Gerry Gebel, President, Axiomatics Americas
The most important, sensitive and valuable information your organization manages is exactly what your partners, customers and internal teams require access to. How do you implement this need-to-share business model without disclosing too much data and running afoul of laws, regulations or internal business rules? This session will describe how access policies and attributes are combined to provide a flexible and effective authorization solution.
CIS13: Policy Enabled Access Control: Meeting “Need to Share” Business Requirements
1. Policy Enabled Access Control: Meeting "Need to Share" Business Requirements
Gerry Gebel, President, Axiomatics Americas
ggebel@axiomatics.com
@ggebel
#cisNAPA
3. Objectives for this session
- Think more about attributes (business metadata)
- And less about entitlements (IT metadata)
4. Financial services
- Account managers can view/edit records of clients directly assigned to them
- Account managers can view records for all clients in their branch, except VIP clients
- Managers can view/edit records of clients assigned to their subordinates
5. Electronic health records (examples from NIST SP 800-162, the ABAC guide)
- Nurse Practitioners in the Cardiology Department can view the records of heart patients
- Billing administrators can view non-medical data for patients in the same state
- Emergency access is permitted, but logged
6. CRM
- Users can view customer cases for their LOB, country, region, role, or if they created the case
- Users with risk level != HIGH can approve cases
- For certain cases, e.g. Singapore, the user must be domiciled in the same country as the customer case
9. It's all about the Attributes!
- Attributes
  - Are sets of labels or properties
  - Describe all aspects of entities that must be considered for authorization purposes
- Attribute Based Access Control (ABAC)
  - Uses attributes as building blocks
10. An Authorization Service De-coupled from Applications
(Diagram labels:) Standards-Compliant Authorization Service; Fine-Grained; Context-Aware; Attribute-based Access Control; Externalized AuthZ; Policy-based Access Control
11. Need to Share vs. Perimeters
Does the perimeter matter?
18. Implementing the "need to share" model
Using attributes, policies and standards
19. The XACML Standard
- eXtensible Access Control Markup Language
- An OASIS standard
- The de facto standard for fine-grained access control
- Current version: 3.0
- XACML defines
  - A policy language
  - A request / response scheme
    - with XML, SOAP, REST & JSON bindings
  - A reference architecture
20. The XACML Architecture
- Manage: Policy Administration Point (PAP)
- Decide: Policy Decision Point (PDP)
- Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
- Enforce: Policy Enforcement Point (PEP)
24. The Importance of Attribute Governance
- See the "garbage in, garbage out" principle
- Access policies rely on the validity/assurance of attribute values
- Some attributes will be managed by an attribute governance solution (mostly IT data)
- Other attributes are managed by your business activities (client data, research data, health records, etc.)
25. Governance: Authorization possibilities
- Governance tools keep track of "privilege granting attributes"
  - Enhances reporting and attestation
- Governance tools expose risk scores
  - Has the user's access been certified on schedule?
  - Does the user have a high risk profile?
- Authorization system can incorporate risk data
  - If $riskScore > $threshold Then DENY access
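The policies on slides 4 and 5, the PDP/PIP split on slide 20 and the risk rule on slide 25 can be tied together in a few dozen lines. The block below is an added illustration written for this page; it is not Axiomatics product code nor OASIS reference code. The subject and client attribute stores, the names alice/bob/carol, the client ids, the "emergency" environment attribute and the risk threshold of 70 are all constructed for the example; only the three urn:oasis:names:tc:xacml:1.0 attribute identifiers are real XACML ones, and the Response shape is a simplified form of the XACML 3.0 JSON profile.

```python
"""Toy policy decision point in the XACML mould: added illustration, not
Axiomatics or OASIS code. Attribute stores, ids and threshold are hypothetical."""
import json

# Constructed attribute sources standing in for Policy Information Points (PIPs).
# A real PIP would pull these from HR, the governance tool or the CRM per decision.
PIP_SUBJECTS = {
    "alice": {"role": "account_manager", "branch": "napa", "risk_score": 20},
    "bob":   {"role": "account_manager", "branch": "napa", "risk_score": 85},
    "carol": {"role": "manager", "branch": "napa", "risk_score": 10,
              "subordinates": ["alice"]},
}
PIP_CLIENTS = {
    "client-1": {"branch": "napa",   "vip": False, "account_manager": "alice"},
    "client-2": {"branch": "napa",   "vip": True,  "account_manager": "bob"},
    "client-3": {"branch": "sonoma", "vip": False, "account_manager": "dave"},
}
RISK_THRESHOLD = 70  # hypothetical $threshold supplied by the governance tool


# Each rule returns (effect, obligations) or None when it does not apply.
def rule_high_risk(s, r, a, env):
    """If $riskScore > $threshold then DENY (governance data in the decision)."""
    return ("Deny", []) if s.get("risk_score", 0) > RISK_THRESHOLD else None


def rule_own_clients(s, r, a, env):
    """Account managers can view/edit records of clients assigned to them."""
    if (s.get("role") == "account_manager" and a in ("view", "edit")
            and r.get("account_manager") == s.get("id")):
        return "Permit", []
    return None


def rule_branch_view(s, r, a, env):
    """Account managers can view all clients in their branch, except VIP clients."""
    if (s.get("role") == "account_manager" and a == "view"
            and s.get("branch") == r.get("branch") and not r.get("vip", False)):
        return "Permit", []
    return None


def rule_manager(s, r, a, env):
    """Managers can view/edit records of clients assigned to their subordinates."""
    if (s.get("role") == "manager" and a in ("view", "edit")
            and r.get("account_manager") in s.get("subordinates", [])):
        return "Permit", []
    return None


def rule_emergency(s, r, a, env):
    """Emergency access is permitted, but logged: the Permit carries an obligation."""
    if env.get("emergency") is True and a == "view":
        return "Permit", [{"Id": "log-emergency-access",
                           "subject": s.get("id"), "resource": r.get("id")}]
    return None


RULES = [rule_high_risk, rule_own_clients, rule_branch_view, rule_manager, rule_emergency]


def decide(request):
    """PDP: enrich the request from the PIPs, evaluate every rule, combine with
    deny-overrides, and fall back to Deny when nothing applies (deny-biased PEP)."""
    s = dict(request.get("subject", {}))
    s.update(PIP_SUBJECTS.get(s.get("id"), {}))
    r = dict(request.get("resource", {}))
    r.update(PIP_CLIENTS.get(r.get("id"), {}))
    a, env = request.get("action"), request.get("env", {})
    results = [res for res in (rule(s, r, a, env) for rule in RULES) if res]
    if any(effect == "Deny" for effect, _ in results):
        return {"decision": "Deny", "obligations": []}
    if any(effect == "Permit" for effect, _ in results):
        return {"decision": "Permit",
                "obligations": [ob for _, obs in results for ob in obs]}
    return {"decision": "Deny", "obligations": []}


# Standard XACML 3.0 attribute identifiers; "emergency" below is a local, made-up one.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def decide_xacml_json(text):
    """Accept a request shaped like the XACML 3.0 JSON profile and answer in a
    simplified form of that profile's Response object."""
    req = json.loads(text)["Request"]

    def attrs(category):
        return {x["AttributeId"]: x["Value"]
                for x in req.get(category, {}).get("Attribute", [])}

    subj, res, act, env = (attrs(c) for c in
                           ("AccessSubject", "Resource", "Action", "Environment"))
    out = decide({"subject": {"id": subj.get(SUBJECT_ID)},
                  "resource": {"id": res.get(RESOURCE_ID)},
                  "action": act.get(ACTION_ID), "env": env})
    return json.dumps({"Response": [{"Decision": out["decision"],
                                     "Obligations": out["obligations"]}]})


if __name__ == "__main__":
    # Constructed request: carol views client-3 (another branch) under emergency.
    sample = json.dumps({"Request": {
        "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": "carol"}]},
        "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": "client-3"}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": "view"}]},
        "Environment": {"Attribute": [{"AttributeId": "emergency", "Value": True}]}}})
    print(decide_xacml_json(sample))
```

Two design points worth noticing. First, the PEP only ever sends identifiers; every attribute that grants privilege (role, branch, VIP flag, risk score) is fetched by the PDP from the PIPs, which is exactly why slide 24's governance of those attribute sources matters: a wrong branch or a stale risk score flips the decision. Second, deny-overrides means bob is refused even on his own client once his governance risk score exceeds the threshold, and an emergency Permit is returned together with a logging obligation the PEP must honour before releasing the record, which is how "permitted, but logged" is expressed rather than left to the application.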
27. Benefits of Data Governance
- Securely enable new and existing business models
- Easier to manage applications
  - Decouple authorization from the application: easier to implement changes to the system
- More secure applications
  - Consistently enforce policies across heterogeneous platforms and systems at the level of granularity required
- Achieve audit and regulatory compliance
  - A declarative policy language makes auditing and certifying application access a straightforward process