CIS 2015 - Rethinking Your Authorization Strategy - Gerry Gebel
TRANSCRIPT

Rethinking Your Authorization Strategy
Gerry Gebel, Axiomatics (@ggebel)

Agenda
§ Before: hard-coded AuthZ: group lists, roles and ACLs
§ Now: externalized AuthZ: ABAC, OpenID Connect
§ Future: more options: ABAC for big data, policy provisioning, Authorization Token Service
© 2015 Axiomatics AB

Need to Know …

Need to Share …

“We no longer operate largely on the principle of compartmentalization, that is, sharing information based on “need to know.” We now start from the imperative of “responsibility to share,” in order to collaborate with and better support our intelligence consumers – from the White House to the foxhole.”
James R. Clapper, September 2011

“Success in coping with these kinds of challenges ultimately depends on finding ways to overcome the “need to know” default option in most organizations and moving to a “need to share” network culture.”
American Society for Public Administration, 2009

“Need to Share” paradigms require changes in technology…
…as well as organizational dynamics and culture.
Externalized AuthZ helps you address one of the above

Big Data, BYOD, Mobile, Cloud, Internet of Things, APIs

Data sharing concerns
§ Are privacy rules being enforced?
§ Is collaboration causing excessive risk?
§ What is the potential for data leakage?
§ How can the insider threat risk be reduced?

Secure collaboration
…depends on efficient information sharing…
… which depends on precision in access controls.

Agenda: Before

Hundreds or thousands of IF-clauses scattered all over your code:
If the user is a member of group Z then … else …
If device is Android then … else …
If project X is in production phase then … else …
If role is manager AND location is TX then … else …

“A role’s got to know its limitations”
Clint Eastwood in Magnum Force, 1973

The RBAC model (diagram)

You know you’ve lost control of your RBAC deployment when…
Volumetrics of an existing customer base today: 7,000 customers, 73,000 functional roles, 20,000 data roles
“We have more than 50 people assigned to search for SoD conflicts in role definitions and assignments”

Don’t make a wrong turn
The journey to ABAC (diagram): existing RBAC definitions, ABAC goal state, ABAC starting point

Legacy access control issues
§ Hard coded in applications
§ Audit and certification are difficult
§ Change control is time consuming and expensive
§ Not suitable for dynamic or complex scenarios
§ Manageability challenges: that role explosion issue

Agenda: Now

What is Attribute Based Access Control (ABAC)?
§ A mode of externalized authorization
§ Authorization policies/rules are managed in a centralized service (deployment can be centralized, distributed or hybrid)
§ Policies utilize attributes to describe specific access rules, which is why it is called attribute based access control

Externalized Authorization
1. Access request is intercepted
2. A query is sent to the external authorization service
3. The authorization engine evaluates the relevant policies
4. It may also need to query external attribute sources for more info
5. The decision, PERMIT or DENY, is returned and enforced
Diagram: User Bob → Application → Authorization Service (Policies, Attribute Sources): “Can Bob access record #22?” → PERMIT/DENY

ABAC Enables Secure Information Sharing
§ Attributes of different types provide the context
§ Policy language defines the conditions for allowing or denying access
It’s not just about WHO, but also WHAT, WHERE, WHEN, WHY and HOW

High level process for ABAC
Example: brokers can view the insurance policies of a customer if the broker is assigned to the customer
Role == broker
Action == view
Resource == insurance policy
userId == customer.assignedBroker (this is the relationship)
A user with the role == broker can do the action == view on resources of type == insurance policy if the user id == the customer’s assigned broker id.
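The broker rule and the five-step externalized flow above, as an added example that is not code from the deck or from Axiomatics: the application (PEP) intercepts a request, the authorization service evaluates the policy, and the relationship attribute `customer.assignedBroker` is fetched from a constructed attribute source; all identifiers and data are made up for the illustration.

```python
# Added example (not from the deck): minimal externalized authorization
# for "brokers may view a customer's insurance policy if assigned to it".
from dataclasses import dataclass

# Constructed attribute source (PIP): customer record -> assigned broker id
CUSTOMER_ATTRIBUTES = {
    "cust-1001": {"assignedBroker": "u-broker-7"},
    "cust-1002": {"assignedBroker": "u-broker-9"},
}

@dataclass
class Request:
    user_id: str        # WHO
    role: str           # WHO (attribute)
    action: str         # WHAT
    resource_type: str  # WHAT
    customer_id: str    # which customer the resource belongs to

def fetch_assigned_broker(customer_id):
    """Step 4: query the external attribute source for more context."""
    return CUSTOMER_ATTRIBUTES.get(customer_id, {}).get("assignedBroker")

def broker_view_policy(req):
    """Policy from the slide. Returns PERMIT, DENY or NOT_APPLICABLE."""
    if not (req.role == "broker" and req.action == "view"
            and req.resource_type == "insurancePolicy"):
        return "NOT_APPLICABLE"   # target does not match this policy
    # The relationship: userId == customer.assignedBroker
    if req.user_id == fetch_assigned_broker(req.customer_id):
        return "PERMIT"
    return "DENY"

POLICIES = [broker_view_policy]

def authorization_service(req):
    """Step 3: first applicable policy decides; deny when none applies."""
    for policy in POLICIES:
        decision = policy(req)
        if decision != "NOT_APPLICABLE":
            return decision
    return "DENY"

def enforce(req):
    """Steps 1, 2 and 5: the application intercepts the access request,
    asks the service and enforces the answer (True = access allowed)."""
    return authorization_service(req) == "PERMIT"
```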

Trending: Consent management and externalized access
§ Allow end users to manage who can access their private data
§ Most common in health care, insurance and financial services
§ Patient controls who can see medical records and other patient records
§ Personal data, diagnosis, treatment
§ White list, black list
§ Insurance client controls who can see insurance policy or claims records
§ Distinguish access for brokers, adjusters, etc.
§ Useful in family scenarios: spouse, children, parent access

Question: Where do you manage consent/profile data?
§ In the authorization service?
§ In the application/service?
§ Both, other?

Externalized access control issues
§ It’s new, must overcome decades of ingrained approaches and techniques
§ COTS applications rarely provide “hooks” to enable externalized authorization
§ Don’t make simple scenarios more complex – Make complex scenarios manageable

Agenda: Future

The concept of “Policy Provisioning”
§ Define access policies in the XACML standard
§ Translate or transform policies into formats supported by other platforms
§ Could be other standards or proprietary formats
§ Target platform performs its normal access control
§ No call out to external service

Policy provisioning into Windows Server 2012
1. Author and test access policies in XACML
2. Translate XACML to SDDL and import into AD
3. Enforce access on Windows Server 2012 file system

In federated SSO, we have the Security Token Service…

Do we need an Authorization Token Service (ATS)?
§ Input: subject ID and proposed claims. Output: OAuth token with valid claims
Diagram: userID123 with claim 1, claim 2, claim 3 … → ATS → Authorization Service (Policies) → OAuth token: Subject=userID123, Scopes=claim 1 & claim 3

Do we need an Authorization Token Service (ATS)?
§ Input: subject ID and resource ID. Output: OAuth token with valid claims
Diagram: userID123, resourceType = medicalRecord → ATS → Authorization Service (Policies) → OAuth token: Subject=userID123, Scopes: claim1=NY, claim3=MtSinai, claimZ=oncology

Do we need an Authorization Token Service (ATS)?
§ Input: subject ID and proposed claims. Output: JWT token with valid claims
Diagram: userID123 with claim 1, claim 2, claim 3 … → ATS → Authorization Service (Policies) → JWT
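The three ATS slides above, as an added example that is not code from the deck or from Axiomatics: the subject proposes claims, the authorization service keeps only those its policies permit, and the ATS issues an HS256-signed JWT whose scopes contain just the valid claims. The subject attributes, the claim policies and the signing key are constructed for the illustration.

```python
# Added example (not from the deck): a toy Authorization Token Service.
import base64, hashlib, hmac, json

# Constructed subject attributes the authorization service can look up
SUBJECT_ATTRIBUTES = {
    "userID123": {"state": "NY", "site": "MtSinai", "department": "oncology"},
}

# Constructed policy table: a claim is valid for a subject only if its
# predicate over the subject's attributes holds.
CLAIM_POLICIES = {
    "claim1": lambda a: a.get("state") == "NY",
    "claim2": lambda a: a.get("department") == "cardiology",
    "claim3": lambda a: a.get("site") == "MtSinai",
}

def filter_claims(subject_id, proposed):
    """Authorization service: keep only the proposed claims policy permits."""
    attrs = SUBJECT_ATTRIBUTES.get(subject_id, {})
    return [c for c in proposed if CLAIM_POLICIES.get(c, lambda a: False)(attrs)]

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_jwt(subject_id, proposed, key: bytes) -> str:
    """ATS: subject ID + proposed claims in, HS256 JWT with valid scopes out."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = {"sub": subject_id, "scope": " ".join(filter_claims(subject_id, proposed))}
    payload = _b64url(json.dumps(body).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"

def verify_jwt(token: str, key: bytes):
    """Resource side: check the signature before trusting the scopes.
    Returns the decoded payload, or None if the signature does not match."""
    header, payload, signature = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), signature):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))
```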

In summary
• Think of authorization in the context of macro trends in the industry
• Roles/groups work well, but with constraints
• Externalized authZ is on the rise, based on attributes, policies and context
• The future holds many possibilities and you will need many authZ tools to meet a variety of scenarios