SlideShare une entreprise Scribd logo

CIS14: The Very Latest in Authorization Standards

CloudIDSummit
CloudIDSummit

Gerry Gebel, Axiomatics Update on the latest trends and happenings regarding authorization standards and commentary on projections on this topic for the coming year, including status of the JSON and REST profiles for XACML (it’s not just XML anymore), scenarios where OAuth and XACML can coexist, and what NIST’s published report on ABAC is all about.

Technologie
1  sur  37
Télécharger pour lire hors ligne
The  Very  Latest  in  Authorization   Standards  and  Trends   Cloud Identity Summit - 2014 Gerry Gebel Axiomatics gerry@axiomatics.com @ggebel © 2014 Axiomatics AB 1
Preamble   Authorization v.Next Cloud Identity Summit 2014 © 2014 Axiomatics AB 2
© 2014 Axiomatics AB 3
© 2014 Axiomatics AB 4
© 2014 Axiomatics AB 5 Having a policy language is a key differentiator for ABAC/XACML
© 2014 Axiomatics AB 6 OAuth UMA JWT XACML Finding the right combination
Agenda   §  Business trends that are influencing authorization requirements §  Externalized Authorization and ABAC §  Standards update §  JSON, REST, ALFA and more §  Prognostications Cloud Identity Summit 2014 © 2014 Axiomatics AB 7
Business  Trends  &  AuthZ   Cloud Identity Summit 2014 © 2014 Axiomatics AB 8
© 2014 Axiomatics AB 9
© 2014 Axiomatics AB 10 Next generation information security = dynamic authorization = attribute based access control
Legacy  access  controls  fail  in   dynamic  environments     © 2014 Axiomatics AB 11 ABAC  thrives  in  dynamic   environments
© 2014 Axiomatics AB 12 Who WhatSensitive / business critical Information Grant or deny access based on the following attributes When Where Why How
© 2014 Axiomatics AB 13 By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today. “ ” Gartner Predicts, March 2014
Externalized  Authorization     and  ABAC   Cloud Identity Summit 2014 © 2014 Axiomatics AB 14
NIST  Special  Pub  800-­‐162  *   §  “[ABAC] flexibility provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object” © 2014 Axiomatics AB 15 * nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
Example  from  NIST  report   §  Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients §  Variables in the policy language enable very efficient policy structures – reducing the maintenance load §  Management of heart patient records is part of the business application – not an IT function §  Multiple attributes must be available for policy evaluation – either as part of the access request or retrieved from an authoritative source © 2014 Axiomatics AB 16
NIST  example  -­‐  expanded   §  Nurse Practitioners can View the Records of Patients in the same Department they are assigned to §  This rule can apply to all departments in the hospital §  Add a new department or change names of department and the rule does not change §  Rule compares department of the Nurse Practitioner to the department of the Patient §  Avoids the role explosion effect of RBAC models © 2014 Axiomatics AB 17
Applying ABAC to every layer of your application ADAF © 2014 Axiomatics AB 18
REST,  JSON,  &  ALFA   What’s new on the XACML standards front? © 2014 Axiomatics AB 19
§  Profiles add functionality §  REST §  JSON §  Export Control §  IP Protection §  Hierarchal Resources §  Etc. What’s in the XACML standard XACML Reference Architecture Policy Language Request / Response Protocol © 2014 Axiomatics AB 20
The Request/Response format •  Subject User id = Alice Role = Manager •  Action Action id = approve •  Resource Resource type = Purchase Order PO #= 12367 •  Environment Device Type = Laptop XACML Request Can Manager Alice approve Purchase Order 12367? XACML Response Yes, she can •  Result Decision: Permit Status: ok © 2014 Axiomatics AB 21
XML encoding of an authZ request <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml- ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml- ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" > </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml- ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml- ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> </xacml-ctx:Request> Can Alice Say Hello? © 2014 Axiomatics AB 22
JSON encoding of an authZ request {"subject": {"attribute":[{ "attributeId":"username", "value":"alice"}]}, "resource": {"attribute":[{ "attributeId":"resource-id", "value":"hello"}]}, "action": {"attribute":[{ "attributeId":"action-id", "value":"say"}]}} © 2014 Axiomatics AB 23
