
  11. Issues with Role-based access control (RBAC):
     1. RBAC employs pre-defined roles that carry a specific set of privileges.
     2. Lack of policies that express a complex Boolean rule set that can evaluate many different attributes.
     3. No "next generation" authorization model: no dynamic, context-aware and risk-intelligent access control to resources, and no access control policies that include specific attributes from many different information systems.
     4. Implementation may take 2 years and cost $10 million in a large organization.
  12. Why ABAC?
  13. What is Attribute Based Access Control (ABAC)? Source: IDMWORKS
     • ABAC is an effort to shift the paradigm of granting resource access to a specific user to granting access based on the value of a user's attributes. While user authentication is still required, access is no longer granted via a specific ACL. Instead, at the point of authentication a decision is made, based on the value of specific attributes, whether or not access should be granted.
     • This approach significantly decreases the administration required to maintain data security. It also ensures that data is available in real time to those who need it and are authorized to view/use it. Provisioning requests are no longer required in order to gain access to the data, since access is evaluated and granted in real time.
     • ABAC provides particular advantages when it is deployed in a federated environment. Access is determined by the agreement between the two entities (businesses, organizations, governments, etc…) and is then enforced by the Policy Enforcement Point (PEP) at the time of access. Each entity maintains autonomous control of its identities.
  14. Attribute-based access control (ABAC). Source: Wikipedia
     1. Defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together.
     2. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.).
     3. This model supports Boolean logic, in which rules contain "IF, THEN" statements about who is making the request, the resource, and the action.
     4. Unlike role-based access control (RBAC), which employs pre-defined roles that carry a specific set of privileges associated with them and to which subjects are assigned, the key difference with ABAC is the concept of policies that express a complex Boolean rule set that can evaluate many different attributes.
     5. ABAC is considered a "next generation" authorization model because it provides dynamic, context-aware and risk-intelligent access control to resources, allowing access control policies that include specific attributes from many different information systems to be defined to resolve an authorization and achieve efficient regulatory compliance, giving enterprises flexibility in their implementations based on their existing infrastructures.
     6. Attribute-based access control is sometimes referred to as policy-based access control (PBAC) or claims-based access control (CBAC).
  15. Security Flow – NIST Guide to ABAC System Definitions and Considerations. Source: NIST
  16. ABAC Trust Chain. Source: NIST
  17. ABAC System Definitions. Source: NIST
  18. Access Control Functional Points. Source: NIST
  19. Example of ABAC System Deployment Architecture – Example of ABAC System Security Flow. Source: BlueTalon
  20. Example of ABAC System Deployment Architecture. Source: BlueTalon
  21. XACML. Source: Wikipedia
  22. XACML (eXtensible Access Control Markup Language). Source: Wikipedia
     1. The standard defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.
     2. XACML is primarily an attribute-based access control system (ABAC), where attributes (bits of data) associated with a user, action or resource are the inputs to the access decision.
     3. Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.
     4. The XACML model supports and encourages the separation of the access decision from the point of use. When the client is decoupled from the access decision, authorization policies can be updated on the fly and affect all clients immediately.
     5. ALFA has three structural elements: as in XACML, a PolicySet can contain PolicySet and Policy elements; a Policy can contain Rule elements; a Rule contains a decision.
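The Boolean attribute rules of slide 14 and the PolicySet/Policy/Rule structure of slide 22, as an added Python example that is not part of the deck: a minimal XACML-style evaluator with deny-overrides combining, with RBAC expressed as a single role attribute rule and context rules (department, time of day) layered on top. Attribute names, departments and hours are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Request context: category -> {attribute name: value}, mirroring XACML's
# subject / resource / action / environment attribute categories.
Attrs = Dict[str, Dict[str, object]]

@dataclass
class Rule:
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Attrs], bool]    # Boolean rule over the attributes

@dataclass
class Policy:
    rules: List[Rule]
    algorithm: str = "deny-overrides"

@dataclass
class PolicySet:
    policies: List[Policy]
    algorithm: str = "deny-overrides"

def combine(decisions: List[str], algorithm: str) -> str:
    """Combine child decisions the way XACML combining algorithms do."""
    if algorithm == "deny-overrides":
        if "Deny" in decisions:
            return "Deny"
        return "Permit" if "Permit" in decisions else "NotApplicable"
    if algorithm == "permit-overrides":
        if "Permit" in decisions:
            return "Permit"
        return "Deny" if "Deny" in decisions else "NotApplicable"
    raise ValueError(f"unknown combining algorithm: {algorithm}")

def eval_policy(policy: Policy, req: Attrs) -> str:
    # A rule contributes its effect only when its condition holds.
    decisions = [r.effect for r in policy.rules if r.condition(req)]
    return combine(decisions, policy.algorithm)

def decide(pset: PolicySet, req: Attrs) -> str:
    """Policy Decision Point: evaluate the request against the whole PolicySet."""
    return combine([eval_policy(p, req) for p in pset.policies], pset.algorithm)

# RBAC as a specialization of ABAC: the role is just one subject attribute.
RBAC_RULE = Rule("Permit", lambda r: "doctor" in r["subject"]["roles"]
                 and r["action"]["id"] == "read")

# Context-aware rules that ABAC adds on top (constructed for this example):
# deny cross-department reads and deny access outside 08:00-18:00.
CONTEXT_RULES = [
    Rule("Deny", lambda r: r["subject"]["department"] != r["resource"]["department"]),
    Rule("Deny", lambda r: not (8 <= r["environment"]["hour"] < 18)),
]

HOSPITAL_POLICY = PolicySet([Policy([RBAC_RULE]), Policy(CONTEXT_RULES)])

def make_request(roles, dept, res_dept, action, hour) -> Attrs:
    """Build a constructed access request in the four attribute categories."""
    return {"subject": {"roles": roles, "department": dept},
            "resource": {"type": "patient-record", "department": res_dept},
            "action": {"id": action},
            "environment": {"hour": hour}}
```

A cardiology doctor reading a cardiology record at 10:00 gets Permit; the same doctor reading an oncology record, or reading at 22:00, gets Deny because the context policy's Deny overrides the role rule's Permit.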
  23. RBAC / ABAC Hybrid. Source: EMPOWERID
  24. XACML Flow. Source: NIST
  25. Data Discovery. Source: Wikipedia
  26. Source: BigID
  27. Source: BigID
  28. Source: BigID
  29. Source: BigID
  30. AI & ML
  31. Discovery, Mapping, Analysis and Risk Mitigation – Article 30, Records of processing activities, EU General Data Protection Regulation (EU-GDPR). Source: BigID
  32. Automate Consent Tracking and Data Governance. Source: BigID and Groundlabs
     1. Advanced ML PII & PI discovery & access intelligence for security & privacy. Petabyte scale. ML driven. Structured & unstructured. Data subject rights.
     2. Artificial Intelligence (AI) is prevalent in everything from autocorrect to music recommendations, from Frankenstein's monster to replicants and paranoid robots.
     3. Formalized in the 1950s, AI has moved past speculative fiction and is an inescapable part of our everyday lives.
     4. The past few years have seen a significant rise in software projects that use Artificial Intelligence and Machine Learning.
     5. Although often used interchangeably, Artificial Intelligence (AI) and Machine Learning (ML) are not the same.
     6. Think of AI as intelligence, and ML as knowledge.
  35. Artificial Intelligence
     • At the core of most, if not all, advanced artificial intelligence or machine learning systems are optimization problems.
     • Machine learning is an incredibly iterative process, and utilizes huge data sets to learn and evolve to figure out improved approaches to the problem at hand.
     • Novel quantum algorithms could dramatically accelerate the underlying processing required for machine learning. The strange, nearly metaphysical nature that governs how qubits operate in quantum computing not only holds the key for better and faster artificial intelligence, but may also be the secret to true artificial intelligence.
  36. The Difference Between Artificial Intelligence and Machine Learning. Source: BigID and Groundlabs
     • Artificial Intelligence describes the ability of machines to perform tasks that are typically associated with human activity and intelligence: reasoning, learning, natural language processing, perception, etc. Any "smart" activity performed by a machine falls under AI.
     • Artificial Intelligence is the capability of a machine to imitate intelligent human behavior.
     • Machine Learning is a subset of AI.
     • ML is a set of algorithms that are built to achieve AI: those algorithms require the ability to learn from data, modify themselves when exposed to more data, and are able to achieve a goal without being explicitly programmed.
  40. EU GDPR Fines
     • When French regulators cited Europe's fledgling General Data Protection Act (GDPR) in fining Google $57 million earlier this year for playing fast and loose with consumer data in personalizing ads, experts called what was then the biggest fine issued under the new law the "tip of the iceberg."
     • The U.K.'s Information Commissioner's Office (ICO) on July 8 cited GDPR in announcing it would seek a $230 million fine against British Airways (equal to 1.5 percent of the company's annual revenue) for a September 2018 breach in which attackers accessed the protected data of nearly 500,000 customers through the airline's website and mobile applications. The ICO alleged that ineffective security practices were to blame.
     • ICO added Marriott to the list, saying it intends to seek nearly $124 million from Marriott (or 3 percent of its annual revenue) for a breach that saw hackers maintain access to the Starwood guest reservation database between 2014 and 2018, compromising 383 million customer records.
  41. GDPR and California Consumer Privacy Act (CCPA)
  42. GDPR and California Consumer Privacy Act (CCPA)
  43. PII Inventory. Source: BigID (TokenEx partner)
     • Locating sensitive PII is essential to protecting it.
     • However, data maps alone can't provide a complete protection or privacy picture.
     • New privacy protection regulations mandate an individual's right to access their own data, the right to be forgotten, the right to port their data and the right to be notified of a breach.
  44. Term clusters in criminal forum and marketplace posts. Source: Verizon 2019 DBIR (Data Breach Investigations Report)
  45. Pseudonymisation Under the GDPR – What is Personal Data according to EU GDPR?
     • Within the text of the GDPR, there are multiple references to pseudonymisation as an appropriate mechanism for protecting personal data. Pseudonymisation (replacing identifying or sensitive data with pseudonyms) is synonymous with tokenization (replacing identifying or sensitive data with tokens).
     • Article 4 – Definitions: (1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); …such as a name, an identification number, location data, an online identifier…
     • (5) 'pseudonymisation' means the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately…
  46. EU GDPR Security Requirements – Discovery, Encryption and Tokenization: Discover Data Assets, Security by Design, Encryption and Tokenization. Source: IBM
  47. Tokenization for Cross Border Data-centric Security (EU GDPR): data sources feeding a data warehouse in Italy, with complete policy-enforced de-identification of sensitive data across all bank entities
     • Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers
     • Compliance with EU cross-border data protection laws
     • Utilizing data tokenization, and centralized policy, key management, auditing, and reporting
  48. How Should I Secure Different Types of Data? Data covered: PCI (Card Holder Data), PHI (Protected Health Information), PII (Personally Identifiable Information)
     • Structured data, simple use case: tokenization of fields
     • Un-structured data, complex use case: encryption of files
  49. Application of Data Security and Privacy techniques on-premises, in public, and in private clouds. Privacy-enhancing data de-identification terminology and classification of techniques: Tokenization (T), Cryptographic tools (CT), Formal privacy measurement models (PMM), De-identification techniques (DT)
     • Vault-based tokenization (VBT): suitable for cloud deployment and centralized token generation. CPU impact and latency are typically similar to a database lookup query transaction.
     • Vault-less tokenization (VLT): suitable for on-premises deployment and distributed token generation, and for high-performance requirements, including transaction switches and data warehouse databases. CPU impact is typically similar to AES encryption.
     • Format Preserving Encryption (FPE): suitable for any deployment model. CPU impact is typically 10 times more than AES encryption.
     • Homomorphic Encryption (HE): suitable for public cloud based computation where operations on encrypted data values are required. CPU impact for asymmetric crypto operations can be significant compared to AES and other symmetric crypto algorithms.
     • Masking: since masking is a one-way process, not reversible, it may be less suitable in operational transaction systems.
     • Differential Privacy (DP), server model: suitable for cloud deployment models. CPU impact for cleaning the database is similar to a database scan with change transactions.
     • Differential Privacy (DP), local model: suitable for the client side of any deployment model. CPU impact for cleaning the database is similar to a database scan with change transactions.
     • K-anonymity model
     • L-diversity: suitable for privacy for any deployment model. CPU impact for cleaning the database is similar to a database scan with change transactions.
     • T-closeness: suitable for privacy in any deployment model. CPU impact for cleaning the database is similar to a database scan with change transactions.
  50. Data Security and Privacy Standard. Source: INTERNATIONAL STANDARD ISO/IEC 20889
     • Cryptographic tools (CT): Format Preserving Encryption (FPE) – encrypted data has the same format; Homomorphic Encryption (HE) – two values encrypted can be combined*
     • De-identification techniques (DT)
     • Formal privacy measurement models (PMM): K-anonymity model – ensures that for each identifier there is a corresponding equivalence class containing at least K records; Differential Privacy (DP) – server model and local model, where responses to queries are only able to be obtained through a software component or "middleware", known as the "curator**"
     • The entity receiving the data is looking to reduce risk
     • *: Multi Party Computation (MPC). **: Example Apple and Google
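The K-anonymity definition on slide 50 (every equivalence class holds at least K records) together with the L-diversity entry on slide 49, as an added Python example that is not part of the deck: it groups a constructed, already-generalized table by its quasi-identifiers and reports both measures, which shows why a class that is k-anonymous but carries a single diagnosis still leaks. Column names and records are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample table: quasi-identifiers already generalized
# (age bucket, ZIP prefix); "diagnosis" is the sensitive attribute.
RECORDS: List[Record] = [
    {"age": "30-39", "zip": "021**", "diagnosis": "flu"},
    {"age": "30-39", "zip": "021**", "diagnosis": "asthma"},
    {"age": "30-39", "zip": "021**", "diagnosis": "flu"},
    {"age": "40-49", "zip": "022**", "diagnosis": "cancer"},
    {"age": "40-49", "zip": "022**", "diagnosis": "cancer"},
    {"age": "50-59", "zip": "023**", "diagnosis": "flu"},
]
QUASI_IDS = ("age", "zip")

def equivalence_classes(records: List[Record], quasi_ids) -> Dict[Tuple, List[Record]]:
    """Group records that share the same quasi-identifier values."""
    classes: Dict[Tuple, List[Record]] = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_ids)].append(rec)
    return dict(classes)

def k_anonymity(records: List[Record], quasi_ids) -> int:
    """Largest k for which every equivalence class holds at least k records."""
    classes = equivalence_classes(records, quasi_ids)
    return min(len(rows) for rows in classes.values()) if classes else 0

def l_diversity(records: List[Record], quasi_ids, sensitive: str) -> int:
    """Largest l for which every class has at least l distinct sensitive values.

    A class with l == 1 is homogeneous: anyone who can place a person in that
    class learns their sensitive value even though the class is k-anonymous.
    """
    classes = equivalence_classes(records, quasi_ids)
    if not classes:
        return 0
    return min(len({r[sensitive] for r in rows}) for rows in classes.values())

def k_violations(records: List[Record], quasi_ids, k: int) -> Dict[Tuple, int]:
    """Equivalence classes smaller than k, i.e. the ones that re-identify their members."""
    classes = equivalence_classes(records, quasi_ids)
    return {key: len(rows) for key, rows in classes.items() if len(rows) < k}
```

On the full table the singleton (50-59, 023**) class gives k = 1; dropping it yields k = 2, but the (40-49, 022**) class is all "cancer", so l stays 1.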
  51. Data Security Approaches. Source: TokenEx. Techniques plotted against data utility (max utility to min utility) and data protection (min protection to max protection): Minimization; Devaluation/Pseudonymisation/Tokenization; Data Hashing/Masking; Encryption
  52. Gartner Hype Cycle for DataOps
  53. Gartner – DataOps
     • Definition: DataOps is a collaborative data management practice focused on improving the communication, integration and automation of data flows between data managers and consumers across an organization. The goal of DataOps is to create predictable delivery and change management of data, data models and related artifacts. DataOps uses technology to automate data delivery with the appropriate levels of security, quality and metadata to improve the use and value of data in a dynamic environment.
     • Position and Adoption Speed Justification: Currently, there are no standards or known frameworks for DataOps. Today's loose interpretation makes it difficult to know where to begin, what success looks like, or if organizations are even "doing DataOps" at all. This lack of a documented discipline will likely inhibit adoption of the practice over the next 12 to 18 months, feeding the confusion and driving hype further. A growing number of technology providers are adopting the DataOps terminology and even claiming to offer DataOps solutions. At the same time, Gartner sees early-stage interest from data and analytics teams asking about the concepts. Given the tremendous pressure to achieve faster delivery of new and enhanced data analytics capabilities, DataOps will quickly traverse the first half of the Hype Cycle.
     • User Advice: As a new practice, DataOps will be most successful on projects targeting a small scope with some level of executive sponsorship, primarily from the CDO or other top data and analytics leader. Executive sponsorship will be key as DataOps represents a new way of delivering data to consumers. Practitioners will have to overcome the resistance to change existing practices as they introduce this concept.
  54. DataOps is NOT Just DevOps for Data. Source: datakitchen
     • One common misconception about DataOps is that it is just DevOps applied to data analytics.
     • It communicates that data analytics can achieve what software development attained with DevOps.
     • DataOps can yield an order of magnitude improvement in quality and cycle time when data teams utilize new tools and methodologies.
     • The specific ways that DataOps achieves these gains reflect the unique people, processes and tools characteristic of data teams (versus software development teams using DevOps).
  55. DataOps
  56. Total Cost and Risk of Tokenization. Example: 50% lower total cost
     • On-premise tokenization: limited PCI DSS scope reduction (must still maintain a CDE with PCI data); higher risk, since sensitive data is still resident in the environment; associated personnel and hardware costs
     • Cloud-based tokenization: significant reduction in PCI DSS scope; reduced risk, since sensitive data is removed from the environment; platform-focused security; lower associated costs (cyber insurance, PCI audit, maintenance)
  57. Identity Management. Source: Wikipedia
  58. #1 Siloed (Centralized) Identity (diagram: YOU, ACCOUNT, ORG; STANDARDS:)
  59. #2 Third-Party IDP (Federated) Identity (diagram: YOU, ACCOUNT, ORG, IDP; STANDARDS:)
  60. #3 Self-Sovereign Identity (SSI) (diagram: YOU, CONNECTION, PEER, DISTRIBUTED LEDGER (BLOCKCHAIN)). The Sovrin Network is the first public-permissioned blockchain designed as a global public utility exclusively to support self-sovereign identity and verifiable claims. Recent advancements in blockchain technology now allow every public key to have its own address, which is called a decentralized identifier (DID).
  62. OpenID – What is OpenID Connect?
     • OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with a design goal of "making simple things simple and complicated things possible". It's uniquely easy for developers to integrate, compared to any preceding identity protocol.
     • OpenID Connect lets developers authenticate their users across websites and apps without having to own and manage password files. For the app builder, it provides a secure, verifiable answer to the question: "What is the identity of the person currently using the browser or native app that is connected to me?"
     • The OpenID Foundation (OIDF) promotes, protects and nurtures the OpenID community and technologies. The OpenID Foundation is a non-profit international standardization organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users.
  63. Self-Sovereign Identity (SSI)
  64. Thank You! Ulf Mattsson, TokenEx