next generation access controls
TRANSCRIPT
Next Generation Access Control
Urban Söderström
© Axiomatics 2016 2
Access Control is as easy as in the Middle Ages
Only 2 options: • Store data safely & • control access
• Make data unusable
© Axiomatics 2016 3
But internal and external requirements makes the picture much more complex …..
And the outside world where data is used ….. has changed How ?
Collaboration
Regulatory Compliance and Governance
New business & mobile-driven interactions
Time-to-market
© Axiomatics 2016 4
1) Diligent 24 x 7 cyber crime professionals around
• Ransome ware for bitcoins • Advanced Persistent Threat • Spearfishing • National surveillance breaches
Night and day working on their Continuing Professional Education
© Axiomatics 2016 5
2) Population of computer users has changed
Expert engineers But also • Your grandma • Your todler • Your malware • Your fridge • ……… Everyone is a user With digital identity
© Axiomatics 2016 6
3) Identity ontology for every individual
My ID as a…. Customer Supplier Partner Private user Administrator Anonymous user Machine Fraudster, mule
Identity Federation E-ID E-Citizenship Mobil-ID Bank-ID …….
© Axiomatics 2016 7
4) Rapid evolving usability requirements – “seven any”
Any one Any time Any where Any device Any networg Any app
Across any value chain Easy and fast
© Axiomatics 2016 8
5) Purpose of data use has changed Internet of Things E-Municipality E-Government Smart cities Mobility Environment Commodities Medical Safety Living Drone delivery Robot distribution Physical surveillance
© Axiomatics 2016 9
6) Globalisation & data correlation Connectivity across Datasets Applications “Things” Value chains Companies Continents Jurisdictions Platforms Devices Clouds API´s interoperability
© Axiomatics 2016 10
7) Big data analytics Visual data discovery Automated decision-making 70% of large organizations Purchase external data 100% by 2019 (Forbes) 180.000 data analysts in US 2018 E.g. fraud detection Well combined with physical security tools This requires Access Management BaaS = Back-end of IoT as a service
© Axiomatics 2016 11
8) Increased control, legislation & regulation
Data protection - GDPR 1) Consistency across European Union
1) One-stop-shop for citizens and business 2) Scope: service providers outside Europe delivering EU services 3) Right to be forgotten-Right to erasure:
1) “Privacy by design” & “privacy by default” 2) Right to be forgotten also applicable to third parties
4) Notification of breach mandatory 1) High fines
5) Payment Services Directive II 1) Mandatory to share customers profiles and data with 3rd parties 2) On request (with customers consent & still adhering to the 3) data protecting regulation)
© Axiomatics 2016 12
Responding to all trends with old school static IAM ?
Transaction request
Authorisation Entitlements For the ID
Assets +
data
authentication Identity
+ properties
Password Token PIN Biometric Multifactor Behaviour
© Axioma)cs 2016 13
By 2020, 70 percent of enterprises will use ABAC as
the dominant mechanism to protect critical assets
“
70% ”
Gartner, 2013
NO ! - Dynamic and fine-grained IAM on data level required
© Axiomatics 2016 14
Application access = OUT Services, Big data, Federation = IN
Access control on application level falls short RBAC is too static Security is required on the level of datasets, data subject Data Centric Security Attibute Based Access Control
Transaction request
© Axiomatics 2016 15
Every single transaction request…
The only thing persistent is The request for a transaction
(with all its relevant properties)
© Axiomatics 2016 16
deserves an individual VIP treatment
Access decision engine” • real time • context aware • rule based • customised • flexible • fine-grained access decisions
© Axioma)cs 2016 17
⁃ Policies to protect assets / IP ⁃ Policies to prevent fraud ⁃ Policies to comply with external regulations ⁃ Policies to be more efficient ⁃ Policies to enable new business
