NextLabs: Beyond RBAC
Tim Quan, Director - SAP Industries & Solutions, NextLabs
March 2014
ABAC and Information Control Automation
© 2014 SAP AG or an SAP affiliate company. All rights reserved. 2
Agenda
● Common Challenges to Role Based Access Control (RBAC)
● Information Control Automation and Attribute Based Access Control (ABAC)
● Industry Frameworks for ABAC
● ABAC in SAP
● Demonstration Examples
● Benefits and Common Scenarios in SAP
Section 1: Common Challenges to Role Based Access Control (RBAC)
Challenge - Enforcement Granularity
(Figure: a supplier user is granted access to Products A to E, although only a subset is actually required)
“We can give her the role, but we can’t limit what data she can see”
Role grants are coarser than the data the user should see. This leads to excessive access, custom authorization logic and/or complex roles.
Challenge - Discretionary Authorization
“Please have your manager approve access”
Why should or shouldn’t your manager approve access? The decision depends on:
• Role purpose
• Job function and assignments
• Least privilege
• Compliance requirements
• Existing access
• Trust
And when should your access be revoked?
Challenge - Role Explosion
Companies have multiple access drivers:
• Functional roles
• Compliance regulations (e.g. ITAR, Trade Secrets, PII)
• IP control agreements (e.g. PIEA, NDA)
• Multiple applications and systems (e.g. PLM, ERP, CRM)
With traditional role based access control (RBAC), the number of roles explodes with the number of access variables, because each combination of variables needs its own role.
(Figure: required access rules plotted against the number of access variables)
“We have 10,000 users and 125,000 roles and growing”
Information Control Enforcement Today
Policy authorities:
• Business authorizations (e.g. NDA, License)
• Procedural controls (e.g. Access Review)
• Systematic controls (e.g. Access Control)
(Figure: enforcement split labelled 90% and 10%, procedural versus systematic controls)
Example - Legal / Intellectual Property: Non-Disclosure Agreement
Acme Inc and Wiley Tech agree to share confidential information about Kaboom for 3 years. Materials are marked “ACME Confidential” and destroyed at the end of the project.
Procedural controls
IT:
• Create Wiley Tech site
• Manage Wiley Tech group
End user:
• Get manager review
• Mark confidential
• Put data in the Wiley Tech Confidential site on the Collaboration Portal
• Tell Wiley to destroy
Systematic controls
• Limit access to the Wiley Tech site to users in the Wiley Tech group
Only the last control is enforced by a system; everything else depends on people following the procedure.
Key Business Trends Impacting Information Risk
Industry Consolidation
• Continued M&A activity anticipated – 76% of executives anticipate at least one acquisition in 2013*
• Joint ventures and partnerships on the rise
• Competitive threats keep companies on edge for IP Protection
Globalization
• Firms expanding footprint to international markets to drive revenue growth
• Trade and information exchange is crossing company and country borders
Anywhere, any device
• Firms looking for the next frontier of operational efficiency gains
• Desire to minimize IT maintenance and support costs
• Firms look to enable employees with the required access to data from anywhere and through any device
* KPMG Survey on M&A Activity 2013
Increased Global Collaboration
(Figure: My Company at the centre, collaborating with each of the following)
• Customers (customer collaboration)
• Offshore subsidiary / outsourced manufacturing
• Supplier/partner (supplier collaboration)
• Quality contractor (quality collaboration)
Secure Information Collaboration Challenge
(Figure: the same parties as before, with the data each collaboration exchanges)
• Customers - customer collaboration: forecasts, promotions, replenishment, ASNs
• Offshore subsidiary / outsourced manufacturing: sub-contract POs, ASNs, invoices, shipments, work order WIP
• Supplier/partner - supplier collaboration: forecasts, purchase orders, Kanban, invoices, shipments
• Quality contractor - quality collaboration: quality notifications
Business Authorization Dimensions
● Functional access: determines the actions a user can perform
● Data access: determines the data a user can see
● Governance: rules for access management
(Figure: functional access and data access as the two axes)
Information Control Policy
(Figure: the policy authorities - business authorizations such as NDA and License, procedural controls such as access review, systematic controls such as access control - feed one Information Control Policy, which drives the information controls below; the 90% / 10% enforcement split is shown again)
Information controls:
• Audit
• Data classification
• Access control (ABAC)
• Integrated rights management
• Data labeling and marking
• Communication control
• Application control
• Device control
• Network control
• Compliance workflow
Section 2: Information Control Automation and Attribute Based Access Control (ABAC)
Information Control Policy
• Attribute driven policy: Attribute Based Access Control (ABAC) enables dynamic authorization logic
• Information centric: protecting data across systems and applications, with built-in data classification services
• Identity based: deep integration with common identity management systems and standards
(Figure: ABAC at the intersection of Identity, Information and Environment)
Policy Model
Example rule: Allow only US Engineers to access Project X Specifications from US Offices
• Subject: Location = US AND Department = Engineering
• Resource: Project = Project X AND Type = Specification
• Environment: Network Address = 192.168.*
An attribute-based rule conveys the business intent directly and provides fine-grained, data-level control.
Policy Structure
FOR Confidential – Top Secret
ON Access
BY NOT Employee Level 5
WHERE User.Authority = Resource.Authority
DO Allow, Log Access
• Target (FOR / ON / BY): determines policy applicability
• Condition (WHERE): determines the policy effect
• Effect (DO): policy decision and obligations
Section 3: Industry Frameworks for ABAC
Gartner: Dynamic Attribute-based Authorization will be dominant
Attributes are now “how we role”
Context will play an ever-expanding role as people come to enterprise networks from all angles and devices. It will be a world of attribute-based access control, where an identity marketplace becomes a key provider of user attributes that build context and define access control decisions, especially for critical data, systems. Crafting policy definitions, however, will continue to present challenges.
Prediction: By 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today.
Source: Gartner Predicts 2014: Identity and Access Management
Kuppinger: Dynamic Attribute-based Authorization is the future
Source: Kuppinger Cole Leadership Compass for Access Governance
NIST Cyber Security Framework
Source: Improving Critical Infrastructure Cybersecurity, Executive Order 13636, NIST, 2013
Related SAP products mapped to the framework:
• SAP Identity Management
• SAP GRC AC
Capabilities mapped to the framework:
• Centrally define corporate information security policies
• Segregate policy management by role
• Classify data based on policy
• Enforce data segregation based on policies
• Control access and usage based on multiple attributes, including user type, location, device type, media type
• Rights-protect information based on multiple attributes
• Control how data is shared via email based on policy
• Monitor and log data access and usage based on policies
• Raise user awareness through context-based messages
Section 4: ABAC in SAP
NextLabs Solution Approach
(Figure: Manage, Enforce, Monitor, Educate and Audit as a cycle)
• Turns business requirements into enforceable controls
• Integrates with enterprise, cloud, and client applications: data classification, data segregation, access control, rights protection, communications control, activity logging
• Logs and audits data and user activity
Policy-Driven Security Controls and Compliance Automation for SAP
Policy inputs: user attributes, data classification, context
• Data-level and transaction-level security
• Field-level security control
• Virtualized data segregation
• Attribute-based access control and access segregation
• Encryption and DRM protection of data inside and outside of SAP
• Monitor or Deny modes
• Audit and reporting of all requested access
Example policy: “Allow only Project A Team Members in Site 1 to access Project A data for 6 months”
NextLabs is an SAP Endorsed Business Solution Partner
Security Classification
• Centrally manages SAP master data attributes
• Features:
  • Granularity (transaction and master data)
  • Extensible schema
  • Inheritance (e.g., Material to BOM)
  • Classification lifecycle management
  • Classification automation
  • Integration with external classification systems (e.g., SAP GTS for export control)
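The "Material to BOM" inheritance in the feature list is worth seeing as code, because it is where an attribute-based policy on `Exp Security = ITAR` silently fails if the label lives only on the component and not on the assembly that contains it. The block below is an added example, not NextLabs or SAP code: the label ranking, the rule that an assembly inherits the most restrictive label beneath it, the material records and the BOM tree are all assumptions constructed for illustration.

```python
"""Added example (illustration, not NextLabs or SAP code): propagating a security
classification from materials up a bill of materials (BOM), the "Material to BOM"
inheritance the slide lists. The ranking of labels, the rule that an assembly inherits
the most restrictive label beneath it, the material records and the BOM are assumed."""
from typing import Dict, List

# Higher rank = more restrictive (assumed ordering).
RANK = {"Public": 0, "Proprietary": 1, "EAR": 2, "ITAR": 3}

# Constructed master data: material number -> classification recorded on that material.
MATERIALS: Dict[str, str] = {
    "CRD-100-1": "ITAR",
    "BRK-200": "Proprietary",
    "BLT-M6": "Public",
    "ASM-500": "Proprietary",   # label assigned before the ITAR part was added to its BOM
    "KIT-900": "Public",
}

# Constructed BOM: parent material -> component materials.
BOM: Dict[str, List[str]] = {
    "ASM-500": ["CRD-100-1", "BRK-200", "BLT-M6"],
    "KIT-900": ["ASM-500", "BLT-M6"],
}


def effective_classification(material: str, materials: Dict[str, str],
                             bom: Dict[str, List[str]], seen=None) -> str:
    """Most restrictive of the material's own label and every label below it in the BOM.
    `seen` skips components already visited on this traversal, so cyclic or duplicated
    BOM entries cannot recurse forever; a skipped component's label was already folded
    into a result that flows up to the same root."""
    seen = set() if seen is None else seen
    seen.add(material)
    best = materials[material]          # an unknown material is a data error, not "Public"
    for child in bom.get(material, []):
        if child in seen:
            continue
        child_cls = effective_classification(child, materials, bom, seen)
        if RANK[child_cls] > RANK[best]:
            best = child_cls
    return best


def escalations(materials: Dict[str, str], bom: Dict[str, List[str]]) -> Dict[str, str]:
    """Materials whose inherited classification is stricter than their own record: the
    rows a classification-lifecycle job has to update before an access policy keyed on
    the classification attribute can protect the assembly as well as the part."""
    out: Dict[str, str] = {}
    for m in materials:
        eff = effective_classification(m, materials, bom)
        if RANK[eff] > RANK[materials[m]]:
            out[m] = eff
    return out
```

With the constructed data, `escalations(MATERIALS, BOM)` reports that ASM-500 and KIT-900 must be raised to ITAR: neither carries the label itself, but both contain CRD-100-1. The max-of-subtree rule is the conservative choice; a site that wants a weaker rule (for example, ITAR only when the controlled part is not a commercial off-the-shelf item) would have to encode that exception explicitly rather than let it happen by omission.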
Attribute Based Access Control
Example enforcement messages shown to the user:
ACCESS DENIED: Only members of Project Y can access project data
ACCESS DENIED: ITAR Technical Data: Export Authorization Required
Integrated Rights Management for SAP
Protects data inside and outside SAP
Features:
• Automatic rights protection of long text and documents
• File type agnostic
• Persistence of classification, metadata and rights with the data
Policy Compliance Audit
Dashboards
• Role-based dashboards for easy access to the most critical analysis
Analytics
• Multi-dimensional summary analysis
• Trend analysis
End-to-end activity audit
• Data access, use and distribution across applications
• Details required for incident investigation and response
Compliance audit
• Policy enforcement
• Policy-based activity audit
Personal and shared reports
Integrates with compliance record keeping
Section 5: Demonstration Examples
Section 6: Benefits and Common Scenarios in SAP
RBAC vs. RBAC+ABAC in SAP
97% fewer roles using attributes
Organisation assumed: 1 company, 5 subsidiaries, 7 plants per subsidiary = 35 plants
Scenario 1: 50 functional roles & 5 subsidiaries
  RBAC: 300 total roles (50 functional roles, 5 derived company-code roles, 35 derived plant roles)
  RBAC + ABAC: 50 functional roles
Scenario 2: 35 plants under 5 subsidiaries
  RBAC: 1,840 roles (50 × 35 = 1,750 derived roles; 1,750 + 5 + 35 + 50 = 1,840)
  RBAC + ABAC: 51 authorizations (50 functional roles + 1 NextLabs policy)
Benefit: RBAC is the baseline; RBAC + ABAC needs 97% fewer authorizations than RBAC alone (51 versus 1,840)
NextLabs can help address Security & Compliance Challenges
Secure Collaboration
• Accelerate and enable safe collaboration with external partners.
• Improve data access visibility within partner networks.
• Centrally define and enforce policies.
Business Transformation
• Accelerate consolidation with dynamic authorization.
• Enable field-level security without role explosion with attribute based access control (ABAC).
Regulatory Compliance
Automate tedious compliance processes and audit reporting for:
• Export (ITAR/EAR, BAFA, Dual Use, …)
• Privacy (PCI, PII …)
• Others (Chemical Weapons Convention, Nuclear Energy ..)
IP and Data Security
• Protect and prevent loss of critical data inside and outside SAP Business Suite.
• Persistently protect IP data distributed with digital rights technology in and out of the enterprise.
Policy Evaluation (SAP ECC)
Query sent by the SAP server to the Policy Controller (PDP):
• Subject: userid = “carter”, Department = ‘Sales’, location = “US”, ACC = Project 01
• Action: Run
• Resource: UI Function = Display, Mat = CRD-100-1, Exp Security = ITAR, IP = Proprietary, Export Lic = NA, ACC = Project 01
Response from the PDP:
• Effect: Allow/Deny
• Obligations: Show Message “ITAR TECHNICAL DATA”
Components:
• Control Center (PAP): policies and policy components are deployed as a policy bundle to the Policy Controller (PDP), which evaluates them
• SAP server(s): the SAP ECC system that sends the query and enforces the response
• Attribute sources: AD/LDAP, SAP CUA, HRMS, IdM
Policy Combining (AuthZ Concept)
Components: Application (with PEP and PIP), Policy Decision Point (PDP), Policy Information Point (PIP)
Example: Andy accesses Material A
• Policy 1 (IP Control): ALLOW
• Policy 2 (Export Compliance): ALLOW
• Policy 3 (National Security): DENY
Combined decision with deny-override: DENY
Access rules are managed independently, which reduces the number of authorizations.
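The Policy Model, Policy Structure, Policy Evaluation and Policy Combining slides describe one mechanism from four angles: a request carrying subject, action, resource and environment attributes; policies with a target (applicability), a condition (whether the effect fires) and an effect with obligations; and a deny-overrides combination of every policy that applies. The block below is an added example of that mechanism, not NextLabs or SAP code. The attribute names, the detailed conditions of the three combined policies (the slide only gives their names and outcomes), the "cleared" attribute and the sample requests are constructed for illustration; `192.168.0.0/16` stands in for the slide's `192.168.*`.

```python
"""Added example (illustration, not NextLabs or SAP code): a small attribute-based
policy decision point with the target/condition/effect structure of the Policy
Structure slide and the deny-overrides combining of the Policy Combining slide.
Attribute names, the sample policies and the sample requests are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

Attrs = Dict[str, object]


@dataclass
class Request:
    subject: Attrs                                    # who: userid, department, location ...
    action: str                                       # what: Access, Run ...
    resource: Attrs                                   # on what: project, type, classification ...
    environment: Attrs = field(default_factory=dict)  # where/when: network address ...


@dataclass
class Policy:
    name: str
    target: Callable[[Request], bool]      # FOR <resource> ON <action> BY <subject>
    condition: Callable[[Request], bool]   # WHERE <attribute comparison>
    effect: str                            # DO Allow | Deny
    obligations: List[str] = field(default_factory=list)   # e.g. "Log Access"


@dataclass
class Decision:
    effect: str                                        # Allow, Deny or NotApplicable
    obligations: List[str] = field(default_factory=list)
    applied: List[str] = field(default_factory=list)   # policies that produced the effect


def evaluate(policy: Policy, req: Request) -> Decision:
    """A policy contributes only when its target matches AND its condition holds."""
    if not policy.target(req) or not policy.condition(req):
        return Decision("NotApplicable")
    return Decision(policy.effect, list(policy.obligations), [policy.name])


def decide(policies: List[Policy], req: Request) -> Decision:
    """Deny-overrides: one applicable Deny beats any number of Allows. With nothing
    applicable the PDP fails closed, so an 'Allow only ...' policy restricts access
    without needing a matching Deny rule. Obligations of the winning policies are
    handed back for the enforcement point (PEP) to carry out."""
    results = [evaluate(p, req) for p in policies]
    winners = ([r for r in results if r.effect == "Deny"]
               or [r for r in results if r.effect == "Allow"])
    if not winners:
        return Decision("Deny")
    return Decision(winners[0].effect,
                    [o for r in winners for o in r.obligations],
                    [n for r in winners for n in r.applied])


US_OFFICES = ip_network("192.168.0.0/16")           # "Network Address = 192.168.*"
CLASSIFIED = {"Confidential", "Secret", "Top Secret"}

POLICIES = [
    # Policy Model slide: allow only US Engineers to access Project X
    # Specifications from US offices.
    Policy("ProjectX-Specs",
           target=lambda r: r.resource.get("project") == "Project X"
                            and r.resource.get("type") == "Specification",
           condition=lambda r: r.subject.get("location") == "US"
                               and r.subject.get("department") == "Engineering"
                               and ip_address(r.environment.get("network_address", "0.0.0.0"))
                                   in US_OFFICES,
           effect="Allow"),
    # Policy Structure slide: FOR Confidential - Top Secret ON Access BY NOT Employee
    # Level 5 WHERE User.Authority = Resource.Authority DO Allow, Log Access
    Policy("Classified-Access",
           target=lambda r: r.resource.get("classification") in CLASSIFIED
                            and r.action == "Access"
                            and r.subject.get("employee_level") != 5,
           condition=lambda r: r.subject.get("authority") == r.resource.get("authority"),
           effect="Allow", obligations=["Log Access"]),
    # Policy Combining slide: three independently managed rules (details constructed).
    Policy("IP-Control",                    # project data only for the project team
           target=lambda r: "acc" in r.resource,
           condition=lambda r: r.subject.get("acc") == r.resource["acc"],
           effect="Allow"),
    Policy("Export-Compliance",             # ITAR data: US location, and warn the user
           target=lambda r: r.resource.get("exp_security") == "ITAR",
           condition=lambda r: r.subject.get("location") == "US",
           effect="Allow", obligations=["Show Message: ITAR TECHNICAL DATA"]),
    Policy("National-Security",             # deny anyone lacking the required clearance
           target=lambda r: r.resource.get("exp_security") == "ITAR",
           condition=lambda r: not r.subject.get("cleared", False),
           effect="Deny"),
]

# The query on the SAP ECC policy-evaluation slide, as a constructed request.
CARTER = Request(
    subject={"userid": "carter", "department": "Sales", "location": "US",
             "acc": "Project 01", "cleared": True},
    action="Run",
    resource={"ui_function": "Display", "mat": "CRD-100-1", "exp_security": "ITAR",
              "ip": "Proprietary", "export_lic": "NA", "acc": "Project 01"},
)
```

`decide(POLICIES, CARTER)` returns Allow with the obligation `Show Message: ITAR TECHNICAL DATA`, produced by IP-Control and Export-Compliance. Remove the `cleared` attribute and the same request is denied by National-Security alone, with no obligations, which is the "Andy accesses Material A" outcome on the slide. Two details matter in practice: the default is Deny, not NotApplicable, so a request that matches no policy is refused; and only the obligations of the policies that actually produced the effect are returned, so a Deny never carries the warning banner of an Allow it overrode.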
Entitlement Manager for SAP
Use cases: Global Consolidation, Secure Collaboration, Regulatory Compliance, Data & IP Security
SAP Entitlement Manager modules:
• DC – Data Classification
• DS – Data Segregation
• AC – Access Control
• RP – Rights Protection
• AL – Audit
End-to-End Information Controls
(Figure: a “Tech Data.dwg” file belonging to Project X passes through each control; policies come from the Control Center Information Control Platform via XACML and span Identity, Controls and Data)
• Secure data @ the source - Entitlement Management: Allow only members of Project X to access Project X data
• Secure data use - Rights Management: Deny copy/paste of Project X data; encrypt Project X data on USB
• Secure external collaboration - Communication Control: Deny sharing Project X data outside the Project X team
NextLabs Information Risk Management Suite
Control Center Policy Platform
• Information Control Policy Model: Identity, Data, Events; expressed in XACML
• Information Control Automation
• Information Control Enforcement: data classification, data segregation, access control, data encryption, communication control, activity monitoring
Enforcement layers: Application Enforcement, Document Enforcement, Enforcement Developer
Enforcement integrations:
• SAP ERP, SAP CRM, SAP DMS
• File Server (CIFS/NFS)
• Microsoft SharePoint, Microsoft Windows DAC
• Dassault Enovia PLM, Siemens Teamcenter PLM
• IBM FileNet P8
• Rights Management Server, Rights Management Client
Developer interfaces: SOAP/REST, Java, C#, C++
SAP Endorsed Business Solutions (EBS)
An SAP Ecosystem “By Invitation Only” Program
• Application-level integration with a 3-month solution qualification to ensure the end-to-end business process
• Complementary solutions selected by SAP Product and Industry groups
• Endorsed by SAP and sold by partners
• Product roadmap guided by SAP based on a Cooperative Development Agreement
“The use of NextLabs with SAP ERP enables customers to comply with export regulations such as ITAR and offers them greater flexibility in designing and enforcing IP security policies.”
- Magnus Bjorendahl, Global Head of A&D IBU, SAP
World Class Customers
Industries: Financial Services, High Technology, Industrial Manufacturing, Chemical, Aerospace & Defense
NextLabs Overview
About NextLabs
• NextLabs Entitlement Manager is an SAP-Endorsed Business Solution.
• Policy-driven information risk management software for Global 5000 enterprises.
• Helps companies achieve safer and more secure internal and external collaboration.
• Ensures proper access to applications and data.
Facts
• Locations: HQ San Mateo, CA; Boston, MA; Hangzhou, PRC; Malaysia; Singapore
• 40+ patent portfolio
• Major go-to-market partners: SAP, Microsoft, IBM, Deloitte, HCL-AXON
“We allow companies to preserve confidentiality, prevent data loss and ensure compliance across more channels and more points with a single unified solution with unmatched user acceptance and total cost of ownership.”
- Keng Lim, Chairman and CEO
Thank you
Tim Quan
Director, SAP Industries & Solutions
NextLabs
2 Waters Park Drive, Suite 250, San Mateo, CA 94403
T +1 650-577-9101
E [email protected]