Overcoming role explosion challenges with attribute-based access control


© 2015 Axiomatics AB 1

Webinar: May 13, 2015

Role explosion: Can ABAC be the solution?

Agenda

From where do they all come – all these roles?

Going ABAC – small steps

Example

Q&A


Agenda

21st century business scenarios – is RBAC becoming the problem?

Can we get more dynamic with attributes?

ABAC does not replace RBAC!!!

The importance of starting small

Authorization: Permission to execute an action on given information assets under certain conditions.

Governance, Risk and Compliance Management: Internal regulations for management and control within the organization.

Business perspective on authorization
  Aligned with primary business objectives
  High-level and general
  Common issues: poorly documented, very generic, very high-level

Technical perspective on authorization
  Aligned with technical infrastructure
  Detailed and specific
  Common issues: well documented, many details, very system-specific and difficult to analyze

Recurring driver: jumping from audit to audit, trying to avoid risk

2014, 2015, … Every audit – same Sudoku

XK01 – Vendor management
ME21N – Creating a purchase order

Hmmm… potential fraud could come out of that

The SoD matrix

Split roles to cater for new SoD requirements

XK01 – Vendor management
ME21N – Creating a PO
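The "audit Sudoku" from the slides above, written out as an added example (this is not code from the deck or from Axiomatics): role-to-transaction grants, an SoD matrix of conflicting transaction pairs, a check that lists every user whose combined roles hold both sides of a conflict, and the role split that the slide proposes as the remedy. Only XK01 and ME21N come from the slides; the other transaction codes, the role names and the users are constructed for the illustration.

```python
# SoD matrix as a set of conflicting transaction pairs. The XK01/ME21N pair is
# the deck's example; the structure of the matrix is an assumption.
SOD_MATRIX = {frozenset({"XK01", "ME21N"})}

# Constructed role catalogue: which transactions each role grants.
ROLES = {
    "PURCHASER": {"ME21N", "ME23N"},          # creates and displays purchase orders
    "VENDOR_ADMIN": {"XK01", "XK02"},         # creates and changes vendor master data
    "PROCUREMENT_ALL": {"XK01", "ME21N"},     # the kind of role an audit asks to split
}

# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": {"PURCHASER", "VENDOR_ADMIN"},   # conflict across two roles
    "bob": {"PURCHASER"},                     # clean
    "carol": {"PROCUREMENT_ALL"},             # conflict inside a single role
}


def effective_transactions(user, roles=ROLES, assignments=ASSIGNMENTS):
    """All transactions a user can execute through any of their roles."""
    return set().union(*(roles[r] for r in assignments.get(user, ())))


def sod_conflicts(assignments=ASSIGNMENTS, roles=ROLES, matrix=SOD_MATRIX):
    """Map user -> sorted list of conflicting pairs the user holds in full.
    This is the static check an audit repeats every year."""
    report = {}
    for user in assignments:
        held = effective_transactions(user, roles, assignments)
        hits = [tuple(sorted(pair)) for pair in matrix if pair <= held]
        if hits:
            report[user] = sorted(hits)
    return report


def conflicting_roles(roles=ROLES, matrix=SOD_MATRIX):
    """Roles that violate the matrix on their own, i.e. candidates for splitting."""
    return sorted(r for r, tx in roles.items()
                  if any(pair <= tx for pair in matrix))


def split_role(name, roles=ROLES, matrix=SOD_MATRIX):
    """The slide's remedy: split one role into parts so that no single part
    contains both sides of any pair. Greedy: each transaction goes into the
    first part that stays conflict-free, otherwise a new part is opened."""
    parts = []
    for tx in sorted(roles[name]):
        for part in parts:
            if not any(pair <= part | {tx} for pair in matrix):
                part.add(tx)
                break
        else:
            parts.append({tx})
    return {f"{name}_{i + 1}": part for i, part in enumerate(parts)}


if __name__ == "__main__":
    print("users with SoD conflicts:", sod_conflicts())
    print("roles to split:", conflicting_roles())
    for role in conflicting_roles():
        print(role, "->", split_role(role))
```

Note what the split does not fix: alice still holds the conflict through two separate roles, so the check has to be run over effective transactions, not over the role catalogue alone, and every new SoD requirement grows both the matrix and the number of role parts.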

The elevator pitch

Focus on roles can hide the real danger: instead of handling risks we handle roles.

Not properly handling the risks may have some quite radically negative effects.

How bad does it get?

Recent examples from clients:

Example 1: Financial institution in the APAC region: 7 000 wholesale customers, 93 000 roles.

Example 2: Large energy company: 50 people working full-time to continuously resolve SoD conflicts.

Example 3: Financial institution in the EMEA region: 3000 roles in a single system causing a headache – after a costly cleansing project 80% of them could be removed. (And then it starts all over…)

What to do?

FROM
  Jumping from audit to audit
  Focus on roles
  Focus on the technical assignment of permissions

TO
  Making compliance a continuous process
  Dynamically adapt to changing needs
  Focus on rules
  Focus on policies to implement

1. Making compliance a continuous process

2. Analyze the existing RBAC model

Does the permission to edit ANY vendor exclude you from creating ANY purchase order?

Business rule: SoD rules must ensure no single user can corrupt a business-critical process.

Thus: No user should be able to create a new vendor and then register a purchase order for THAT specific vendor!

FROM: "A user who is authorized to edit master data to create a vendor should never be added to a role that gives permissions to create a purchase order"

TO: "Whenever a user creates a purchase order, check to see if the same user was involved in the creation or modification of the vendor – if so, then DENY else PERMIT"

3. Could you use more fine-grained authorization?

FROM ROLES TO POLICIES AND RULES

ROLE 1: Permission X during normal business hours from within the LAN
ROLE 2: Permission X with limitations after business hours from within the LAN
ROLE 3: Permission X with other limitations from a mobile device
ROLE 4: Permission X with a third set of limitations if channel is Y
ROLE 5: Permission X with yet more limitations if….

PERMIT user with properties U1, U2, …, UN
to perform Action A with parameters A1, A2, …, AN
on Data of type D with properties D1, D2, …, DN
in the Context of C1, C2, …, CN
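The two slides above (the dynamic SoD rule from step 2 and the ROLE 1..5 versus policy template from step 3) combined into one working policy, as an added example that is not code from the deck or from any Axiomatics product. The policy permits "create purchase order" for a user with the right properties, applies the context modifiers that ROLE 1 to ROLE 5 used to encode (business hours, LAN, mobile device, channel) as spending limits instead of separate roles, and denies when the requesting user created or modified THAT vendor. The attribute names (department, network, device, channel, hour, touched_by), the business-hours window, the limit values and the sample records are all assumptions made for the illustration.

```python
from dataclasses import dataclass

BUSINESS_HOURS = range(9, 17)   # assumption: 09:00 to 16:59 local time

# Limits that ROLE 2..4 used to bake in (assumed values, one policy instead).
LIMIT_LAN_AFTER_HOURS = 10_000
LIMIT_MOBILE = 2_500
LIMIT_PARTNER_CHANNEL = 1_000


@dataclass
class Request:
    """The slide's template: user U, action A, data D, context C as attribute bags."""
    user: dict      # U1..UN, e.g. id, department
    action: dict    # A1..AN, e.g. name, amount
    resource: dict  # D1..DN, e.g. type, vendor_id, touched_by
    context: dict   # C1..CN, e.g. hour, network, device, channel


def sod_violation(req: Request) -> bool:
    """Step 2's dynamic rule: the requester must not have created or modified
    this vendor. 'touched_by' is the assumed audit attribute on the vendor."""
    return req.user["id"] in req.resource.get("touched_by", ())


def spending_limit(ctx: dict):
    """Context modifiers that replace ROLE 1..5. None means no limit."""
    in_lan = ctx.get("network") == "LAN"
    in_hours = ctx.get("hour") in BUSINESS_HOURS
    if in_lan and in_hours:
        return None                      # ROLE 1: full permission
    if in_lan:
        return LIMIT_LAN_AFTER_HOURS     # ROLE 2: after hours, inside LAN
    if ctx.get("device") == "mobile":
        return LIMIT_MOBILE              # ROLE 3: mobile device
    if ctx.get("channel") == "partner-api":
        return LIMIT_PARTNER_CHANNEL     # ROLE 4: channel Y
    return 0                             # ROLE 5 and beyond: nothing allowed


def decide_create_po(req: Request) -> tuple:
    """Returns (decision, reason). Deny by default; the rules are evaluated in order."""
    if (req.action.get("name") != "create_purchase_order"
            or req.resource.get("type") != "vendor"):
        return "NOT_APPLICABLE", "policy only covers purchase-order creation"
    if req.user.get("department") != "procurement":       # U: user property
        return "DENY", "user is not in procurement"
    if sod_violation(req):                                # D: data property
        return "DENY", "SoD: user created or modified this vendor"
    limit = spending_limit(req.context)                   # C: context
    amount = req.action.get("amount", 0)                  # A: action parameter
    if limit is not None and amount > limit:
        return "DENY", f"amount {amount} exceeds limit {limit} for this context"
    return "PERMIT", "all conditions satisfied"


# Constructed sample: vendor V-17 was created by user alice.
VENDOR_V17 = {"type": "vendor", "vendor_id": "V-17", "touched_by": {"alice"}}


def sample_decisions() -> dict:
    """Four requests against the same vendor; only the attributes differ."""
    bob = {"id": "bob", "department": "procurement"}
    alice = {"id": "alice", "department": "procurement"}

    def po(amount):
        return {"name": "create_purchase_order", "amount": amount}

    return {
        "bob_lan_hours": decide_create_po(
            Request(bob, po(50_000), VENDOR_V17, {"network": "LAN", "hour": 10}))[0],
        "bob_lan_night": decide_create_po(
            Request(bob, po(50_000), VENDOR_V17, {"network": "LAN", "hour": 22}))[0],
        "bob_mobile": decide_create_po(
            Request(bob, po(2_000), VENDOR_V17,
                    {"network": "internet", "device": "mobile", "hour": 10}))[0],
        "alice_sod": decide_create_po(
            Request(alice, po(10), VENDOR_V17, {"network": "LAN", "hour": 10}))[0],
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name}: {decision}")
```

The point of the example is where the variation lives: a new condition (say, authentication strength) becomes one more line in spending_limit or decide_create_po, while in the RBAC version it would have become ROLE 6 and a new row in the SoD matrix.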


3. Can attributes serve as modifiers?

Change is an effort: Do you have a business case to motivate change?

Costs for role explosion cleanup

"The expense for the authorizations subproject is between 10% and 15% of the overall scope for any project. Otherwise the costs for retroactive cleansing processes and maintenance costs are considerably higher than these costs. A poorly set up authorization concept can incur significant additional costs in an upgrade project."*

* Volker Lehnert, Katharina Bonitz, Larry Justice, Authorizations in SAP® Software: Design and Configuration

Axiomatics customer assessments: Depending on project type and authorization complexity, the costs for authorization range between 10% and 40% of overall project costs.

The earlier a defect is detected, the lower the cost of repair. What happens when a defect is caused by regulation or policy changes?

The ABAC shift: Can you afford not to change?

"By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today."
Gartner Predicts, March 2014

Attribute Based Access Control (ABAC)

ABAC enables the Any-Depth Architecture

FROM RBAC, coarse-grained: many users in one role
TO ABAC, fine-grained: many attributes per user/resource…

The ABAC shift (diagram; label: Role A)

Where do we start? Well, start small….

Use case: Customer portal

Login for private clients, corporate clients or agents

Best Insurance internal (diagram): Insurance Policies; Mother; Daughter >18; Son <18; Staff member

New customer portal planned – extend existing RBAC model?

RBAC in internal systems: Role grants access to customer account details

Can roles handle access in the customer portal?

Private client overview – including family members

Authorization: Is the user allowed to see the overview of other family members?

Family member viewing claims

Authorization: Is the user allowed to list claims of other family members?

Corporate client

Authorization: Is Corporate Client Acme's HR administrator allowed to see staff members' financial data, medical data, other PII?

Architecture (diagram): Internet (Web portal, Mobile portal, Agent/Partner applications) | Portal (API – Channel layer; Authentication, Authorization) | Backend (Core backend systems; Best Insurance internal)

Customer portal: Extend authorization with Attribute Based Access Control (ABAC); keep RBAC for internal access

Policies (diagram): Mother; Daughter >18; Son <18; Staff member

Role grants access to customer account details

PERMIT if
• relation to subject is…
• data classification is …
• data subject is…
• device/channel is…
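The customer-portal slides above (family members viewing each other's overview and claims, the corporate client's HR administrator, and the "PERMIT if relation / classification / data subject / device" list) as an added example that is not code from the deck or from Axiomatics. It shows the hybrid the slide proposes: the internal channel keeps the existing role check untouched, and the portal channels are decided by attribute rules layered on top. The deck poses the authorization questions without answering them, so the answers encoded here (a guardian may see a minor's data but not an adult family member's, an HR administrator may see policy data but not financial, medical or other PII, medical data is not released on the mobile channel), the age threshold, the role and classification names and the sample persons are all assumptions.

```python
from dataclasses import dataclass

ADULT_AGE = 18   # the slide's Daughter>18 / Son<18 split; the threshold is an assumption


@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset = frozenset()     # internal RBAC roles (assumed role name below)
    account: str = ""                  # account an external user logs in under
    account_role: str = ""             # e.g. "hr_admin" for a corporate client's admin


@dataclass(frozen=True)
class Record:
    data_subject: str                  # the person the record is about
    classification: str                # "policy", "financial", "medical" or "pii"
    account: str                       # account the record belongs to
    subject_age: int
    guardians: frozenset = frozenset() # guardians of the data subject (relation attribute)


def internal_rbac(user: User) -> bool:
    """Unchanged internal model: a role grants access to customer account details."""
    return "claims_handler" in user.roles


def portal_abac(user: User, rec: Record, channel: str) -> tuple:
    """The slide's PERMIT-if list, evaluated top to bottom, deny by default."""
    # device/channel is ...
    if channel == "mobile" and rec.classification == "medical":
        return "DENY", "medical data is not released on the mobile channel"
    # data subject is ... (the user's own data)
    if user.id == rec.data_subject:
        return "PERMIT", "own data"
    # relation to subject is ... (guardian of a minor in the family)
    if user.id in rec.guardians:
        if rec.subject_age < ADULT_AGE:
            return "PERMIT", "guardian of a minor family member"
        return "DENY", "adult family member's data needs their own consent"
    # data classification is ... (corporate client's HR administrator)
    if user.account_role == "hr_admin" and user.account == rec.account:
        if rec.classification == "policy":
            return "PERMIT", "HR admin may see policy data of own staff"
        return "DENY", "HR admin may not see financial, medical or other PII"
    return "DENY", "no permitting rule matched"


def decide(user: User, rec: Record, channel: str) -> str:
    """Hybrid: the internal channel stays RBAC, portal channels go through ABAC."""
    if channel == "internal":
        return "PERMIT" if internal_rbac(user) else "DENY"
    return portal_abac(user, rec, channel)[0]


# Constructed sample persons and records.
MOTHER = User("mother", account="fam-1")
DAUGHTER = User("daughter", account="fam-1")
STAFF = User("staff", roles=frozenset({"claims_handler"}))
ACME_HR = User("acme-hr", account="acme", account_role="hr_admin")

SON_CLAIM = Record("son", "medical", "fam-1", 15, guardians=frozenset({"mother"}))
DAUGHTER_CLAIM = Record("daughter", "medical", "fam-1", 20, guardians=frozenset({"mother"}))
ACME_POLICY = Record("employee-7", "policy", "acme", 34)
ACME_MEDICAL = Record("employee-7", "medical", "acme", 34)


def sample_decisions() -> dict:
    """The slide's questions, answered under the assumptions above."""
    return {
        "mother_sees_son_web": decide(MOTHER, SON_CLAIM, "web"),
        "mother_sees_son_mobile": decide(MOTHER, SON_CLAIM, "mobile"),
        "mother_sees_daughter_web": decide(MOTHER, DAUGHTER_CLAIM, "web"),
        "daughter_sees_own": decide(DAUGHTER, DAUGHTER_CLAIM, "web"),
        "acme_hr_policy": decide(ACME_HR, ACME_POLICY, "web"),
        "acme_hr_medical": decide(ACME_HR, ACME_MEDICAL, "web"),
        "staff_internal": decide(STAFF, SON_CLAIM, "internal"),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name}: {decision}")
```

None of the portal outcomes needed a role: "mother", "guardian of a minor" and "HR administrator of account acme" are attributes of the user and the record, and the existing claims_handler role keeps working for staff exactly as before.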

Architecture with policy enforcement points (diagram): Internet (Web portal, Mobile portal, Agent/Partner applications) | Web application firewall, API gateway | Portal (API – channel layer) | Backend (Core backend systems)

Conclusions

For decades, Role Based Access Control (RBAC) has been the dominant model for authorization, but 21st century business scenarios are not well handled by it

Attributes and policies offer a dynamic and flexible method of authorization

Yet, ABAC does not replace RBAC!!!

Use ABAC to extend your investment in roles

As with any complex IAM project, start with smaller, well-scoped projects

So does ABAC help handle role explosion issues?

Fine-grained authorization policies more precisely address the targeted risks. Instead of adding roles for each and every new condition (time of day, type of mobile device you are using, authentication strength, user's relation to data subject, etc.), you add a logical condition to the policy.

Policy-driven authorization helps shift the perspective towards a focus on what really matters: the control objectives of the business rather than indirectly derived roles.