Axiomatics and First Point Global webinar Aug 6 2014


Upload: axiomatics-ab

Post on 20-Jun-2015

DESCRIPTION

This slide deck demonstrates how dynamic authorization supports innovation in the digital economy.

TRANSCRIPT

Page 1: Axiomatics and First Point Global webinar Aug 6 2014

© 2014 Axiomatics AB 1

Attribute Based Access Control (ABAC) and Authorising Data Access

Webinar: August 6, 2014

Page 2: Axiomatics and First Point Global webinar Aug 6 2014

Today’s speakers

John Havers

Gerry Gebel

David Brossard

Page 3: Axiomatics and First Point Global webinar Aug 6 2014

Twitter: @axiomatics @fpgidentity #ABAC #XACML

Page 4: Axiomatics and First Point Global webinar Aug 6 2014

Introduction

Overview and preamble

Business drivers – why organizations invested in ABAC

Business challenges – what problems they solved

Business values – what benefits they gained

Page 6: Axiomatics and First Point Global webinar Aug 6 2014

Next generation information security

= dynamic authorization

= attribute based access control

Page 7: Axiomatics and First Point Global webinar Aug 6 2014

Sensitive / business critical information

Grant or deny access based on the following attributes

Who

What

When

Where

Why

How

Page 8: Axiomatics and First Point Global webinar Aug 6 2014

Why organizations invested in ABAC technology

Consolidated infrastructure

Enhanced security

Business enabler

Compliance

Expose data and APIs to customers and partners

Write once, Enforce everywhere

Consistent authorization enforcement across applications

Implement legal frameworks

Page 9: Axiomatics and First Point Global webinar Aug 6 2014

Innovating in the digital economy

Business enabler

Expose data and APIs to customers and partners

ABAC Value Proposition

Use Cases:

• Context aware information management

• ABAC database filtering, the key to unlocking identity aware legacy data

The importance of ABAC in a modern information security and digital strategy

Page 10: Axiomatics and First Point Global webinar Aug 6 2014

“By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.”

Gartner Predicts, March 2014

Page 11: Axiomatics and First Point Global webinar Aug 6 2014

“Due to the emerging nature of the Dynamic Authorization Management market, innovation is a key capability. Innovation drives customer satisfaction when they receive new releases that meet their developing requirements. Axiomatics leads this sector.”

KuppingerCole Analysts, Dynamic Authorization Management Report 2014

Page 12: Axiomatics and First Point Global webinar Aug 6 2014

Business Challenges

Problems solved

Benefits gained

Page 13: Axiomatics and First Point Global webinar Aug 6 2014

Secure collaboration

Rapid and secure transactions

Compliance and governance

Timely IT service delivery

Page 14: Axiomatics and First Point Global webinar Aug 6 2014

Secure collaboration…

…depends on efficient information sharing…

…which depends on precision in access controls.

Page 15: Axiomatics and First Point Global webinar Aug 6 2014

Legacy access controls fail in dynamic environments

ABAC thrives in dynamic environments

Page 16: Axiomatics and First Point Global webinar Aug 6 2014

The ABAC factor

The information highways can be opened again. Information can now be shared securely between the right people under the right conditions.

Page 17: Axiomatics and First Point Global webinar Aug 6 2014

Rapid and secure transactions…

…depend on efficient delegation of powers…

…while losses due to fraud or excessive risk taking are minimized.

Page 18: Axiomatics and First Point Global webinar Aug 6 2014

Choose between speed and security…

…or choose both

Page 19: Axiomatics and First Point Global webinar Aug 6 2014

The ABAC factor

More people can be empowered to securely execute transactions.

The transaction approval process can be considerably speeded up, according to your risk appetite.

Page 20: Axiomatics and First Point Global webinar Aug 6 2014

Effective compliance and governance…

…depend on efficient IT governance…

…which in turn depends on correct and verifiable authorizations.

Page 21: Axiomatics and First Point Global webinar Aug 6 2014

Internal controls matrix and manual checklists

Centrally maintained policies enforced across applications

Authorization service

Page 22: Axiomatics and First Point Global webinar Aug 6 2014

The ABAC factor

By enforcing regulations and proving that your organization is compliant you can avoid fines and other punishment, as well as damage to the organization’s reputation.

Page 23: Axiomatics and First Point Global webinar Aug 6 2014

Timely service delivery…

…depends on efficient software development…

…and change management not causing delays.

Page 24: Axiomatics and First Point Global webinar Aug 6 2014

Hundreds or thousands of If-clauses scattered all over your code

If project X is in planning phase then … else …

If the user is member of project X then … else …

If user is project lead then … else …

If project X is in production phase then … else …

If project X change control board decision has been made then … else …

Write your policy once & automate enforcement wherever needed

Write once use many times

During the project planning phase all project members may change project specification documents. In the production phase specifications can only be changed by project leads if and only if a change control board decision authorizes them to do so.

Page 25: Axiomatics and First Point Global webinar Aug 6 2014

The ABAC factor

Software development: 10%-40% cost savings. The more complex authorization rules you have, the greater the saving. Write access control code once and use it over and over instead of maintaining thousands of "if"-clauses in your code.

Change management: up to 30% savings. No changes in applications when new business requirements or regulations mandate changes to access control policies.

Page 26: Axiomatics and First Point Global webinar Aug 6 2014

So how do we do this?

Page 27: Axiomatics and First Point Global webinar Aug 6 2014

Dynamic authorization for applications, enterprise APIs, and web services

Page 28: Axiomatics and First Point Global webinar Aug 6 2014

Diagram: User (Bob), Application, Authorization Service, Policies, Attribute Sources

Application to Authorization Service: Can Bob access record #22? Response: PERMIT/DENY

1. Access request is intercepted

2. A query is sent to the external authorization service

3. The authorization engine evaluates the relevant policies

4. It may also need to query external attribute sources for more info

5. The decision (PERMIT or DENY) is returned and enforced
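The five-step flow above, applied to the project-specification policy from the "write once" slide, as an added Python example (not Axiomatics code and not XACML). The function names, attribute names, projects Y and Z, and all sample data are constructed for illustration.

```python
# Constructed attribute sources (step 4); hypothetical stand-ins for project and HR systems.
PROJECTS = {
    "X": {"phase": "production", "ccb_approved": True, "members": {"alice", "bob"}, "leads": {"alice"}},
    "Y": {"phase": "planning", "ccb_approved": False, "members": {"bob"}, "leads": set()},
    "Z": {"phase": "production", "ccb_approved": False, "members": {"alice"}, "leads": {"alice"}},
}
RECORDS = {22: ("X", "specification"), 23: ("Y", "specification"), 24: ("Z", "specification")}

def spec_change_policy(action, attrs):
    """The project-specification policy from the slides, written once."""
    if action != "change" or attrs["type"] != "specification":
        return "NOT_APPLICABLE"
    if attrs["phase"] == "planning" and attrs["is_member"]:
        return "PERMIT"
    if attrs["phase"] == "production" and attrs["is_lead"] and attrs["ccb_approved"]:
        return "PERMIT"
    return "DENY"

POLICIES = [spec_change_policy]

def resolve_attributes(user, record_id):
    """Step 4: fetch the attributes the policies need for this subject and resource."""
    if record_id not in RECORDS:
        return None
    project_id, record_type = RECORDS[record_id]
    project = PROJECTS[project_id]
    return {"type": record_type, "phase": project["phase"],
            "ccb_approved": project["ccb_approved"],
            "is_member": user in project["members"], "is_lead": user in project["leads"]}

def decide(user, action, record_id):
    """Steps 2-3: evaluate the policies; anything not explicitly permitted is denied."""
    attrs = resolve_attributes(user, record_id)
    if attrs is None:
        return "DENY"
    for policy in POLICIES:
        decision = policy(action, attrs)
        if decision != "NOT_APPLICABLE":
            return decision
    return "DENY"

def enforce(user, action, record_id, handler):
    """Steps 1 and 5: intercept the request in the application and enforce the decision."""
    if decide(user, action, record_id) != "PERMIT":
        raise PermissionError(f"DENY: {user} may not {action} record #{record_id}")
    return handler(record_id)
```

The application only calls `enforce`; changing the rule means editing `spec_change_policy`, not the application code.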

Page 29: Axiomatics and First Point Global webinar Aug 6 2014

Dynamic authorization for data filtering

Page 30: Axiomatics and First Point Global webinar Aug 6 2014

Diagram: User, Application, Authorization Service, Policies, Attribute Sources, Data storage

User Bob wants to SELECT * from table T

Statement sent to data storage: SELECT A,B FROM TABLE T WHERE…

Returned to user: filtered data

1. SQL statement is intercepted

2. A query is sent to the external authorization service

3. The authorization engine evaluates the relevant policies

4. It may also need to query external attribute sources for more info

5. The result: SQL statement is dynamically modified and only authorized data is returned to user
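The statement rewrite described above, as an added Python example using an in-memory SQLite table (not Axiomatics code). The policy table, roles, the `region` column and the sample rows are constructed for illustration; statements other than `SELECT * FROM <table>` are rejected.

```python
import re
import sqlite3

# Constructed policy (hypothetical): per table and role, the visible columns and a row
# predicate whose parameter is bound to a user attribute at request time.
POLICY = {
    ("T", "analyst"): {"columns": ["A", "B"], "where": "region = ?", "bind": ["region"]},
    ("T", "manager"): {"columns": ["A", "B", "C"], "where": None, "bind": []},
}
SELECT_ALL = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+(\w+)\s*;?\s*$", re.IGNORECASE)

def rewrite(sql, user):
    """Intercept the statement and return (filtered_sql, params), or refuse it."""
    match = SELECT_ALL.match(sql)
    if match is None:
        raise PermissionError("statement shape not covered by policy")  # fail closed
    table = match.group(1)
    rule = POLICY.get((table, user["role"]))
    if rule is None:
        raise PermissionError(f"{user['name']} has no access to {table}")
    # The table name is interpolated only after it matched a policy key; values are bound.
    filtered = f"SELECT {', '.join(rule['columns'])} FROM {table}"
    if rule["where"]:
        filtered += f" WHERE {rule['where']}"
    return filtered, [user[attr] for attr in rule["bind"]]

def query_as(conn, sql, user):
    """Run the rewritten statement so only authorized columns and rows come back."""
    filtered, params = rewrite(sql, user)
    return conn.execute(filtered, params).fetchall()

def sample_db():
    """Constructed table T for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T (A TEXT, B TEXT, C TEXT, region TEXT)")
    conn.executemany("INSERT INTO T VALUES (?, ?, ?, ?)",
                     [("a1", "b1", "secret1", "EU"), ("a2", "b2", "secret2", "US")])
    return conn
```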

Page 31: Axiomatics and First Point Global webinar Aug 6 2014

Conclusions

Page 32: Axiomatics and First Point Global webinar Aug 6 2014

Attribute Based Access Control (ABAC) objectives

Get competitive advantage and create new revenue streams

Minimize the risk of fraud with dynamic, real-time access control

Meet global regulatory and privacy requirements

Cut time to market and streamline internal development

Page 33: Axiomatics and First Point Global webinar Aug 6 2014

Attribute Based Access Control (ABAC) benefits

Enabling secure collaboration

Delegating execution powers for fast and secure financial transactions

Compliance, compliance, and compliance

Faster service delivery, reduced development costs

Page 34: Axiomatics and First Point Global webinar Aug 6 2014

Meet us on site

Schedule time to meet with First Point Global and Axiomatics during the weeks of August 25th and September 1st

Contact Damon Jones ([email protected]) or Barry Metzger ([email protected])

Page 35: Axiomatics and First Point Global webinar Aug 6 2014

Questions?

Thank you for listening