⁃ CEOs, CIOs, CISOs, CDOs and other CXOs have responsibilities to define and implement these policies
⁃ Security and compliance are board-level issues: requires key policies in place to protect the Enterprise’s interests, IP and to safeguard their investments
Modern Enterprises need to be policy-driven
© Axiomatics 2016 18
⁃ Modern dynamic enterprises need modern dynamic authorization models to meet requirements for ease of change and centralization
⁃ Authorizations to… ⁃ Protect sensitive data ⁃ Protect critical assets ⁃ Protect critical transactions
Attribute Based Access Control is the new dynamic model
Access Policies
© Axiomatics 2016 19
Security everywhere Centralized Rules Management
Data Layer
Service Layer
Process layer
Presentation Layer
Distributed rules enforcement
© Axiomatics 2016 20
Finegrained context aware access mmnt - building blocks
user profile database
identity federation trust level framework
framework to manage interaction of rule sets e.g conflicting rules, hierarchy, veto, ownership
rulesets in rule engines
© Axiomatics 2016 21
Attribute Based Access Control “Context Based”, or “Rule Based” Access Control: • Fine-grained • Additional authentication if reqiured (“step-up”) • Flexible – Easy access if possible, complex when required • Configuration of rules in IAM: short time-to-market (not programmed in applications) • Risk level on dataset or transaction • Trustlevel on authentication context • Immediate intervention in case of compromise (trustlevel attribute) • From RBAC to ABAC or hybrid (role is also a rule!)
© Axiomatics 2016 22
Attribute-Based Access Control A context-aware and dynamic authorization model
Who? What? When? Where? Why? How?
© Axiomatics 2016 23
GDPR or PSD-2 is a opportunity to start using ABAC ⁃ DPR – GDPR requires changes in your rule and policy
governance ⁃ By using ABAC you don´t have to rework your rule and policy
governance in every application when changes are applied ⁃ You can include the Business in the process by using Business
processes when creating new policys
© Axiomatics 2016 24
Compared to legacy RBAC models…
⁃ Permissions assigned to roles
⁃ Roles assigned to users
⁃ Applications handle access
control intentionally
© Axiomatics 2016 25
Using ABAC to extend role definitions
⁃ ABAC uses attributes and policies to implement precise controls
⁃ ABAC extends roles with ⁃ Context and ⁃ Relationships
⁃ ABAC utilizes attributes of the user as well as the resource to represent relationships
© Axioma)cs 2016 26
Axiomatics provides enterprise software for access control
© Axiomatics 2016 27
Who we are… About Axiomatics...
Offices in USA and Sweden
Venture-backed since 2013
90% growth in 2015
© Axiomatics 2016 28
Our Customers
⁃ Fortune 500 ⁃ Government Agencies ⁃ Vertical market expertise
⁃ Financial services (banking, insurance) ⁃ Highly-regulated industries (pharmaceuticals, aerospace, automotive…) ⁃ Media companies
Success stories
⁃ Securing online payments for 200 million users ⁃ Securing exchange of clinical trial data in
pharmaceutical research ⁃ Millions of transactions a day secured for one of the
world’s largest banks ⁃ Protecting privacy for insurance company’s clients ⁃ Compliance with Export Control regulations for aircraft
manufacturers ⁃ Copyright-protected streaming media for authorized users only ⁃ Improving speed and quality of health IT systems for
veterans nationwide
© Axiomatics 2016 30
Axiomatics Solutions ⁃ Authorization for Applications
⁃ Business logic and middleware ⁃ APIs and web services ⁃ On-premise and cloud applications
⁃ Authorization for Databases ⁃ Relational databases ⁃ Big Data
⁃ Access Review on policies ⁃ Prove regulatory compliance and
permissions of users or groups ⁃ Real-time review of dynamic authorization ⁃ Internal reporting and auditing needed at
various levels of user ⁃ Review what your employees can do
© Axiomatics 2016 31
31
Structuring the Policies The Authorization Policy Lifecycle
© Axiomatics 2016 32
Deploy the architecture – Defence in Depth
© Axiomatics 2016 33
Questions?