cis14: the very latest in authorization standards
DESCRIPTION
Gerry Gebel, Axiomatics. Update on the latest trends and happenings regarding authorization standards and commentary on projections on this topic for the coming year, including the status of the JSON and REST profiles for XACML (it’s not just XML anymore), scenarios where OAuth and XACML can coexist, and what NIST’s published report on ABAC is all about.
TRANSCRIPT
The Very Latest in Authorization Standards and Trends
Cloud Identity Summit - 2014
Gerry Gebel Axiomatics [email protected] @ggebel
© 2014 Axiomatics AB 1
Preamble Authorization v.Next
Cloud Identity Summit 2014
© 2014 Axiomatics AB 2
© 2014 Axiomatics AB 3
© 2014 Axiomatics AB 4
© 2014 Axiomatics AB 5
Having a policy language is a key differentiator for ABAC/XACML
OAuth
UMA
JWT
XACML
Finding the right combination
Agenda
§ Business trends that are influencing authorization requirements
§ Externalized Authorization and ABAC
§ Standards update
§ JSON, REST, ALFA and more
§ Prognostications
Cloud Identity Summit 2014
Business Trends & AuthZ
Cloud Identity Summit 2014
Next generation information security = dynamic authorization = attribute based access control
Legacy access controls fail in dynamic environments
ABAC thrives in dynamic environments
Grant or deny access to sensitive / business critical information based on the following attributes:
Who
What
When
Where
Why
How
“By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.”
Gartner Predicts, March 2014
Externalized Authorization and ABAC
Cloud Identity Summit 2014
NIST Special Pub 800-162 *
§ “[ABAC] flexibility provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object”
* nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
Example from NIST report
§ Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients
§ Variables in the policy language enable very efficient policy structures – reducing the maintenance load
§ Management of heart patient records is part of the business application – not an IT function
§ Multiple attributes must be available for policy evaluation – either as part of the access request or retrieved from an authoritative source
NIST example - expanded
§ Nurse Practitioners can View the Records of Patients in the same Department they are assigned to
§ This rule can apply to all departments in the hospital
§ Add a new department or change the name of a department and the rule does not change
§ The rule compares the department of the Nurse Practitioner to the department of the Patient
§ Avoids the role explosion effect of RBAC models
Applying ABAC to every layer of your application
ADAF
REST, JSON, & ALFA
What’s new on the XACML standards front?
What’s in the XACML standard
XACML
Reference Architecture
Policy Language
Request / Response Protocol
§ Profiles add functionality
§ REST
§ JSON
§ Export Control
§ IP Protection
§ Hierarchical Resources
§ Etc.
The Request/Response format
XACML Request: Can Manager Alice approve Purchase Order 12367?
• Subject: User id = Alice, Role = Manager
• Action: Action id = approve
• Resource: Resource type = Purchase Order, PO # = 12367
• Environment: Device Type = Laptop
XACML Response: Yes, she can
• Result: Decision = Permit, Status = ok
XML encoding of an authZ request
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
Can Alice say Hello?
JSON encoding of an authZ request
{
  "subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
  "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
  "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}
}
JSON vs. XML
[Chart: size of a XACML request, word count and character count, XML vs. JSON]
REST Profile
XML over HTTP
JSON over HTTP
ALFA – Abbreviated Language for Authorization
§ Domain Specific Language (DSL) that provides an abstraction over XACML
§ Pseudo language is similar to C# or Java
§ Author policies in the Eclipse IDE; the plug-in automatically generates XACML
Axiomatics has committed to submit ALFA as an XACML profile
A policy example, in English
/**
* A manager can approve a transaction if their approval limit is greater than
* the transaction amount and if the risk is less than 5
*/
Let’s take a look at this policy in XACML and ALFA
A policy example, in XACML (1)
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <xacml3:Description>Let a manager approve a transaction if their approval limit is greater than the transaction amount and if the risk is less than 5</xacml3:Description>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="userRole" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
A policy example, in XACML (2)
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transaction</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="resourceType" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction.allowIfLowRiskScore">
    <xacml3:Description/>
    <xacml3:Target/>
    <xacml3:Condition>
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than"/>
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">5.0</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="transactionRiskScore" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
A policy example, in XACML (3)
        </xacml3:Apply>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal"/>
          <xacml3:AttributeDesignator AttributeId="transactionAmount" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
          <xacml3:AttributeDesignator AttributeId="userApprovalLimit" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
        </xacml3:Apply>
      </xacml3:Apply>
    </xacml3:Condition>
  </xacml3:Rule>
</xacml3:Policy>
A policy example, in ALFA
policy allowTransaction {
    target clause userRole == "manager" and actionId == "approve" and resType == "transaction"
    apply firstApplicable
    rule allowIfLowRiskScore {
        condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
        permit
    }
}
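As an added example (not from the slides and not Axiomatics' code), a minimal policy decision point in Python that evaluates the ALFA allowTransaction policy above, and the NIST nurse-practitioner "same department" rule from the earlier slides, against requests in the JSON shorthand shown on the JSON encoding slide. The attribute names for the nurse rule and all sample values are assumptions.

```python
# Policies as data, mirroring the ALFA structure: a target, first-applicable
# combining, and rules whose conditions run over the flattened request attributes.
# Attribute names in NURSE_VIEW_RECORDS are assumptions; the slides name none.
ALLOW_TRANSACTION = {
    "target": lambda a: (a.get("userRole") == "manager" and a.get("actionId") == "approve"
                         and a.get("resType") == "transaction"),
    "rules": [{"id": "allowIfLowRiskScore", "effect": "Permit",
               "condition": lambda a: (a["transactionRiskScore"] < 5
                                       and a["transactionAmount"] <= a["userApprovalLimit"])}],
}
NURSE_VIEW_RECORDS = {
    "target": lambda a: (a.get("role") == "nurse-practitioner" and a.get("actionId") == "view"
                         and a.get("resType") == "patient-record"),
    # compares two attributes instead of naming a department: add a department,
    # rename one, and the rule does not change (no role explosion)
    "rules": [{"id": "sameDepartment", "effect": "Permit",
               "condition": lambda a: a["subjectDepartment"] == a["patientDepartment"]}],
}

def flatten(request):
    """Collapse the slides' JSON shorthand (category -> attribute list) into one dict."""
    return {attr["attributeId"]: attr["value"]
            for category in request.values() for attr in category.get("attribute", [])}

def evaluate(policy, request):
    """Return the XACML decision string for one request against one policy."""
    attrs = flatten(request)
    if not policy["target"](attrs):
        return "NotApplicable"   # target did not match: the policy does not apply
    for rule in policy["rules"]:
        try:
            fires = rule["condition"](attrs)
        except KeyError:
            fires = False        # missing attribute = empty bag, as with MustBePresent="false"
        if fires:
            return rule["effect"]   # first-applicable: stop at the first rule that fires
    return "NotApplicable"

def make_request(subject, action, resource):
    """Build a request in the slides' JSON shorthand from three attribute dicts (constructed input)."""
    def category(attrs):
        return {"attribute": [{"attributeId": k, "value": v} for k, v in attrs.items()]}
    return {"subject": category(subject), "action": category(action), "resource": category(resource)}

if __name__ == "__main__":
    req = make_request({"userRole": "manager", "userApprovalLimit": 10000.0}, {"actionId": "approve"},
                       {"resType": "transaction", "transactionAmount": 2500.0, "transactionRiskScore": 3.2})
    print(evaluate(ALLOW_TRANSACTION, req))   # Permit
```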
Prognostications
OAuth & XACML? Further simplification of XACML?
How can OAuth and XACML complement each other?
§ OAuth: popular authZ mechanism for API security and consumer scenarios
§ Missing from OAuth: declarative policy language
What if?
§ XACML policies were used to control scopes for OAuth tokens
§ Easy consumption of JWT tokens for advanced authorization via a XACML-based service
{
  "subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
  "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
  "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}
}
JWT
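An added example, not part of the deck: a PEP-side routine that verifies an HS256 JWT with only the Python standard library and maps its claims into the JSON request shorthand shown above, which is the "easy consumption of JWT tokens" step. The shared secret, the claim names (sub, roles, scope, exp) and the XACML attribute ids derived from them are assumptions.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims, secret):
    """Mint an HS256 token; only here so the demo has a constructed input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token, secret, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None   # pin the algorithm: never let the token choose it
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None   # constant-time comparison of the MAC
        claims = json.loads(b64url_decode(payload))
    except (ValueError, TypeError):
        return None       # malformed token: treat as unauthenticated
    if claims.get("exp", float("inf")) < (now if now is not None else time.time()):
        return None
    return claims

def jwt_to_xacml_request(claims, action_id, resource_id):
    """Map verified claims onto the JSON request shorthand used on the slides (assumed attribute ids)."""
    subject = [{"attributeId": "username", "value": claims["sub"]}]
    subject += [{"attributeId": "role", "value": r} for r in claims.get("roles", [])]
    subject += [{"attributeId": "oauth-scope", "value": s} for s in claims.get("scope", "").split()]
    return {"subject": {"attribute": subject},
            "resource": {"attribute": [{"attributeId": "resource-id", "value": resource_id}]},
            "action": {"attribute": [{"attributeId": "action-id", "value": action_id}]}}

SECRET = b"demo-shared-secret"   # constructed for the demo; a real PEP uses the authorization server's key
TOKEN = make_jwt({"sub": "alice", "roles": ["manager"], "scope": "say", "exp": 4102444800}, SECRET)

if __name__ == "__main__":
    claims = verify_jwt(TOKEN, SECRET)
    print(json.dumps(jwt_to_xacml_request(claims, "say", "hello"), indent=1))
```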
On the further simplification of XACML
§ REST and JSON profiles greatly simplify the developer experience
§ See David Brossard’s workshop material from Sunday
§ But what about the policy language?
SCIM + XACML
Questions? Thank you for listening