© 2014 Axiomatics AB 1

Building an effective API security framework using ABAC

Webinar: October 15, 2014

© 2014 Axiomatics AB 2

2:001:591:581:571:561:551:541:531:521:511:501:491:481:471:461:451:441:431:421:411:401:391:381:371:361:351:341:331:321:311:301:291:281:271:261:251:241:231:221:211:201:191:181:171:161:151:141:131:121:111:101:091:081:071:061:051:041:031:021:011:000:590:580:570:560:550:540:530:520:510:500:490:480:470:460:450:440:430:420:410:400:390:380:370:360:350:340:330:320:310:300:290:280:270:260:250:240:230:220:210:200:190:180:170:160:150:140:130:120:110:100:090:080:070:060:050:040:030:020:01NOWCount-down for webinar start:

Webinar: October 15, 2014

Building an effective API security framework using ABAC

© 2014 Axiomatics AB 3

Guidelines

You are muted centrally

The webinar is recorded

Slides available for

download

Q&A at the end

© 2014 Axiomatics AB 4

Today’s speakers

Alex GudanisPrincipal Solutions ArchitectAdvancive Technology Solutions

David BrossardVP Customer Relations Axiomatics

© 2014 Axiomatics AB 5

Agenda

API Security Framework

Demo

Q&A

© 2014 Axiomatics AB 6

Who is Axiomatics?Leading provider of ABAC - Attribute Based Access Control

Global deployments

200M+ users

100s of apps

Product and Innovation leader

© 2014 Axiomatics AB 7

2009US Federal CIO Council –(FICAM) Roadmap and Implementation Plan v1.0advocates ABAC

2011FICAM v2.0:ABAC is recommended access control model for promoting information sharing between diverseand disparate organizations

2014Gartner predicts:”By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protectcritical assets,up from 5% today.”

2012National Strategy for Info Sharing & Safeguarding included a Priority Objective to implement FICAM roadmap

2014NIST Guide to ABACSP 800-162 published

2014KuppingerColeLeadership Compasson Dynamic Authorization

”Dynamic Authorization Management is arguably the most exciting area in identity and access management today.”

ABAC Timeline

© 2014 Axiomatics AB 8

A mode of externalized authorization

Authorization policies/rules are managed in a centralized service (deployment can be centralized/distributed/hybrid)

The Extensible Access Control Markup Language (XACML) is an example of an ABAC system

Policies utilize attributes to describe specific access rules, which is why it is called attribute based access control

What is Attribute Based Access Control (ABAC)?

© 2014 Axiomatics AB 9

Or put another way…

ABAC enables the Any-Depth Architecture

© 2014 Axiomatics AB 10

Axiomatics Data Access Filter

Integration with Layer 7 API

Gateway

Spring Security Integration

© 2014 Axiomatics AB 11

Who is Advancive?

Pasadena, CA

Bangalore, India

Established in May 2009

Headquartered in Southern California, with additional delivery center in Bangalore and serving clients globally

Consulting and systems integration firm with core competency in Identity & Access Management Solutions Design & Implementation

Serving clients in several key verticals, such as Financial, Healthcare, Telecom, High-Tech and Manufacturing

Case Study Overview• Clinical Decision Support System offered as a service

• Provides data access APIs to a variety of clients, including electronic health information exchange (HIE) networks and mobile applications

• Main goal – ensure that all the necessary controls are provided to meet project security and compliance requirements

• Key requirement – provide a flexible attribute based authorization framework that can be reused across all layers of the application architecture

© 2014 Axiomatics AB 12

© 2014 Axiomatics AB 13

Solution Architecture Overview

© 2014 Axiomatics AB 14

Reusable authorization framework and policies are built around HL7 Security and Privacy Ontology Use Cases (http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology)

Cover main areas of access control of an EHR system: Access Control Based on Category of Action Access Control Based on Category of Object Access Control Based on Category of Structural Role Access Control Based on Category of Functional Role Access Control Based on Multiple Role Values

Authorization Framework

© 2014 Axiomatics AB 15

Controls access to an object based on the type of action to be performed on it

A primary physician can CREATE patient’s progress note

A physician can UPDATE patient’s progress note that he/she wrote themselves

Access Control Based on Category of Action

© 2014 Axiomatics AB 16

Controls access to an object based on the type of object it is

A primary physician can have full access to patient’s ASSESSMENT

A primary physician can not access patient’s PAYMENT HISTORY without additional authorization

Access Control Based on Category of Object

© 2014 Axiomatics AB 17

Controls access to an object based on the structural role assigned to the user requesting access. A structural role reflects a human or organizational category

A PHYSICIAN can read medical records of all patients

An ADMISSIONS CLERK doesn’t have access to patients’ medical records without additional authorization

Access Control Based on Category of Structural Role

© 2014 Axiomatics AB 18

Controls access to an object based on the functional role assigned to the user requesting access. Functional roles are bound to the performance of actions carried out by an entity. The period of functional role assignment can be limited to the privileged access time interval

An alternate privileged healthcare professional can read or update patient’s medical record, including sensitive medical information, while that patient’s primary physician is on vacation

Access Control Based on Category of Functional Role

© 2014 Axiomatics AB 19

Controls access to an object based on a user being assigned more than one role attribute value

A staff physician, i.e. a user that has the roles of both PHYSICIAN and HOSPITAL STAFF MEMBER, can update patient’s care plan

Access Control Based on Multiple Role Values

© 2014 Axiomatics AB 20

Process of Defining an Authorization Policy

Analyze functional use

case

Develop natural language policies

(NLP)

Translate NLPs into executable

policies and attributes using policy authoring

tools

© 2014 Axiomatics AB 21

Actors

Sam Jones – Patient at the Hospital

Dr. Bob – Physician at the Hospital, primary physician for Sam Jones

Dr. Dan – Physician at the Hospital, who also treats Sam Jones

Example: Use Case

© 2014 Axiomatics AB 22

Basic Scenario

Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Dr. Bob notices a transcription error in a progress note he had made for Mr. Jones’ last hospital visit. Dr. Bob corrects the error and updates the progress note. Dr. Bob opens a new progress note, enters his observations of Mr. Jones’ condition and appends the results of a recent blood test to the progress note.

