attribute based access control for data protection webinar may 8

Attribute Based Access Control for Data Protection. Webinar: May 8, 2014. © 2014 Axiomatics AB

Upload: axiomatics-ab

Post on 22-Nov-2014


DESCRIPTION

Webinar on May 8, 2014. In the past, protection of sensitive data has revolved around a patchwork of complementary methods and technologies. Transparency is compromised as complexity increases, and the overall solution still suffers from severe blind spots. In a database, stored procedures and triggers may be used to compensate for gaps created by the role based access control (RBAC) model of the application. Data masking may be used to filter out sensitive information after it has been retrieved from the database (although the user didn't have sufficient permissions to view it in the first place). In the application, developers may need to introduce intricate application logic to balance the effects of a coarse-grained role model. In the end, the mutual dependencies between compensatory measures become yet another challenge. No one really knows how a change in one place impacts another. To read more, please visit www.axiomatics.com.

TRANSCRIPT

Page 1: Attribute based access control for data protection webinar may 8

© 2014 Axiomatics AB 1

Attribute Based Access Control for Data Protection

Webinar: May 8, 2014

Page 2

Count-down for webinar start

Webinar: May 8, 2014

Attribute Based Access Control for Data Protection

Page 3

Guidelines

You are muted centrally

The webinar is recorded

Slides available for download

Q&A at the end

Page 4

Today’s speakers

David Brossard, Andrew Hindle

Page 5

Agenda

The Data Protection Problem

Attribute Based Access Control

Introducing Data Filtering

Key benefits and next steps

Q&A

Page 6

Information storage – global increase


The data protection problem

Based on: Hilbert and Lopez, 2011

[Chart: global information storage from 1986 to 2007, with the digital share rising from ~0.7% to ~93%. Overlaid timeline of access control models: DAC, MAC, RBAC, ABAC, with increasing access control challenges.]

Page 7

Protecting intellectual property

Different types of users need access to different types of data in different phases of product life cycles

Organizations need to protect their own IP

They also act as the custodians of sensitive data from third parties

The data protection problem

Page 8

Protecting credit card numbers, financial data, accounts, etc.

The data protection problem

Page 9

Privacy regulations


Data protection problem

Page 10

The data protection problem

Big Responsibility: Ethical, Regulatory

Big Opportunity: Optimize, Extend

Big Data: Internal, 3rd Party

Page 11

ABAC: A new pattern

Attribute Based Access Control

Page 12

Role based access control (RBAC) – predominant now

Attribute Based Access Control

Role

Information assets

Users in role

Role Membership

Permissions

Page 13

The RBAC sudoku

Attribute Based Access Control

Page 14

ABAC takes multiple factors into account

Not just user roles…

But also attributes in the language of the business defining what information assets users try to access, their actions, the context and so on

Policies define precise access rules

Attribute Based Access Control (ABAC)

It’s not just about WHO, but also WHAT, WHERE, WHEN, WHY and HOW

Page 15

Corporate policy access control

Example:

"Project members may change project specification documents as long as the project is in the planning phase. Once the project is in a production phase, the project lead may change specifications if and only if there has been a change control board decision authorizing the change."

Subject attributes

Action attributes

Resource attributes

Environment attributes

Attribute Based Access Control (ABAC)

Page 16

The ABAC trend

2014: Gartner predicts: ”By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today.”

2011: FICAM v2.0: ABAC recommended as the access control model for promoting information sharing between diverse and disparate organizations.

2013: XACML version 3.0

2014: NIST Guide on ABAC

Attribute Based Access Control (ABAC)

Page 17

Data Protection: A new approach

Data Protection

Page 18

Data Protection: What you Want and Why it’s Hard

You want to:

Provide access to the right data to the right person at the right time

Prevent data leakage

Quickly adapt to – and implement access policies for – new business requirements and regulations

Reliably apply policies across the entire application estate

Easily report and demonstrate compliance

It’s hard because:

You have lots of different applications – including legacy, external, and custom apps – that are hard and costly to refactor

Existing solutions inhibit you from reacting rapidly enough to complex and evolving requirements

Data Protection

Page 19

Current data protection landscape

Data is usually protected by:

Encryption/Hashing

Masking

Application-level RBAC

But that leaves gaps…

Encryption prevents everyone from seeing the data; it is hard to manage and a blunt tool

Masking ‘hides’ the data – but you can still see that it exists. Masking is sometimes used to hide data that has been retrieved from the database although the user should not have had access in the first place!

Role-based access control restricts data access to certain users… but managing that over time (especially with external users) is hard, and it’s a blunt tool (which is why the industry is moving to ABAC!)

Data Protection

Page 20

Security Landscape

[Diagram: people, devices and applications reach the data through applications and APIs. ABAC is normally implemented at the Application level…]

Data Protection

Page 21

Issues to Consider

Applications need refactoring

Legacy applications may not be able to be updated

Application developers may not have the same concerns about data protection (lower priority)

API proliferation exacerbates the problem

External applications are outside your control

How do you regain control?

Data Protection

Page 22

Application Security Landscape

[Diagram: the same landscape of people, devices, applications and APIs in front of the data. ABAC is normally implemented at the Application level…]

…what if you could implement ABAC at the database level?

Data Protection

Page 23

ADAF: Axiomatics Data Access Filter

Page 24

Introducing ADAF: Axiomatics Data Access Filter

Attribute-based data filtering

Filters data at source, applying your policies before data is returned

Key Benefits

Standards-based (XACML)

Easy to deploy & maintain

Standalone; or part of a complete XACML deployment

High-performance, scalable and flexible

Axiomatics Data Access Filter

Page 25

Understanding Data Filtering

Rewrites query at runtime

Ensures only that data which policy permits is returned

Can be combined with other data protection mechanisms

Example: Sales Manager can see Commission for Sales Reps in their own teams

Axiomatics Data Access Filter

Page 26

Filter vs. Mask

ADAF Filtering:

SELECT * FROM COMMISSION WHERE TEAM = {filter_value}

Result:

Nick – North – $70
Annabelle – North – $700

Conventional masking:

SELECT * FROM COMMISSION

Result:

Jane – South – $xxx
Joe – South – $xxx
Nick – North – $70
Annabelle – North – $700

Axiomatics Data Access Filter

Page 27

Axiomatics Data Access Filter

[Diagram: the Application sends SELECT * FROM table WHERE username='bob'. The Data Access Filter, driven by XACML Policies & External PIP data, rewrites it to SELECT * FROM table WHERE username='bob' AND value<3000, so only {FILTERED DATA} is returned to the application.]

Page 28

What Can We Filter

Axiomatics Data Access Filter

Row Level: Managers can see all details, only for their own regions

SELECT * FROM commissions WHERE region = xxx

Column Level: Sales Admins can see repnames and regions, but only commissions for their admin region

SELECT repname, commissions FROM commissions WHERE region = xxx

Combined to get Cell Level: Regional HR can see commissions for their own regions only

RepName   Region  Commission
Jane      1,2     $40,000
Mike      1       $20,000
Angela    2,3     $5,000
Bryan     3       $100,000
Samantha  2       $15,000
Kevin     1,3     $2,000
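Pages 25 to 28 describe the same idea from several angles: the query is rewritten at runtime so that only rows, columns or individual cells the policy permits ever leave the database, in contrast to masking after retrieval. The following is an added example, not Axiomatics code and not the ADAF API: it runs the three filter levels and the masking contrast over an in-memory SQLite table in Python. The role names, the subject attributes and the rewrite_query decision function are assumptions standing in for a XACML policy decision point, and the South amounts are made up because the slide masks them.

```python
import sqlite3

# Constructed sample table modelled on the webinar's COMMISSION example.
# The South amounts are masked ($xxx) on the slide; the numbers here are made up.
ROWS = [("Nick", "North", 70), ("Annabelle", "North", 700),
        ("Jane", "South", 120), ("Joe", "South", 95)]


def open_db():
    """In-memory SQLite table standing in for the production data store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE commission (repname TEXT, team TEXT, commission INTEGER)")
    db.executemany("INSERT INTO commission VALUES (?, ?, ?)", ROWS)
    return db


def rewrite_query(subject):
    """Hypothetical stand-in for a XACML policy decision: map the subject's
    attributes (role, team) to a rewritten SELECT so that only permitted data
    leaves the database. Attribute values are bound as parameters, never
    spliced into the SQL text."""
    role, team = subject["role"], subject["team"]
    if role == "sales_manager":   # row level: all columns, own team only
        sql, params = "SELECT repname, team, commission FROM commission WHERE team = ?", (team,)
    elif role == "sales_admin":   # column level: the commission column is never selected
        sql, params = "SELECT repname, team FROM commission", ()
    elif role == "regional_hr":   # cell level: names for every row, amounts only for own team
        sql, params = ("SELECT repname, team, CASE WHEN team = ? THEN commission END "
                       "FROM commission"), (team,)
    else:                         # deny by default: no rule matched, so return nothing
        sql, params = "SELECT repname FROM commission WHERE 0", ()
    return sql + " ORDER BY rowid", params


def filtered_select(db, subject):
    """Filter at source: execute the rewritten query (the approach on the slides)."""
    sql, params = rewrite_query(subject)
    return db.execute(sql, params).fetchall()


def masked_select(db, subject):
    """Conventional masking for contrast: the full result set leaves the database
    and amounts are blanked afterwards, so the existence of other teams' rows leaks."""
    rows = db.execute("SELECT repname, team, commission FROM commission ORDER BY rowid").fetchall()
    return [(name, t, amount if t == subject["team"] else "xxx") for name, t, amount in rows]
```

Calling filtered_select with a sales_manager subject returns only the two North rows, while masked_select for the same subject still returns the South rows with their amounts blanked, which is the Filter vs. Mask point of page 26.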

Page 29

Key Capabilities

Powerful Policy support

XACML 3.0

User attributes from any supported PIP store (LDAP, SQL, etc.)

Multi-database capability

Enterprise-ready

Fault-tolerant

High performance

Datacenter ready

Axiomatics Data Access Filter

Page 30

Summary & Next Steps

Big Data > Big Opportunity > Big Responsibility

Standards-based ABAC (XACML) is a key enabling platform

Look for quick business wins to support your long-term strategy

Don’t let application development/maintenance lifecycles hold you up

Protect data at source: if it doesn’t need to leave the data store, it shouldn’t leave the data store

Axiomatics Data Access Filter

Page 31

Questions?

Thank you for listening

Page 32

Don’t miss out on these events!

May 13th – 16th (Munich, Germany): European Identity Conference

May 21st (Stockholm, Sweden): Stockholm Breakfast Seminar – learn how Nordea is using Axiomatics to solve privacy issues

June 3rd – June 5th (Phoenix, AZ): Identity Relationship Management Summit

July 19th – July 23rd (Monterey, CA): Cloud Identity Summit

December 2nd – December 4th (Las Vegas, NV): Gartner Identity & Access Management Summit North America

Upcoming events & webinars

More at https://axiomatics.com/events