JSON vs. XML 0 10 20 30 40 50 Word count XML JSON 0 200 400 600 800 1000 1200 1400 Char. Count XML JSON Size of a XACML request © 2014 Axiomatics AB 24
REST  Profile   XML over HTTP XML over HTTP JSON over HTTP JSON over HTTP © 2014 Axiomatics AB 25
ALFA  –  Abbreviated  Language  for  Authorization   §  Domain Specific Language (DSL) that provides an abstraction over XACML §  Pseudo language is similar to C# or Java §  Author policies in Eclipse IDE, plug in automatically generates XACML © 2014 Axiomatics AB 26 Axiomatics has committed to submit ALFA as an XACML profile
A policy example, in English /** * A manager can approve a transaction if their approval limit is greater than * the transaction amount and if the risk is less than 5 */ Let’s take a look at this policy in XACML and ALFA © 2014 Axiomatics AB 27
A policy example, in XACML (1) <?xml version="1.0" encoding="UTF-8"?> <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).> <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0"> <xacml3:Description>Let a manager approve a transaction if their approval limit is greater than the transaction amount and if the risk is less than 5</xacml3:Description> <xacml3:PolicyDefaults> <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion> </xacml3:PolicyDefaults> <xacml3:Target> <xacml3:AnyOf> <xacml3:AllOf> <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue> <xacml3:AttributeDesignator AttributeId="userRole" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" /> </xacml3:Match> <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml3:AttributeValue> <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false" /> © 2014 Axiomatics AB 28
A policy example, in XACML (2) </xacml3:Match> <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transaction</xacml3:AttributeValue> <xacml3:AttributeDesignator AttributeId="resourceType" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" /> </xacml3:Match> </xacml3:AllOf> </xacml3:AnyOf> </xacml3:Target> <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction.allowIfLowRiskScore"> <xacml3:Description /> <xacml3:Target /> <xacml3:Condition> <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than"/> <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">5.0</xacml3:AttributeValue> <xacml3:AttributeDesignator AttributeId="transactionRiskScore" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" /> © 2014 Axiomatics AB 29
A policy example, in XACML (3) </xacml3:Apply> <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any"> <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal"/> <xacml3:AttributeDesignator AttributeId="transactionAmount" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" /> <xacml3:AttributeDesignator AttributeId="userApprovalLimit" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" /> </xacml3:Apply> </xacml3:Apply> </xacml3:Condition> </xacml3:Rule> </xacml3:Policy> © 2014 Axiomatics AB 30
A policy example, in ALFA policy allowTransaction{ target clause userRole=="manager" and actionId=="approve" and resType=="transaction" apply firstApplicable rule allowIfLowRiskScore{ condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit) permit } } © 2014 Axiomatics AB 31
OAuth  &  XACML?   Further  simplification  of  XACML?   Prognostications © 2014 Axiomatics AB 32
How  can  OAuth  and  XACML  complement  each  other?   §  OAuth: popular authZ mechanism for API security and consumer scenarios §  Missing from OAuth: declarative policy language © 2014 Axiomatics AB 33 §  XACML policies were used to control scopes for OAuth tokens What  if?  
Easy  consumption  of  JWT  tokens  for  advanced  authorization   via  XACML-­‐based  service   © 2014 Axiomatics AB 34 {"subject": {"attribute":[{ "attributeId":"username", "value":"alice"}]}, "resource": {"attribute":[{ "attributeId":"resource-id", "value":"hello"}]}, "action": {"attribute":[{ "attributeId":"action-id", "value":"say"}]}} JWT
On  the  further  simplification  of  XACML     §  REST and JSON profiles greatly simplify the developer experience §  See David Brossard’s workshop material from Sunday §  But what about the policy language? © 2014 Axiomatics AB 35
© 2014 Axiomatics AB 36 SCIM + XACML
Questions?   Thank you for listening

