Externalising or modularising access rules outside the application, in so-called policies, is a fundamental software engineering tactic. In this talk we discuss how application developers can decouple access control rules from application code, and how current technologies support this. We also discuss how a security expert can express access control policies in an independent format, and how they can manage those policies to align them with, for example, rules from different departments or enterprise-wide regulations.
8. Basic approach: rules in code
[....]
if (! ("manager" in user.roles
and doc.owner == user
and 8h00 < now() < 17h00 )) {
[...]
}
+ straightforward
+ you can encode almost anything
- access rules are code
- no separation of concerns
- no modularity leads to audit challenge
- what if rules change?
▪ update application code
▪ updates all over the place
9. More advanced approach: modularization
@authz(user, "read", result)
public Document getDoc(docId) { [...] }
+ central definition of rules
+ easier to audit
- access rules are code
- IT is still in charge
- no separation of concerns
- what if rules change?
▪ update application code
▪ updates all over the place
// the central rule definition that the @authz annotation delegates to
public boolean authz(
subject, action, resource) {
if (! ("manager" in subject.roles and …)) { [...] }
}
10. Most advanced approach: policy-based
@authz(user, "read", result)
public Document getDoc(docId) { [...] }
[Diagram: the @authz call is delegated to a Policy Decision Point, which evaluates the externally defined Policy]
+ central authorization logic
+ central definition of rules
+ easy to audit
+ access rules independent artifacts
+ clear separation of concerns
+ rule updates at run-time
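The policy-based approach from the slide above, as an added Python example that is not part of the deck: the slide 8 rule (manager, owner, office hours) becomes data, a Policy Decision Point evaluates it, and an @authz decorator is the enforcement point in the application. The PolicyDecisionPoint class, the OPS condition language and the policy format are assumptions made for this example, and the subject, document and times are constructed.

```python
from datetime import datetime

# Constructed sample: the deck's "manager AND owner AND office hours" rule written as
# data (the Policy) instead of code, so it can be replaced at run time without a redeploy.
POLICY = {
    "read": [  # every condition must hold (logical AND); unknown actions are denied
        {"attr": "subject.roles", "op": "contains", "value": "manager"},
        {"attr": "resource.owner", "op": "eq_attr", "value": "subject.name"},
        {"attr": "env.hour", "op": "between", "value": [8, 17]},  # 08:00 <= t < 17:00
    ],
}

def _lookup(ctx, path):  # resolve a dotted path such as 'resource.owner' in the context
    for part in path.split("."):
        ctx = ctx[part]
    return ctx

OPS = {  # condition language; an unknown "op" raises KeyError, so a bad policy fails closed
    "contains": lambda actual, v, ctx: v in actual,
    "eq_attr": lambda actual, v, ctx: actual == _lookup(ctx, v),
    "between": lambda actual, v, ctx: v[0] <= actual < v[1],
}

class PolicyDecisionPoint:  # central authorization logic; knows the policy, not Documents
    def __init__(self, policy):
        self.policy = policy
    def update(self, policy):  # rule update at run time: no application code is touched
        self.policy = policy
    def decide(self, subject, action, resource, now):
        ctx = {"subject": subject, "resource": resource, "env": {"hour": now.hour}}
        conds = self.policy.get(action, [])  # no rule for the action: default deny
        return bool(conds) and all(
            OPS[c["op"]](_lookup(ctx, c["attr"]), c["value"], ctx) for c in conds)

PDP = PolicyDecisionPoint(POLICY)
DOCS = {"d1": {"owner": "alice", "body": "budget"}}  # constructed resource store

def authz(action):  # enforcement point: the slides' @authz(user, "read", result)
    def wrap(fn):
        def inner(subject, doc_id, now=None):
            doc = fn(subject, doc_id)  # fetch the resource, then ask the PDP
            if not PDP.decide(subject, action, doc, now or datetime.now()):
                raise PermissionError(f"{subject['name']} may not {action} {doc_id}")
            return doc
        return inner
    return wrap

@authz("read")
def get_doc(subject, doc_id):
    return DOCS[doc_id]
```

Calling PDP.update() with a new policy dict changes who may read without touching get_doc, which is the run-time rule update the slide lists as an advantage.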
21. Decoupling from application logic is hard
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBuckets",
"Resource": "arn:aws:s3:::example_bucket"
}
}
s3:ListBucket (the actual name of the S3 action; the policy above misspells it, so it would not grant the intended permission)
22. Open research challenges
● Improve performance & scalability of the PDP
● Interoperability across multiple applications
● Access rules for the database layer
● Conflict resolution in policies
● Management of policies
● Supporting organizational processes
24. Conclusions
Policy-based access control
● Enables exciting new opportunities
○ Allows decent access management processes
○ Keep access control system in sync with your business
● Technology-wise still some hurdles
● Be future-proof by modularizing authorization!
25. Policy-based access control
Any further questions?
Contact us at
Willem.DeGroef@kuleuven.be
Interested in our events?
Subscribe here
http://bit.ly/DistrinetAccessControl