Policy-based access control
Willem De Groef, iMinds-DistriNet
Willem.DeGroef@kuleuven.be
● Software artifact
● Declarative specification of access rules
● Independent from enforcement mechanism
PBAC and what it can mean for your business (diagram: business policy, employees, governance, operational)
Explaining PBAC
General Access Control System (diagram: a user, subject or principal requests an action on a protected resource; a guard mediates the request)
1. How and where to implement the guard
2. How to encode the access rules
Basic approach: rules in code
[....]
if (!("manager" in user.roles
      and doc.owner == user
      and 8h00 < now() < 17h00)) {
    [...]
}
+ straightforward
+ you can encode almost anything
- access rules are code
- no separation of concerns
- no modularity, which makes auditing hard
- what if rules change?
  ▪ update application code
  ▪ updates all over the place
More advanced approach: modularization
@authz(user, "read", result)
public Document getDoc(docId) { [...] }

public boolean authz(subject, action, resource) {
    if (!("manager" in subject.roles and …)) { [...] }
}
+ central definition of rules
+ easier to audit
- access rules are code
- IT is still in charge
- no separation of concerns
- what if rules change?
  ▪ update application code
  ▪ updates all over the place
Most advanced approach: policy-based
@authz(user, "read", result)
public Document getDoc(docId) { [...] }
(diagram: the authz guard hands the request to a Policy Decision Point, which evaluates the policy)
+ central authorization logic
+ central definition of rules
+ easy to audit
+ access rules independent artifacts
+ clear separation of concerns
+ rule updates at run-time
Not all rainbows and unicorns
<Policy PolicyId="dynamic-separation-of-duty"
        RuleCombiningAlgId="deny-overrides">
  <Description>Dynamic separation of duty</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="string-equal">
          <AttributeValue DataType="string">doc123</AttributeValue>
          <ResourceAttributeDesignator AttributeId="resource:id" DataType="string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule RuleId="deny" Effect="Deny">
    <Description>Deny if the subject has viewed the other document</Description>
    <Condition>
      <Apply FunctionId="string-is-in">
        <AttributeValue DataType="string">doc456</AttributeValue>
        <SubjectAttributeDesignator AttributeId="subject:history" DataType="string"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="default-permit" Effect="Permit"/>
  <Obligations>
    <!-- on Permit, the enforcement point must append the resource id to the subject's history -->
    <Obligation ObligationId="append-attribute" FulfillOn="Permit">
      <AttributeAssignment AttributeId="value" DataType="string">
        <ResourceAttributeDesignator AttributeId="resource:id" DataType="string"/>
      </AttributeAssignment>
      <AttributeAssignment AttributeId="attribute-id" DataType="string">subject:history</AttributeAssignment>
    </Obligation>
  </Obligations>
</Policy>
Independent declarative policy specification
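The guard/PDP split of the earlier slides and the dynamic-separation-of-duty policy above, worked through in Python as an added example (not code from the presentation): a small PDP with deny-overrides rule and policy combining, the obligation that records viewed documents in subject:history, and an `authz` decorator acting as the guard. The Request/Rule/Policy classes, the function and attribute names, and the two sample subjects are constructed for this example; the one-sided policy on the slide is generalized to the symmetric pair that separation of duty implies.

```python
from dataclasses import dataclass, field
from typing import Callable

DENY, PERMIT, NOT_APPLICABLE = "Deny", "Permit", "NotApplicable"

@dataclass
class Request:                      # the attributes the guard hands to the PDP
    subject: dict
    action: str
    resource: dict

@dataclass
class Rule:
    rule_id: str
    effect: str
    condition: Callable[[Request], bool] = lambda req: True   # no <Condition>: always applies

@dataclass
class Policy:
    policy_id: str
    target: Callable[[Request], bool]
    rules: list
    obligations: list = field(default_factory=list)   # (FulfillOn effect, action to perform)
    def evaluate(self, req: Request) -> tuple:
        """RuleCombiningAlgId deny-overrides: one applicable Deny rule wins."""
        if not self.target(req):
            return NOT_APPLICABLE, []
        effects = {rule.effect for rule in self.rules if rule.condition(req)}
        decision = DENY if DENY in effects else PERMIT if PERMIT in effects else NOT_APPLICABLE
        return decision, [ob for ob in self.obligations if ob[0] == decision]

def append_history(req: Request) -> None:
    """The slide's obligation: append resource:id to subject:history on Permit."""
    req.subject.setdefault("history", []).append(req.resource["id"])

def make_dsod_policy(this_doc: str, other_doc: str) -> Policy:
    """One side of the slide's policy: deny this_doc once other_doc is in the history."""
    return Policy(
        policy_id=f"dynamic-separation-of-duty-{this_doc}",
        target=lambda req: req.resource["id"] == this_doc,   # <Target>: resource:id string-equal
        rules=[Rule("deny", DENY, lambda req: other_doc in req.subject.get("history", [])),
               Rule("default-permit", PERMIT)],
        obligations=[(PERMIT, append_history)],
    )

class PolicyDecisionPoint:
    """Combines policies with deny-overrides; NotApplicable when none targets the request."""
    def __init__(self, policies: list):
        self.policies = policies
    def decide(self, req: Request) -> tuple:
        decision, obligations = NOT_APPLICABLE, []
        for policy in self.policies:
            verdict, obs = policy.evaluate(req)
            if verdict == DENY:
                return DENY, []
            if verdict == PERMIT:
                decision, obligations = PERMIT, obligations + obs
        return decision, obligations

def authz(pdp: PolicyDecisionPoint, action: str):
    """The guard of the slides as a decorator: ask the PDP first, refuse anything but Permit."""
    def wrap(fn):
        def guarded(subject: dict, resource: dict):
            req = Request(subject, action, resource)
            decision, obligations = pdp.decide(req)
            if decision != PERMIT:                  # default deny, NotApplicable included
                raise PermissionError(decision)
            result = fn(subject, resource)
            for _, fulfil in obligations:           # a Permit only holds once obligations are met
                fulfil(req)
            return result
        return guarded
    return wrap

PDP = PolicyDecisionPoint([make_dsod_policy("doc123", "doc456"),
                           make_dsod_policy("doc456", "doc123")])

@authz(PDP, "view")
def get_doc(subject: dict, resource: dict) -> str:
    return f"contents of {resource['id']}"          # application logic, free of access rules

def run_scenario() -> dict:
    """Constructed sample subjects; every outcome is returned so the run can be checked."""
    alice, bob, outcomes = {"id": "alice"}, {"id": "bob"}, []
    for subject, doc_id in [(alice, "doc456"),   # alice's first document: permitted, recorded
                            (alice, "doc123"),   # the conflicting document: denied
                            (bob, "doc123"),     # bob starts fresh: permitted
                            (bob, "doc123"),     # re-reading the same document is fine
                            (bob, "doc999")]:    # no policy targets it: refused by default
        try:
            outcomes.append(get_doc(subject, {"id": doc_id}))
        except PermissionError as exc:
            outcomes.append(f"refused: {exc}")
    return {"outcomes": outcomes, "alice_history": alice["history"], "bob_history": bob["history"]}
```

Note that the access rules live entirely in `make_dsod_policy`; `get_doc` and the guard never change when the rule does, which is the separation of concerns the slides argue for.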
1. Easy-to-use policy languages
XACML policy editor (screenshot)
IDE for the ALFA policy language (screenshot)
Simple Tree-structured Attribute-based Policy Language (https://goo.gl/F2RE8g):
val policy = Policy("e-health example") :=
  when ((action.id === "view") &
        (resource.type_ === "patient-data") &
        ("physician" in subject.roles))
  apply PermitOverrides to (
    Rule("requirement-for-permit") := permit
      iff (resource.owner_id in subject.treated),
    Rule("default deny") := deny
  )
2. Correctness & completeness support
Only syntactic correctness checks
Decoupling from application logic is hard
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBuckets",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
s3:ListBucket is the actual action name; the policy above says s3:ListBuckets, a mismatch that a purely syntactic check does not catch.
Open research challenges
● Improve performance & scalability of the PDP
● Interoperability across multiple applications
● Access rules for the database layer
● Conflict resolution in policies
● Management of policies
● Supporting organizational processes
Conclusions
Policy-based access control
● Enables exciting new opportunities
○ Allows decent access management processes
○ Keeps the access control system in sync with your business
● Technology-wise there are still some hurdles
● Be future-proof by modularizing authorization!
Policy-based access control
Any further questions?
Contact us at
Willem.DeGroef@kuleuven.be
Interested in our events?
Subscribe here
http://bit.ly/DistrinetAccessControl

PBAC Explained: Benefits and Challenges of Policy-Based Access Control