fine grained access control for cloud-based services using abac and xacml


Upload: david-brossard

Post on 21-Jun-2015


DESCRIPTION

In this presentation we look at fine-grained attribute-based access control for cloud applications.

TRANSCRIPT

Page 1: Fine grained access control for cloud-based services using ABAC and XACML

© 2012, Axiomatics AB 1

Fine-Grained Authorization for Cloud-based Services

David Brossard, Axiomatics

@davidjbrossard - @axiomatics

Page 2: What you will learn

- Three strategies to extend authorization to the cloud (we're in London, we definitely need this strategy)
- What it means for customers and for SaaS providers

Page 3: What's authorization?

Access control, or authorization (AuthZ): who can do what?

"The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service."

Page 4: Heard enough about SSO, federation and SAML?

Authentication: "Hi, I prove who I say I am"
- A one-off process
- Focus: the user's identity and the proof of that identity
- Standards: OpenID, OAuth, SAML...

Authorization: "Hi, can I transfer this amount?"
- From code-driven to policy-driven
- Standard: XACML

Authorization comes after authentication.

Page 5: The issue with authorization today

The black box challenge

Page 6: System growth leads to AuthZ challenges

(Diagram: a growing number of in-house apps and SaaS applications, each with its own authorization logic.)

Resulting challenges:
- Cost
- Brittleness
- Static
- Risk
- Lack of visibility
- Lack of audit
- Violation of SoD (segregation of duties)

Page 7: The authorization challenge

- What happens to my data?
- Who can access which information?
- How do I comply with (what the auditor will ask for):
  - Regulations? E.g. export control
  - Contractual obligations?
- Going to the cloud doesn't make it easier
- Do I need a different approach for cloud?

Page 8: Example: manufacturing in the cloud

Export control:
- Know the user (citizenship, location, affiliation)
- Know the end use (end location, purpose of use)

Page 9: Fine-grained authorization to the rescue

- Attribute-based access control
- XACML

Page 10: Authorization is nearly always about... Who?

Identity + role (+ group): role-based access control

Credits: all icons from the Noun Project | Invisible: Andrew Cameron

Page 11: Authorization should really be about...

Who? What? When? Where? How? Why?

Attribute-based access control

Credits: all icons from the Noun Project | Invisible: Andrew Cameron | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins

Page 12: Behold XACML, the standard for ABAC

eXtensible Access Control Markup Language, an OASIS standard. XACML is expressed as:
- A specification document (a PDF), and
- An XML schema

A policy-based and attribute-based language: implement authorization based on object relations, e.g. "Only employees of a given plant can see technical data linked to items assigned to the plant."

Page 13: Refresher: the XACML architecture

- Decide: Policy Decision Point (PDP)
- Manage: Policy Administration Point (PAP)
- Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
- Enforce: Policy Enforcement Point (PEP)

Page 14: XACML: transparent and externalized AuthZ

Centrally managed policy: "PERMIT user with clearance X to read document classified as ..." / "DENY access to classified document if ..."

(Diagram: user -> application -> information asset; the user says "I want..." and each access is answered with PERMIT or DENY.)

Page 15: XACML: anywhere AuthZ and architecture

(Diagram: a datacenter hosting App A and Service A, Service D, Service E, Service M and Service O, alongside SaaS applications and a private cloud.)

Page 16: Fine-grained authorization for the cloud

Three strategies for externalized authorization in the cloud

Page 17: Option #1: tell your provider to adopt XACML

A SaaS provider should offer:
- Functional APIs (their core business)
- Non-functional (security) APIs

Let customers push their own XACML policies; apply the administrative delegation profile:
http://docs.oasis-open.org/xacml/3.0/xacml-3.0-administration-v1-spec-en.html

Page 18: Option #1: architecture

(Diagram: Central IT of Company A on one side; the SaaS provider's App#1, App#2 and App#3 on the other, exposing a functional API and a XACML management API.)

1. The SaaS admin delegates the rights to manage the access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer's users.
2. Customer A's admin can manage access for their staff on its own by providing XACML policies and attributes.
3. Customer A's users use the SaaS application.

Page 19: Option #1: pros and cons

Pros:
- Consistent access control
- Fine-grained
- Risk-aware
- Future-proof
- SaaS vendor benefit: multi-tenancy

Cons:
- Not many SaaS vendors support XACML today

Page 20: Option #2: proxy your cloud connections

If you can restrict access to SaaS applications to clients inside the corporate network, all access to SaaS apps could be made to tunnel through a proxy.

Page 21: Option #2: architecture

(Diagram: users reach SaaS App #1, SaaS App #2 and SaaS App #3 through a VPN.)

Page 22: Option #2: pros and cons

Pros:
- Works around current SaaS limitations
- Easy to deploy
- Available today

Cons:
- No direct access to the SaaS app
- Forces users to go via VPN
- Access may not be as fine-grained as in Option #1
- Lack of visibility into the SaaS data

Page 23: Option #3: policy provisioning based on XACML

What if the provider is reluctant to adopt XACML? "If the application won't go to XACML then XACML will go to the application" (Eve Maler, Forrester)

You still get:
- Centrally managed authorization
- Standards-based (XACML)

Approach:
- Convert from XACML to the format the SaaS expects
- Push via the SaaS management APIs

Page 24: Option #3: architecture

(Diagram: Central IT of Company A converts XACML policies to the native format expected by the SaaS provider and pushes the resulting authorization constraints / permissions through the native API of App#1, App#2 and App#3, which also expose a functional API.)

- Convert XACML policies to the native format expected by the SaaS provider
- Authorization constraints / permissions are delivered in the format expected by the SaaS provider
- Customer A's users use the SaaS application

Page 25: Option #3: pros and cons

Pros:
- Feasible today
- Viable solution
- Extends the reach of the customer's XACML-based authorization system

Cons:
- Possible loss of XACML richness in access control
- Loss of dynamic nature

Page 26: To summarize

Cloud requires eXtensible authorization: fine-grained and externalized.

Traditional approaches:
- #1: tell your SaaS provider to adopt XACML
- #2: proxy your cloud connections

Extended approach:
- #3: policy provisioning based on XACML (also works for business apps: SharePoint, Windows)

Every cloud has a XACML lining.

Page 27: Questions?

Contact us at [email protected]