Example: Use Case

© 2014 Axiomatics AB 23

Post-Condition

A progress note regarding a past visit Mr. Jones’ made to the hospital has been updated and a new progress note has been created and appended to. This updated progress note becomes a part of his medical record.

Example: Use Case

© 2014 Axiomatics AB 24

Alternative Scenario

Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Dr. Bob notices a transcription error in a progress note Dr. Dan had made for Mr. Jones’ last hospital visit. Dr. Bob attempts to correct the error but is denied this privilege by the system.

Example: Use Case

© 2014 Axiomatics AB 25

Post-Condition

The progress note regarding Mr. Jones’ last hospital visit remains unchanged.

Example: Use Case

© 2014 Axiomatics AB 26

Example: Natural Language Policies

Policy ID

Policy

1 A primary physician can create and update a patient’s progress note

2 A physician can update a patient’s progress note if he or she is the author of that progress note

© 2014 Axiomatics AB 27

namespace user{

attribute role{

category = subjectCat

id = "com.axiomatics.hl7.user.role"

type = string

}

attribute requestorId{

category = subjectCat

id = "com.axiomatics.hl7.user.requestorId"

type = string

}

}

namespace action{

attribute action{

category = actionCat

id = "com.axiomatics.hl7.action.id"

type = string

}

}

Example: ALFA Policy

© 2014 Axiomatics AB 28

namespace object{

attribute author{

category = resourceCat

id = "com.axiomatics.hl7.object.author"

type = string

}

}

namespace patient{

attribute primaryPhysician{

category = resourceCat

id = "com.axiomatics.hl7.patient.primaryPhysician"

type = string

}

}

Example: ALFA Policy

© 2014 Axiomatics AB 29

policyset global{

apply firstApplicable

progressNotes

}

policy progressNotes{

target clause objectType=="progress note"

apply firstApplicable

rule createNote{

target clause role=="physician" and action=="create"

condition primaryPhysician==requestorId

permit

}

rule updateNote{

target clause role=="physician" and action=="update"

condition author==requestorId

permit

}

}

Example: ALFA Policy

© 2014 Axiomatics AB 30

REST style API using XML payload

Can also be implemented as a SOAP web service or REST/JSON API

HTTP POST to: /HL7/patient/create/progressnote /HL7/patient/update/progressnote

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<progressNote>

<id>11</id>

<patentid>1001</patentid>

<patientRecordId>1</patientRecordId>

<physicianid>A101</physicianid>

<note>Patient is suffering from headache</note>

<sensitive>false</sensitive>

<visitedDate>2013-12-01T00:00:00-08:00</visitedDate>

</progressNote>

Implementation: API specification

© 2014 Axiomatics AB 31

Active Directory – hospital staff accounts along with their role information

Oracle Database – backend data tables for API implementation ACTORS – hospital staff information

PATIENT – patient information

PATIENT_MEDICALHISTORY – patient medical records

PATIENT_PROGRESSNOTE – patient progress notes

Implementation: Data Sources

© 2014 Axiomatics AB 32

Public API definition

Request and schema validation, API threat protection

Request authorization via Axiomatics PDP No XACML PEP as a pre-built component, but can be

implemented as a reusable policy fragment, using out of the box HTTP request routing capability

Build XACML request from API request attributes and payload and analyze XACML response for authorization decision

Supplies a portion of required policy attributes, others are evaluated by Axiomatics policy server via Attribute Connectors

Implementation: Layer 7 Configuration

© 2014 Axiomatics AB 33

Additional authorization checks can be performed on the app layer as well

Can be the same set of policies or a more fine-grained subset

For Java applications, a good fit would be to implement XACML PEP as a custom PermissionEvaluator within Spring Security framework Decouples authorization from application logic, which provides

for reuse and consistent enforcement Allows for declarative security using annotations in the method

definition, such as:@PreAuthorize("hasPermission(#progressnote,'progress note', 'create')")

Authorization on the App Layer

© 2014 Axiomatics AB 34

We can effectively use ABAC, XACML and Axiomatics to build API security frameworks

Axiomatics policy server can be integrated with a variety of platforms, including API gateways, such as Layer 7

Decouple authorization logic from API implementation

Provide consistent policy enforcement across multiple APIs and layers of application architecture

Summary

© 2014 Axiomatics AB 35

Questions?Thank you for listening

© 2014 Axiomatics AB 36

Headquarters201 South Lake Avenue | Suite 703 | Pasadena, CA 91101 | www.advancivetech.com

Art Poghosyan, Managing Director

E: artyom.poghosyan@advancivetech.com

T: 213.915.4142

Alex Gudanis, Principal Solutions Architect/CTO

E: alex.gudanis@advancivetech.com

T: 714.388.5565

Sameer Hiremath, Director (India Operations)

E: sameer.hiremath@advancivetech.com

T: 9180 4216239

Advancive Key Contacts

© 2014 Axiomatics AB 37

Don’t miss out on these webinars!

Oct 30: ABAC: ready, steady, go!

Nov 30: Securing data is a four letter word

Upcoming events & webinars

Register on www.axiomatics.com/events