
Attribute Based Access Control: What is it? What is the value? How is it implemented?

Milwaukee IAM meet up – September 17, 2015

Gartner IAM Summit, December 2014

“By 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today.”

Gregg Kreizman, Gartner

“Roles Make Way for Other Attributes”

© 2015 Axiomatics AB

What is ABAC?

Attribute Based Access Control


What is Attribute Based Access Control (ABAC)?

§ A mode of externalized authorization

§ Authorization policies/rules are managed in a centralized service (deployment can be centralized/distributed/hybrid)

§ Policies utilize attributes to describe specific access rules, which is why it is called attribute based access control


Reading material

§ NIST Guide to Attribute Based Access Control (ABAC) Definition and Considerations

§ nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf


Example from NIST report

§ “This flexibility [of ABAC] provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object”

§ Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients

§ Variables in the policy language enable very efficient policy structures – reducing the maintenance load

§ Management of heart patient records is part of the business application – not an IT function

§ Multiple attributes must be available for policy evaluation – either as part of the access request or retrieved from source


NIST example - expanded

§ Nurse Practitioners can View the Records of Patients in the same Department they are assigned to

§ This rule can apply to all departments in the hospital

§ Add a new department or change names of department and the rule does not change

§ Rule compares department of the Nurse Practitioner to the department of the Patient

§ Avoids the role explosion effect of RBAC models


Corporate policy → access control

Example:

§ "Project members may change project specification documents as long as the project is in the planning phase. Once the project is in a production phase, the project lead may change specifications if there has been a change control board decision authorizing the change."

§ Subject attributes

§ Action attributes

§ Resource attributes

§ Environment attributes
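The two policies the slides state in prose, the NIST "same department" rule for nurse practitioners and the corporate project-specification policy, written out as an added example. This is not code from the deck or from Axiomatics: it is a small deny-by-default evaluator in which each rule has a target (when it applies) and a condition (whether it permits), and every request is four bags of attributes, one per category named on the slide. All attribute names and sample subjects are constructed for the example.

```python
"""Added example (not from the deck): a minimal attribute-based policy
evaluator for the nurse-practitioner rule and the project-specification
policy. Attribute names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A request is four bags of attributes: subject, action, resource, environment.
Request = Dict[str, Dict[str, object]]


@dataclass
class Rule:
    name: str
    target: Callable[[Request], bool]     # does the rule apply at all?
    condition: Callable[[Request], bool]  # if it applies, is access allowed?


@dataclass
class Policy:
    """Deny by default: PERMIT only if some applicable rule's condition holds."""
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        for rule in self.rules:
            if rule.target(req) and rule.condition(req):
                return "PERMIT"
        return "DENY"


# NIST example, expanded: nurse practitioners may view records of patients in
# the department they are assigned to. One rule serves every department, so a
# new or renamed department never touches the policy (no per-department role).
same_department_rule = Rule(
    name="np-view-own-department-records",
    target=lambda r: r["subject"].get("role") == "nurse practitioner"
    and r["action"].get("id") == "view"
    and r["resource"].get("type") == "patient record",
    # Guard against both departments being absent, which would compare equal.
    condition=lambda r: r["subject"].get("department") is not None
    and r["subject"]["department"] == r["resource"].get("department"),
)

# Corporate policy decomposed into attributes:
#   subject:     projects (membership), lead_of
#   action:      id == "change"
#   resource:    type == "spec", project
#   environment: phase of the project, ccb_decision (supplied by the application)
planning_phase_rule = Rule(
    name="member-changes-spec-in-planning",
    target=lambda r: r["action"].get("id") == "change"
    and r["resource"].get("type") == "spec"
    and r["environment"].get("phase") == "planning",
    condition=lambda r: r["resource"].get("project") in r["subject"].get("projects", ()),
)

production_phase_rule = Rule(
    name="lead-changes-spec-in-production-with-ccb-decision",
    target=lambda r: r["action"].get("id") == "change"
    and r["resource"].get("type") == "spec"
    and r["environment"].get("phase") == "production",
    condition=lambda r: r["resource"].get("project") in r["subject"].get("lead_of", ())
    and r["environment"].get("ccb_decision") is True,
)

HOSPITAL_POLICY = Policy([same_department_rule])
PROJECT_POLICY = Policy([planning_phase_rule, production_phase_rule])


def decide(policy: Policy, subject: dict, action: str, resource: dict,
           environment: dict = None) -> str:
    """Build the four-category request and evaluate it."""
    req = {"subject": subject, "action": {"id": action},
           "resource": resource, "environment": environment or {}}
    return policy.evaluate(req)


if __name__ == "__main__":
    np_cardio = {"role": "nurse practitioner", "department": "cardiology"}
    heart_record = {"type": "patient record", "department": "cardiology"}
    onc_record = {"type": "patient record", "department": "oncology"}
    print(decide(HOSPITAL_POLICY, np_cardio, "view", heart_record))  # PERMIT
    print(decide(HOSPITAL_POLICY, np_cardio, "view", onc_record))    # DENY

    alice = {"projects": ["X"], "lead_of": []}     # member, not lead
    bob = {"projects": ["X"], "lead_of": ["X"]}    # project lead
    spec = {"type": "spec", "project": "X"}
    print(decide(PROJECT_POLICY, alice, "change", spec, {"phase": "planning"}))                          # PERMIT
    print(decide(PROJECT_POLICY, alice, "change", spec, {"phase": "production", "ccb_decision": True}))  # DENY
    print(decide(PROJECT_POLICY, bob, "change", spec, {"phase": "production", "ccb_decision": True}))    # PERMIT
    print(decide(PROJECT_POLICY, bob, "change", spec, {"phase": "production", "ccb_decision": False}))   # DENY
```

Each rule's condition reads its values from the request rather than naming users or departments, which is what keeps the rule count flat as departments and projects are added.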


ABAC takes multiple factors into account

§ Not just user roles….

§ But also attributes in the language of the business defining what information assets users try to access, their actions, the context and so on

§ Policies define precise access rules

It’s not just about WHO, but also WHAT, WHERE, WHEN, WHY and HOW.


The RBAC Sudoku (figure with panels A, B and C)


Not a zero sum game


What is the value?

Attribute Based Access Control


Data access control is a challenge across industries

§ Risks are high – and the bottom line is in jeopardy

§ Data loss and leakage; data theft and fraud

§ Damage to reputation

§ Loss of competitive advantage

§ Regulatory penalties

§ Financial impact

§ Industries across the Fortune 500 face data access control challenges daily


Secure collaboration

…depends on efficient information sharing…

… which depends on precision in access controls.


Legacy access controls fail in dynamic environments

ABAC thrives in dynamic environments


How is it implemented?

Attribute Based Access Control


Examples of “internal” authorization

Hundreds or thousands of If-clauses scattered all over your code:

If the user is member of project X then … else …

If user is project lead then … else …

If project X is in production phase then … else …

If project X change control board decision has been made then … else …


Externalize the authorization

(Diagram: User Bob → Application → Authorization Service, which consults Policies and Attribute Sources; the question “Can Bob access record #22?” is answered with PERMIT/DENY)

1. Access request is intercepted

2. A query is sent to the external authorization service

3. The authorization engine evaluates the relevant policies

4. It may also need to query external attribute sources for more info

5. The decision – PERMIT or DENY – is returned and enforced
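The five steps on this slide simulated in one process, as an added example (not code from the deck or from Axiomatics). The application acts as the enforcement point: it intercepts "Can Bob access record #22?", sends a request that carries only what the session knows, and enforces the answer. The decision point evaluates the same-department rule and, for step 4, pulls the attributes the request did not carry from two separate attribute sources (a user directory and a records database) through an information point that logs each lookup. The user directory, records table, user names and record ids are all constructed.

```python
"""Added example (not from the deck): PEP -> PDP -> PIP flow for
"Can Bob access record #22?". All users, records and sources are constructed."""
from typing import Dict, List, Optional, Tuple

# --- Attribute sources (constructed stand-ins for a directory and a database) ---
USER_DIRECTORY = {
    "bob":   {"role": "nurse practitioner", "department": "cardiology"},
    "carol": {"role": "nurse practitioner", "department": "oncology"},
}
RECORDS_DB = {
    22: {"type": "patient record", "department": "cardiology"},
    23: {"type": "patient record", "department": "oncology"},
}


class PIP:
    """Step 4: resolves attributes the request did not carry, and records
    which source was asked for what."""
    def __init__(self) -> None:
        self.lookups: List[Tuple[str, object, str]] = []

    def subject_attr(self, user_id: str, name: str) -> Optional[object]:
        self.lookups.append(("directory", user_id, name))
        return USER_DIRECTORY.get(user_id, {}).get(name)

    def resource_attr(self, record_id: int, name: str) -> Optional[object]:
        self.lookups.append(("records_db", record_id, name))
        return RECORDS_DB.get(record_id, {}).get(name)


class PDP:
    """Step 3: evaluates the policy. An unknown user or record yields DENY,
    never an exception the enforcement point could misread."""
    def __init__(self, pip: PIP) -> None:
        self.pip = pip

    def decide(self, request: Dict[str, object]) -> str:
        if request["action"] != "view":
            return "DENY"
        user, record = request["subject_id"], request["resource_id"]
        role = self.pip.subject_attr(user, "role")
        subject_dept = self.pip.subject_attr(user, "department")
        resource_type = self.pip.resource_attr(record, "type")
        resource_dept = self.pip.resource_attr(record, "department")
        if (role == "nurse practitioner" and resource_type == "patient record"
                and subject_dept is not None and subject_dept == resource_dept):
            return "PERMIT"
        return "DENY"


class Application:
    """The PEP (steps 1, 2 and 5). No authorization logic lives here: the
    scattered if-clauses become one call to the authorization service."""
    def __init__(self, pdp: PDP) -> None:
        self.pdp = pdp

    def read_record(self, session_user: str, record_id: int) -> str:
        request = {"subject_id": session_user, "action": "view",
                   "resource_id": record_id}           # steps 1 and 2
        decision = self.pdp.decide(request)            # steps 3 and 4
        if decision != "PERMIT":                       # step 5: enforce
            return "access denied"
        return f"record #{record_id} released"


def run_demo() -> Tuple[Dict[str, str], List[Tuple[str, object, str]]]:
    """Three requests: same department, other department, unknown user."""
    pip = PIP()
    app = Application(PDP(pip))
    results = {
        "bob/22": app.read_record("bob", 22),
        "bob/23": app.read_record("bob", 23),
        "mallory/22": app.read_record("mallory", 22),
    }
    return results, pip.lookups


if __name__ == "__main__":
    outcomes, trace = run_demo()
    print(outcomes)   # {'bob/22': 'record #22 released', 'bob/23': 'access denied', 'mallory/22': 'access denied'}
    for entry in trace:
        print(entry)  # which attribute source answered which lookup
```

The lookup trace is the part worth keeping in a real deployment: it shows which attribute source each decision depended on, which is what an auditor asks for when a PERMIT is questioned.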


ABAC for Data-centric Authorization

(Diagram: User Bob → Application → Data storage, with the Authorization Service, its Policies and Attribute Sources in between; Bob wants to SELECT A,B from table T, the statement becomes SELECT A,B FROM TABLE T WHERE…, and filtered data is returned)

1. SQL statement is intercepted

2. A query is sent to the external authorization service

3. The authorization engine evaluates the relevant policies

4. It may also need to query external attribute sources for more info

5. The result: SQL statement is dynamically modified and only authorized data is returned to user


Getting Started with ABAC – Technical Activities for an ABAC Deployment

§ Policy authoring

§ Application integration

§ Attribute sourcing


Getting Started with ABAC – Non-technical considerations

§ Prioritizing which applications should be migrated to ABAC

§ Identifying stakeholders for the project

§ Where does the budget come from?


Policy Authoring – Authorization scenario

Brokers can view the insurance policies of a customer if the broker is assigned to the customer

Role == broker

Action == view

Resource == insurance policy

The relationship: userId == customer.assignedBroker

A user with the role == broker can do the action == view on resources of type == insurance policy if the user id == the customer’s assigned broker id.
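The broker scenario above combined with the data-centric SQL filtering described earlier on the page, as one added example (not code from the deck or from Axiomatics). Instead of a PERMIT/DENY per row, the authorization service returns a WHERE condition derived from the policy (role == broker, action == view, resource == insurance policy, userId == customer.assignedBroker), and the interceptor appends it to the SELECT before it reaches the database. The tables, columns, sample rows and broker ids are constructed; the broker's id is bound as a parameter rather than pasted into the SQL text, and the interceptor only accepts table and column names from a fixed list.

```python
"""Added example (not from the deck): the broker rule applied as a SQL
filter over an in-memory SQLite database. Schema and rows are constructed."""
import sqlite3
from typing import List, Tuple

DDL = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, assigned_broker TEXT);
CREATE TABLE insurance_policy (id INTEGER PRIMARY KEY, customer_id INTEGER, product TEXT);
"""
SAMPLE_ROWS = """
INSERT INTO customer VALUES (1, 'Ada', 'broker-7'), (2, 'Bo', 'broker-9'), (3, 'Cy', 'broker-7');
INSERT INTO insurance_policy VALUES (10, 1, 'home'), (11, 2, 'auto'), (12, 3, 'life'), (13, 1, 'auto');
"""

# Identifiers the interceptor is willing to place into SQL text.
ALLOWED_TABLES = {"insurance_policy"}
ALLOWED_COLUMNS = {"id", "customer_id", "product"}


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL + SAMPLE_ROWS)
    return conn


def authorization_filter(role: str, action: str, resource: str,
                         user_id: str) -> Tuple[str, tuple]:
    """The authorization service's answer for a whole statement: a WHERE
    fragment plus bound parameters. Brokers may view policies of customers
    whose assigned_broker equals their user id. Anything else gets a
    condition that matches no rows (deny by default)."""
    if role == "broker" and action == "view" and resource == "insurance_policy":
        return ("customer_id IN (SELECT id FROM customer WHERE assigned_broker = ?)",
                (user_id,))
    return ("1 = 0", ())


def filtered_select(conn: sqlite3.Connection, user: dict, columns: List[str],
                    table: str) -> List[tuple]:
    """The interceptor: rewrites the application's SELECT with the service's
    condition and runs it. Identifiers outside the fixed lists are refused."""
    if table not in ALLOWED_TABLES or not set(columns) <= ALLOWED_COLUMNS:
        raise ValueError("statement outside the interceptor's scope")
    where, params = authorization_filter(user["role"], "view", table, user["id"])
    sql = f"SELECT {', '.join(columns)} FROM {table} WHERE {where} ORDER BY id"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = open_db()
    broker7 = {"id": "broker-7", "role": "broker"}
    broker9 = {"id": "broker-9", "role": "broker"}
    clerk = {"id": "u-1", "role": "clerk"}
    print(filtered_select(db, broker7, ["id", "product"], "insurance_policy"))  # [(10, 'home'), (12, 'life'), (13, 'auto')]
    print(filtered_select(db, broker9, ["id", "product"], "insurance_policy"))  # [(11, 'auto')]
    print(filtered_select(db, clerk, ["id", "product"], "insurance_policy"))    # []
```

Because the filter is a subquery over the customer table, a reassignment of a customer to another broker changes the rows returned on the next query without any change to the policy or the application.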


Applying ABAC to every layer of your application

ADAF


Where do I get the attributes?

§ Policies and rules contain references to attributes

§ Access request messages are comprised of attributes from the user session

§ ABAC system can look up any additional attributes needed to complete policy evaluation process


Using virtualization to consolidate attribute sources

(Diagram: a virtual directory service (VDS) in front of Directories, Databases, Active Directory and Applications)


Applying ABAC to every layer of your application

ADAF


ABAC at the presentation tier

§ Hide or reveal menu items, drop down lists, widgets, etc.

§ Activate/deactivate portal buttons

§ Implement with any application framework or programming language: Java, .NET, Ruby, Python, PHP, Spring, etc.

§ Utilize SDKs for SOAP/XML format for Java and .NET, or REST/JSON for these and other programming languages


ABAC at the business / API tier

(Diagram: Client → API gateway, which acts as PEP → API Application; the example shows three licensing sites behind the gateway)


Questions? Thank you for listening