CIS14: The Very Latest in Authorization Standards

Gerry Gebel, Axiomatics
Update on the latest trends and happenings regarding authorization standards and commentary on projections on this topic for the coming year, including status of the JSON and REST profiles for XACML (it’s not just XML anymore), scenarios where OAuth and XACML can coexist, and what NIST’s published report on ABAC is all about.


  1. The Very Latest in Authorization Standards and Trends. Cloud Identity Summit - 2014. Gerry Gebel, Axiomatics, gerry@axiomatics.com, @ggebel. © 2014 Axiomatics AB
  2. Preamble: Authorization v.Next. Cloud Identity Summit 2014
  3. (image slide, no text)
  4. (image slide, no text)
  5. Having a policy language is a key differentiator for ABAC/XACML
  6. OAuth, UMA, JWT, XACML: finding the right combination
  7. Agenda
     - Business trends that are influencing authorization requirements
     - Externalized Authorization and ABAC
     - Standards update
     - JSON, REST, ALFA and more
     - Prognostications
  8. Business Trends & AuthZ. Cloud Identity Summit 2014
  9. (image slide, no text)
  10. Next generation information security = dynamic authorization = attribute based access control
  11. Legacy access controls fail in dynamic environments. ABAC thrives in dynamic environments.
  12. Grant or deny access to sensitive / business critical information based on the following attributes: Who, What, When, Where, Why, How
  13. "By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today." Gartner Predicts, March 2014
  14. Externalized Authorization and ABAC. Cloud Identity Summit 2014
  15. NIST Special Pub 800-162 *
     - "[ABAC] flexibility provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object"
     * nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
  16. Example from NIST report
     - Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients
     - Variables in the policy language enable very efficient policy structures, reducing the maintenance load
     - Management of heart patient records is part of the business application, not an IT function
     - Multiple attributes must be available for policy evaluation, either as part of the access request or retrieved from an authoritative source
  17. NIST example - expanded
     - Nurse Practitioners can View the Records of Patients in the same Department they are assigned to
     - This rule can apply to all departments in the hospital
     - Add a new department or change names of departments and the rule does not change
     - The rule compares the department of the Nurse Practitioner to the department of the Patient
     - Avoids the role explosion effect of RBAC models
  18. Applying ABAC to every layer of your application (ADAF)
  19. REST, JSON, & ALFA: what's new on the XACML standards front?
  20. What's in the XACML standard
     - XACML Reference Architecture
     - Policy Language
     - Request / Response Protocol
     Profiles add functionality: REST, JSON, Export Control, IP Protection, Hierarchical Resources, etc.
  21. The Request/Response format
     XACML Request: "Can Manager Alice approve Purchase Order 12367?"
     - Subject: User id = Alice, Role = Manager
     - Action: Action id = approve
     - Resource: Resource type = Purchase Order, PO # = 12367
     - Environment: Device Type = Laptop
     XACML Response: "Yes, she can"
     - Result: Decision: Permit, Status: ok
  22. XML encoding of an authZ request: "Can Alice Say Hello?"
      <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
          xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
      </xacml-ctx:Request>
  23. JSON encoding of an authZ request
      {"subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
       "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
       "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}}
  24. JSON vs. XML: size of a XACML request. Two bar charts compare the same request in its XML and JSON encodings: word count (axis 0 to 50) and character count (axis 0 to 1400); JSON is the smaller encoding on both measures.
  25. REST Profile (diagram): XML over HTTP, JSON over HTTP
  26. ALFA - Abbreviated Language for Authorization
     - Domain Specific Language (DSL) that provides an abstraction over XACML
     - Pseudo language is similar to C# or Java
     - Author policies in Eclipse IDE; the plug-in automatically generates XACML
     Axiomatics has committed to submit ALFA as an XACML profile
  27. A policy example, in English
      /**
       * A manager can approve a transaction if their approval limit is greater than
       * the transaction amount and if the risk is less than 5
       */
     Let's take a look at this policy in XACML and ALFA
  28. A policy example, in XACML (1)
      <?xml version="1.0" encoding="UTF-8"?>
      <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).-->
      <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
          PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
          Version="1.0">
        <xacml3:Description>Let a manager approve a transaction if their approval limit is greater than the transaction amount and if the risk is less than 5</xacml3:Description>
        <xacml3:PolicyDefaults>
          <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target>
          <xacml3:AnyOf>
            <xacml3:AllOf>
              <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
                <xacml3:AttributeDesignator AttributeId="userRole" DataType="http://www.w3.org/2001/XMLSchema#string"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" />
              </xacml3:Match>
              <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml3:AttributeValue>
                <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"
                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false" />
  29. A policy example, in XACML (2)
              </xacml3:Match>
              <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transaction</xacml3:AttributeValue>
                <xacml3:AttributeDesignator AttributeId="resourceType" DataType="http://www.w3.org/2001/XMLSchema#string"
                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" />
              </xacml3:Match>
            </xacml3:AllOf>
          </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction.allowIfLowRiskScore">
          <xacml3:Description />
          <xacml3:Target />
          <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
              <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than"/>
                <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">5.0</xacml3:AttributeValue>
                <xacml3:AttributeDesignator AttributeId="transactionRiskScore" DataType="http://www.w3.org/2001/XMLSchema#double"
                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" />
  30. A policy example, in XACML (3)
              </xacml3:Apply>
              <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
                <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal"/>
                <xacml3:AttributeDesignator AttributeId="transactionAmount" DataType="http://www.w3.org/2001/XMLSchema#double"
                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" />
                <xacml3:AttributeDesignator AttributeId="userApprovalLimit" DataType="http://www.w3.org/2001/XMLSchema#double"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" />
              </xacml3:Apply>
            </xacml3:Apply>
          </xacml3:Condition>
        </xacml3:Rule>
      </xacml3:Policy>
  31. A policy example, in ALFA
      policy allowTransaction {
          target clause userRole == "manager" and actionId == "approve" and resType == "transaction"
          apply firstApplicable
          rule allowIfLowRiskScore {
              condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
              permit
          }
      }
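The two policies the slides walk through, the expanded NIST department rule (slide 17) and the allowTransaction policy (slides 27 to 31), evaluated by a small XACML-style decision function. This is an added example written for this page, not code from the slides, from Axiomatics or from OASIS; the attribute ids used for the nurse policy (department, patient-record, nurse-practitioner) and the make_request helper are assumptions. It models what the XACML above actually does: attribute bags per category, Target Matches with string-equal, Conditions built from any-of and any-of-any, and first-applicable rule combining. The point a practitioner should take from the no_limit case is that a missing attribute (MustBePresent="false") gives an empty bag, the higher-order functions return false over it, and the result is NotApplicable rather than Deny, so the PEP must treat anything other than Permit as a denial.

```python
"""Mini XACML-style PDP (added illustration, not Axiomatics or OASIS code).
Requests use the slide-23 JSON shape. Attribute ids for the nurse policy are assumed."""
from typing import Callable, Dict, List

Bag = List[object]
Request = Dict[str, Bag]          # "category/attributeId" -> bag of values
PERMIT, NOT_APPLICABLE = "Permit", "NotApplicable"


def parse_request(req_json: dict) -> Request:
    """Flatten {"subject": {"attribute": [{"attributeId": .., "value": ..}]}, ...} into bags."""
    bags: Request = {}
    for category, body in req_json.items():
        for attr in body.get("attribute", []):
            value = attr["value"]
            values = value if isinstance(value, list) else [value]
            bags.setdefault(f"{category}/{attr['attributeId']}", []).extend(values)
    return bags


def bag(req: Request, category: str, attr_id: str) -> Bag:
    """AttributeDesignator with MustBePresent="false": a missing attribute is an empty bag."""
    return req.get(f"{category}/{attr_id}", [])


def any_of(fn: Callable, value, items: Bag) -> bool:
    """urn:oasis:names:tc:xacml:1.0:function:any-of (false over an empty bag)."""
    return any(fn(value, x) for x in items)


def any_of_any(fn: Callable, left: Bag, right: Bag) -> bool:
    """urn:oasis:names:tc:xacml:1.0:function:any-of-any (false if either bag is empty)."""
    return any(fn(a, b) for a in left for b in right)


def match_target(req: Request, target) -> bool:
    """AllOf of string-equal Matches: each literal must equal some value in its designator's bag."""
    return all(any_of(lambda lit, x: lit == x, lit, bag(req, cat, attr)) for cat, attr, lit in target)


def evaluate(policy: dict, req: Request) -> str:
    """first-applicable: the first Rule whose Condition holds yields its Effect, else NotApplicable."""
    if not match_target(req, policy["target"]):
        return NOT_APPLICABLE
    for effect, condition in policy["rules"]:
        if condition(req):
            return effect
    return NOT_APPLICABLE


def pep_allows(decision: str) -> bool:
    """A PEP grants only on Permit; Deny, NotApplicable and Indeterminate all mean no access."""
    return decision == PERMIT


# Slide 31's allowTransaction policy, expressed for this evaluator.
ALLOW_TRANSACTION = {
    "target": [("subject", "userRole", "manager"),
               ("action", "action-id", "approve"),
               ("resource", "resourceType", "transaction")],
    "rules": [(PERMIT, lambda r:
               any_of(lambda lit, x: lit > x, 5.0, bag(r, "resource", "transactionRiskScore"))
               and any_of_any(lambda a, b: a <= b,
                              bag(r, "resource", "transactionAmount"),
                              bag(r, "subject", "userApprovalLimit")))],
}

# Slide 17's expanded NIST rule: compare two department attributes instead of one role per
# department (attribute ids assumed for the example).
NURSE_VIEWS_OWN_DEPARTMENT = {
    "target": [("subject", "userRole", "nurse-practitioner"),
               ("action", "action-id", "view"),
               ("resource", "resourceType", "patient-record")],
    "rules": [(PERMIT, lambda r: any_of_any(lambda a, b: a == b,
                                           bag(r, "subject", "department"),
                                           bag(r, "resource", "department")))],
}


def make_request(subject: dict, action: dict, resource: dict) -> dict:
    """Build the slide-23 JSON shape from plain dicts (constructed sample input)."""
    return {cat: {"attribute": [{"attributeId": k, "value": v} for k, v in attrs.items()]}
            for cat, attrs in (("subject", subject), ("action", action), ("resource", resource))}


def demo() -> Dict[str, str]:
    approve, view = {"action-id": "approve"}, {"action-id": "view"}
    manager = {"userRole": "manager", "userApprovalLimit": 10000.0}
    txn = {"resourceType": "transaction", "transactionAmount": 2500.0, "transactionRiskScore": 3.0}
    nurse = {"userRole": "nurse-practitioner", "department": "cardiology"}
    record = {"resourceType": "patient-record", "department": "cardiology"}
    run = lambda policy, s, a, r: evaluate(policy, parse_request(make_request(s, a, r)))
    return {
        "manager_ok": run(ALLOW_TRANSACTION, manager, approve, txn),
        "too_risky": run(ALLOW_TRANSACTION, manager, approve, {**txn, "transactionRiskScore": 7.0}),
        # userApprovalLimit absent: empty bag, any-of-any is false, NotApplicable (not Deny)
        "no_limit": run(ALLOW_TRANSACTION, {"userRole": "manager"}, approve, txn),
        "same_department": run(NURSE_VIEWS_OWN_DEPARTMENT, nurse, view, record),
        # a new department needs no new rule; a mismatch simply falls through
        "cross_department": run(NURSE_VIEWS_OWN_DEPARTMENT, nurse, view, {**record, "department": "oncology"}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision} -> PEP {'allows' if pep_allows(decision) else 'denies'}")
```

Running the block prints one line per case; manager_ok and same_department come back Permit, the other three NotApplicable. The same evaluator serves both policies because nothing in it is specific to departments or transactions, which is the "variables in the policy language" point slide 16 makes.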
  32. Prognostications: OAuth & XACML? Further simplification of XACML?
  33. How can OAuth and XACML complement each other?
     - OAuth: popular authZ mechanism for API security and consumer scenarios
     - Missing from OAuth: declarative policy language
     What if XACML policies were used to control scopes for OAuth tokens?
  34. Easy consumption of JWT tokens for advanced authorization via XACML-based service (diagram: a JWT feeding the JSON request below)
      {"subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
       "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
       "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}}
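Slide 34 shows a JWT feeding the JSON request; the step it leaves implicit is that the token's claims are only usable as XACML attributes after the token has been verified. The following is an added example for this page, not Axiomatics code: an HS256 JWT is checked with the standard library (algorithm pinned, MAC compared in constant time, exp and aud enforced) and only then mapped into the slide-23 JSON request shape. The key, audience, claim names and the claim-to-attribute mapping are constructed for the demo; a real deployment would use the issuer's keys and its own mapping.

```python
"""Added illustration (not Axiomatics code): verified JWT -> slide-23 style XACML JSON request.
HS256 only, via hmac from the standard library. Key, audience and claim names are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """HS256 token; used here only to build the sample input."""
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, audience: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if alg is HS256, the MAC checks, exp is in the future and aud matches."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None                     # the verifier pins the algorithm; the token never chooses it
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:                      # bad base64 / JSON / UTF-8 all derive from ValueError
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None                         # a missing exp is rejected, not treated as "never expires"
    if claims.get("aud") != audience:
        return None                         # token was issued for some other service
    return claims


# Which verified claims become which subject attributes (assumed mapping for the demo).
CLAIM_TO_ATTRIBUTE = {"sub": "username", "role": "role", "scope": "scope"}


def claims_to_request(claims: dict, resource_id: str, action_id: str) -> dict:
    """Build the slide-23 JSON shape; a space-delimited scope string becomes a bag of values."""
    subject = []
    for claim, attr_id in CLAIM_TO_ATTRIBUTE.items():
        if claim in claims:
            value = claims[claim]
            if claim == "scope" and isinstance(value, str):
                value = value.split()
            subject.append({"attributeId": attr_id, "value": value})
    return {"subject": {"attribute": subject},
            "resource": {"attribute": [{"attributeId": "resource-id", "value": resource_id}]},
            "action": {"attribute": [{"attributeId": "action-id", "value": action_id}]}}


def request_from_token(token: str, key: bytes, audience: str, resource_id: str,
                       action_id: str, now: Optional[float] = None) -> Optional[dict]:
    """Verify first, map second; None means the PEP has no attributes to send and must deny."""
    claims = verify_jwt(token, key, audience, now)
    return None if claims is None else claims_to_request(claims, resource_id, action_id)


DEMO_KEY = b"constructed-demo-key-not-for-real-use"     # constructed for the example
DEMO_AUD = "xacml-pdp"
DEMO_NOW = 1_700_000_000


def demo():
    """One good token and three negative cases every token-consuming front end should cover."""
    token = mint_jwt({"sub": "alice", "role": "manager", "scope": "say read",
                      "aud": DEMO_AUD, "exp": DEMO_NOW + 300}, DEMO_KEY)
    good = request_from_token(token, DEMO_KEY, DEMO_AUD, "hello", "say", now=DEMO_NOW)
    header_b64, _, sig_b64 = token.split(".")
    edited_payload = b64url_encode(json.dumps({"sub": "alice", "role": "admin", "aud": DEMO_AUD,
                                               "exp": DEMO_NOW + 300}).encode())
    edited = request_from_token(f"{header_b64}.{edited_payload}.{sig_b64}", DEMO_KEY, DEMO_AUD,
                                "hello", "say", now=DEMO_NOW)          # payload changed after signing
    expired = request_from_token(token, DEMO_KEY, DEMO_AUD, "hello", "say", now=DEMO_NOW + 301)
    wrong_aud = request_from_token(token, DEMO_KEY, "other-api", "hello", "say", now=DEMO_NOW)
    return good, edited, expired, wrong_aud


if __name__ == "__main__":
    good, edited, expired, wrong_aud = demo()
    print(json.dumps(good, indent=1))
    print("edited:", edited, "expired:", expired, "wrong audience:", wrong_aud)
```

The good request carries username, role and a multi-valued scope attribute; the edited, expired and wrong-audience tokens all yield None, so no request is ever built from claims that were not verified.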
  35. On the further simplification of XACML
     - REST and JSON profiles greatly simplify the developer experience
     - See David Brossard's workshop material from Sunday
     - But what about the policy language?
  36. SCIM + XACML
  37. Questions? Thank you for listening
