Attribute Based Access Control for Data Protection – Webinar, May 8
DESCRIPTION

Webinar on May 8, 2014. In the past, protection of sensitive data has revolved around a patchwork of complementary methods and technologies. Transparency is compromised as complexity increases, and the overall solution still suffers from severe blind spots. In a database, stored procedures and triggers may be used to compensate for gaps created by the role based access control (RBAC) model of the application. Data masking may be used to filter out sensitive information after it has been retrieved from the database (although the user didn't have sufficient permissions to view it in the first place). In the application, developers may need to introduce intricate application logic to balance the effects of a coarse-grained role model. In the end, the mutual dependencies between compensatory measures become yet another challenge. No one really knows how a change in one place impacts another. To read more, please visit www.axiomatics.com.

TRANSCRIPT
© 2014 Axiomatics AB

Attribute Based Access Control for Data Protection
Webinar: May 8, 2014

Guidelines
You are muted centrally
The webinar is recorded
Slides available for download
Q&A at the end

Today’s speakers
David Brossard, Andrew Hindle

Agenda
The Data Protection Problem
Attribute Based Access Control
Introducing Data Filtering
Key benefits and next steps
Q&A

The data protection problem
[Chart: Information storage – global increase (based on Hilbert and Lopez, 2011). The x-axis runs over the years 1986 to 2007 and the y-axis from 0 to 300; the share of stored information that is digital rises from ~0,7% to ~93% over the period.]
[Timeline: DAC, MAC, RBAC, ABAC – increasing access control challenges]

The data protection problem
Protecting intellectual property
Different types of users need access to different types of data in different phases of Product Life Cycles
Organizations need to protect their own IP
They also act as the custodians of sensitive data from third parties

The data protection problem
Protecting credit card numbers, financial data, accounts, etc.
Privacy regulations

The data protection problem
Big Data: Internal, 3rd Party
Big Opportunity: Optimize, Extend
Big Responsibility: Ethical, Regulatory

Attribute Based Access Control
ABAC: A new pattern

Attribute Based Access Control
Role based access control (RBAC) – predominant now
[Diagram: users are placed in a role (role membership); the role carries permissions over information assets]
The RBAC sudoku
Attribute Based Access Control

Attribute Based Access Control (ABAC)
ABAC takes multiple factors into account
Not just user roles…
But also attributes in the language of the business, defining what information assets users try to access, their actions, the context and so on
Policies define precise access rules
It’s not just about WHO, but also WHAT, WHERE, WHEN, WHY and HOW

Example: Corporate policy access control
"Project members may change project specification documents as long as the project is in the planning phase. Once the project is in a production phase, the project lead may change specifications if and only if there has been a change control board decision authorizing the change."
The policy refers to four kinds of attributes:
Subject attributes
Action attributes
Resource attributes
Environment attributes
Attribute Based Access Control (ABAC)
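The corporate policy above can be expressed as a small set of attribute-based rules. The following Python script is an added illustration, not code from the webinar or from Axiomatics, and it is a toy evaluator rather than a XACML engine. The attribute names (projects, lead_of, type, phase, ccb_decision), the first-applicable combining order and the choice to model the change control board decision as an environment attribute are all assumptions made for the example; the request carries one attribute bag per category (subject, action, resource, environment) as the slide lists them.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# One attribute bag per category, mirroring the four categories on the slide.
Attrs = Dict[str, object]


@dataclass
class Request:
    subject: Attrs
    action: Attrs
    resource: Attrs
    environment: Attrs


@dataclass
class Rule:
    name: str
    effect: str                                   # "Permit" or "Deny"
    target: Callable[[Request], bool]             # does the rule apply at all?
    condition: Callable[[Request], bool] = lambda r: True


def first_applicable(rules: List[Rule], req: Request) -> str:
    """Evaluate rules in order; the first whose target and condition both hold
    decides. With no match the answer is NotApplicable, which an enforcement
    point must treat as Deny (deny by default)."""
    for rule in rules:
        if rule.target(req) and rule.condition(req):
            return rule.effect
    return "NotApplicable"


def is_spec_change(req: Request) -> bool:
    # Shared target: the action is "change" on a project specification document.
    return (req.action.get("id") == "change"
            and req.resource.get("type") == "project-specification")


# Hypothetical encoding of the webinar's corporate policy (attribute names assumed).
SPEC_POLICY = [
    Rule(
        name="members-edit-in-planning",
        effect="Permit",
        target=is_spec_change,
        condition=lambda r: (r.resource["project"] in r.subject.get("projects", ())
                             and r.resource["phase"] == "planning"),
    ),
    Rule(
        name="lead-edits-in-production-with-ccb-decision",
        effect="Permit",
        target=is_spec_change,
        condition=lambda r: (r.resource["project"] in r.subject.get("lead_of", ())
                             and r.resource["phase"] == "production"
                             and r.environment.get("ccb_decision") is True),
    ),
    # Catch-all for the same target: any other change to a spec document is denied.
    Rule(name="deny-other-spec-changes", effect="Deny", target=is_spec_change),
]


def decide(subject: Attrs, action: str, resource: Attrs, environment: Attrs = None) -> str:
    """Build the request from the four attribute bags and evaluate SPEC_POLICY."""
    req = Request(subject, {"id": action}, resource, environment or {})
    return first_applicable(SPEC_POLICY, req)


if __name__ == "__main__":
    alice = {"id": "alice", "projects": {"P1"}}                   # project member
    bob = {"id": "bob", "projects": {"P1"}, "lead_of": {"P1"}}    # project lead
    spec = {"type": "project-specification", "project": "P1", "phase": "planning"}
    prod_spec = dict(spec, phase="production")
    print(decide(alice, "change", spec))                                # Permit
    print(decide(alice, "change", prod_spec, {"ccb_decision": True}))   # Deny
    print(decide(bob, "change", prod_spec, {"ccb_decision": True}))     # Permit
    print(decide(bob, "change", prod_spec, {"ccb_decision": False}))    # Deny
    print(decide(bob, "read", prod_spec))                               # NotApplicable
```

The point to notice is that neither rule mentions a role as such: membership, leadership, project phase and the board decision are all attributes, and a change in the business rule (say, allowing a second approver) becomes a change to one condition rather than a new role or a new code path in the application.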

Attribute Based Access Control (ABAC)
The ABAC trend 2014
2011: FICAM v2.0 – ABAC recommended as the access control model for promoting information sharing between diverse and disparate organizations.
2013: XACML version 3.0
2014: NIST Guide on ABAC
2014: Gartner predicts: “By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today.”

Data Protection: A new approach

Data Protection
Data Protection: What you want and why it’s hard
You want to:
Provide access to the right data to the right person at the right time
Prevent data leakage
Quickly adapt to – and implement access policies for – new business requirements and regulations
Reliably apply policies across the entire application estate
Easily report and demonstrate compliance
It’s hard because:
You have lots of different applications – including legacy, external, and custom apps – that are hard and costly to refactor
Existing solutions inhibit you from reacting rapidly enough to complex and evolving requirements

Data Protection
Current data protection landscape
Data is usually protected by:
Encryption/Hashing
Masking
Application-level RBAC
But that leaves gaps…
Encryption prevents everyone from seeing the data; hard to manage; a blunt tool
Masking ‘hides’ the data – but you can still see that it exists. Masking is sometimes used to hide data that has been retrieved from the database although the user should not have had access in the first place!
Role-based access control restricts data access to certain users… but managing that over time (especially with external users) is hard, and it’s a blunt tool (which is why the industry is moving to ABAC!)

Data Protection
Security Landscape
[Diagram: people, devices and applications reach the data through applications and APIs]
ABAC is normally implemented at the Application level…

Data Protection
Issues to consider
Applications need refactoring
Legacy applications may not be able to be updated
Application developers may not have the same concerns about data protection (lower priority)
API proliferation exacerbates the problem
External applications are outside your control
How do you regain control?

Data Protection
Application Security Landscape
[Diagram: people, devices and applications reach the data through applications and APIs]
ABAC is normally implemented at the Application level…
…what if you could implement ABAC at the database level?

ADAF: Axiomatics Data Access Filter

Axiomatics Data Access Filter
Introducing ADAF (Axiomatics Data Access Filter)
Attribute-based data filtering
Filters data at source, applying your policies before data is returned
Key Benefits:
Standards-based (XACML)
Easy to deploy & maintain
Standalone, or part of a complete XACML deployment
High-performance, scalable and flexible

Axiomatics Data Access Filter
Understanding Data Filtering
Rewrites the query at runtime
Ensures that only the data which policy permits is returned
Can be combined with other data protection mechanisms
Example: a Sales Manager can see Commission for Sales Reps in their own teams

Axiomatics Data Access Filter
Filter vs. Mask
ADAF Filtering: SELECT * FROM COMMISSION WHERE TEAM = {filter_value}
Nick – North – $70
Annabelle – North – $700
Conventional masking: SELECT * FROM COMMISSION
Jane – South – $xxx
Joe – South – $xxx
Nick – North – $70
Annabelle – North – $700

Axiomatics Data Access Filter
[Diagram: query flow through the filter]
Application sends: SELECT * FROM table WHERE username=‘bob’
The filter, driven by XACML policies & external PIP data, rewrites it to: SELECT * FROM table WHERE username=‘bob’ AND value<3000
The database returns {FILTERED DATA} to the filter, which passes {FILTERED DATA} back to the application

Axiomatics Data Access Filter
What Can We Filter
Row Level: Managers can see all details, only for their own regions
SELECT * FROM commissions WHERE region IS xxx
Column Level: Sales Admins can see repnames and regions, but only commissions for their admin region
SELECT repname, commissions FROM commissions WHERE region IS xxx
Combined to get Cell Level: Regional HR can see commissions for their own regions only
Sample commissions table:
RepName    Region   Commission
Jane       1,2      $40,000
Mike       1        $20,000
Angela     2,3      $5,000
Bryan      3        $100,000
Samantha   2        $15,000
Kevin      1,3      $2,000
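To make the query-rewriting idea of the last few slides concrete (the filter-vs-mask comparison, the rewritten "bob" query, and the row, column and cell level cases above), here is an added Python example. It is not Axiomatics' code and says nothing about how ADAF is built internally; it loads the sample commissions table into an in-memory SQLite database and rewrites a SELECT according to a small per-role policy. The role names, the POLICY structure, and the encoding of a rep's regions as a comma-separated list are assumptions made for the example. Attribute values are passed as bound parameters rather than spliced into the SQL text, and the column list comes from the policy rather than from the caller, so the rewrite step cannot itself become an injection point.

```python
import sqlite3
from typing import Dict, List, Sequence, Tuple

# Constructed sample data, modelled on the commissions table shown in the
# webinar. A rep may cover several regions, stored as a comma-separated list.
SAMPLE_ROWS = [
    ("Jane", "1,2", 40000),
    ("Mike", "1", 20000),
    ("Angela", "2,3", 5000),
    ("Bryan", "3", 100000),
    ("Samantha", "2", 15000),
    ("Kevin", "1,3", 2000),
]

# Hypothetical filtering policy per role. "columns" is the projection the role
# may see at all; "region_scoped" lists columns blanked (NULL) on rows outside
# the caller's own regions; "rows" says whether whole foreign rows are dropped.
POLICY: Dict[str, dict] = {
    "manager":     {"rows": "own_regions", "columns": ["repname", "region", "commission"], "region_scoped": []},
    "sales_admin": {"rows": "all",         "columns": ["repname", "region"],               "region_scoped": []},
    "regional_hr": {"rows": "all",         "columns": ["repname", "region", "commission"], "region_scoped": ["commission"]},
}


def region_predicate(n_regions: int) -> str:
    """SQL fragment that is true when the row's region list contains any of
    n_regions bound values. Values are bound through '?' so attribute values
    fetched from a PIP are never concatenated into the statement text."""
    if n_regions == 0:
        return "0"          # caller has no regions: the predicate is simply false
    one = "(',' || region || ',') LIKE ('%,' || ? || ',%')"
    return "(" + " OR ".join([one] * n_regions) + ")"


def rewrite(role: str, regions: Sequence[str]) -> Tuple[str, List[str]]:
    """Rewrite 'SELECT * FROM commissions' for this role, returning the new
    statement and its bound parameters (in textual order of the '?' marks)."""
    policy = POLICY[role]
    pred = region_predicate(len(regions))
    select_items, params = [], []
    for col in policy["columns"]:                   # column list comes from policy, not the caller
        if col in policy["region_scoped"]:          # cell level: blank out-of-region values
            select_items.append(f"CASE WHEN {pred} THEN {col} ELSE NULL END AS {col}")
            params.extend(regions)
        else:                                        # column level: plain projection
            select_items.append(col)
    sql = f"SELECT {', '.join(select_items)} FROM commissions"
    if policy["rows"] == "own_regions":              # row level: drop foreign rows entirely
        sql += f" WHERE {pred}"
        params.extend(regions)
    return sql, params


def setup() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE commissions (repname TEXT, region TEXT, commission INTEGER)")
    conn.executemany("INSERT INTO commissions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def run(conn: sqlite3.Connection, role: str, regions: Sequence[str]) -> List[tuple]:
    """Execute the rewritten query for a caller with the given role and regions."""
    sql, params = rewrite(role, regions)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = setup()
    for role, regions in [("manager", ["1"]), ("sales_admin", []), ("regional_hr", ["2"])]:
        sql, params = rewrite(role, regions)
        print(f"{role} {regions}: {sql} {params}")
        for row in run(conn, role, regions):
            print("   ", row)
```

Running it shows the difference the slides draw between filtering and masking: the manager query never returns rows for other regions at all, the sales admin projection never returns the commission column, and the regional HR query returns every row but only the in-region commission values, with NULL where a masking product would have shown "$xxx".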

Axiomatics Data Access Filter
Key Capabilities
Powerful policy support:
XACML 3.0
User attributes from any supported PIP store (LDAP, SQL etc…)
Multi-database capability
Enterprise-ready:
Fault-tolerant
High performance
Datacenter ready

Axiomatics Data Access Filter
Summary & Next Steps
Big Data > Big Opportunity > Big Responsibility
Standards-based ABAC (XACML) is a key enabling platform
Look for quick business wins to support your long-term strategy
Don’t let application development/maintenance lifecycles hold you up
Protect data at source: if it doesn’t need to leave the data store, it shouldn’t leave the data store

Questions? Thank you for listening

Upcoming events & webinars
Don’t miss out on these events!
May 13th – 16th (Munich, Germany): European Identity Conference
May 21st (Stockholm, Sweden): Stockholm Breakfast Seminar – learn how Nordea is using Axiomatics to solve privacy issues
June 3rd – June 5th (Phoenix, AZ): Identity Relationship Management Summit
July 19th – July 23rd (Monterey, CA): Cloud Identity Summit
December 2nd – December 4th (Las Vegas, NV): Gartner Identity & Access Management Summit North America
More at https://axiomatics.com/events