Recommandé

XACML - XML Amsterdam2011
XACML - XML Amsterdam2011XACML - XML Amsterdam2011
XACML - XML Amsterdam2011Ray Sinnema
 
New Features for Building Powerful Containerized Microservices on AWS - AWS O...
New Features for Building Powerful Containerized Microservices on AWS - AWS O...New Features for Building Powerful Containerized Microservices on AWS - AWS O...
New Features for Building Powerful Containerized Microservices on AWS - AWS O...Amazon Web Services
 
Restful Services
Restful ServicesRestful Services
Restful ServicesSHAKIL AKHTAR
 
Accelerate Database Migration to AWS with DB Best
Accelerate Database Migration to AWS with DB Best Accelerate Database Migration to AWS with DB Best
Accelerate Database Migration to AWS with DB BestAmazon Web Services
 
OData: Universal Data Solvent or Clunky Enterprise Goo? (GlueCon 2015)
OData: Universal Data Solvent or Clunky Enterprise Goo? (GlueCon 2015)OData: Universal Data Solvent or Clunky Enterprise Goo? (GlueCon 2015)
OData: Universal Data Solvent or Clunky Enterprise Goo? (GlueCon 2015)Pat Patterson
 
How Cardknox Migrated 1M+ Sensitive Records to AWS
How Cardknox Migrated 1M+ Sensitive Records to AWS How Cardknox Migrated 1M+ Sensitive Records to AWS
How Cardknox Migrated 1M+ Sensitive Records to AWSAmazon Web Services
 
An Agile Approach to Cloud Adoption_AWSPSSummit_Singapore
An Agile Approach to Cloud Adoption_AWSPSSummit_SingaporeAn Agile Approach to Cloud Adoption_AWSPSSummit_Singapore
An Agile Approach to Cloud Adoption_AWSPSSummit_SingaporeAmazon Web Services
 
[NEW LAUNCH!] Building modern applications using Amazon DynamoDB transactions...
[NEW LAUNCH!] Building modern applications using Amazon DynamoDB transactions...[NEW LAUNCH!] Building modern applications using Amazon DynamoDB transactions...
[NEW LAUNCH!] Building modern applications using Amazon DynamoDB transactions...Amazon Web Services
 

Recommandé

XACML - XML Amsterdam2011
XACML - XML Amsterdam2011XACML - XML Amsterdam2011
XACML - XML Amsterdam2011Ray Sinnema
 
New Features for Building Powerful Containerized Microservices on AWS - AWS O...
New Features for Building Powerful Containerized Microservices on AWS - AWS O...New Features for Building Powerful Containerized Microservices on AWS - AWS O...
New Features for Building Powerful Containerized Microservices on AWS - AWS O...Amazon Web Services
 
Restful Services
Restful ServicesRestful Services
Restful ServicesSHAKIL AKHTAR
 
Accelerate Database Migration to AWS with DB Best
Accelerate Database Migration to AWS with DB Best Accelerate Database Migration to AWS with DB Best
Accelerate Database Migration to AWS with DB BestAmazon Web Services
 
OData: Universal Data Solvent or Clunky Enterprise Goo? (GlueCon 2015)
OData: Universal Data Solvent or Clunky Enterprise Goo? (GlueCon 2015)OData: Universal Data Solvent or Clunky Enterprise Goo? (GlueCon 2015)
OData: Universal Data Solvent or Clunky Enterprise Goo? (GlueCon 2015)Pat Patterson
 
How Cardknox Migrated 1M+ Sensitive Records to AWS
How Cardknox Migrated 1M+ Sensitive Records to AWS How Cardknox Migrated 1M+ Sensitive Records to AWS
How Cardknox Migrated 1M+ Sensitive Records to AWSAmazon Web Services
 
An Agile Approach to Cloud Adoption_AWSPSSummit_Singapore
An Agile Approach to Cloud Adoption_AWSPSSummit_SingaporeAn Agile Approach to Cloud Adoption_AWSPSSummit_Singapore
An Agile Approach to Cloud Adoption_AWSPSSummit_SingaporeAmazon Web Services
 
[NEW LAUNCH!] Building modern applications using Amazon DynamoDB transactions...
[NEW LAUNCH!] Building modern applications using Amazon DynamoDB transactions...[NEW LAUNCH!] Building modern applications using Amazon DynamoDB transactions...
[NEW LAUNCH!] Building modern applications using Amazon DynamoDB transactions...Amazon Web Services
 
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Amazon Web Services
 
AppSync and GraphQL on iOS
AppSync and GraphQL on iOSAppSync and GraphQL on iOS
AppSync and GraphQL on iOSAmazon Web Services
 
Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018
Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018
Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018Amazon Web Services
 
Viadeo - The Kasper way
Viadeo - The Kasper wayViadeo - The Kasper way
Viadeo - The Kasper wayLoïc Dias Da Silva
 
OData: A Standard API for Data Access
OData: A Standard API for Data AccessOData: A Standard API for Data Access
OData: A Standard API for Data AccessPat Patterson
 
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...Amazon Web Services
 
Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018
Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018
Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018Amazon Web Services
 
The Real AWS Migration Opportunity
The Real AWS Migration OpportunityThe Real AWS Migration Opportunity
The Real AWS Migration OpportunityAmazon Web Services
 
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...Amazon Web Services
 
SAP ODATA Overview & Guidelines
SAP ODATA Overview & GuidelinesSAP ODATA Overview & Guidelines
SAP ODATA Overview & GuidelinesAshish Saxena
 
ENT206 Product Development in the Cloud
ENT206 Product Development in the CloudENT206 Product Development in the Cloud
ENT206 Product Development in the CloudAmazon Web Services
 
Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018
Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018
Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018Amazon Web Services
 
How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...
How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...
How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...Amazon Web Services
 
How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...
How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...
How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...Amazon Web Services
 
Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...
Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...
Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...Amazon Web Services
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...
Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...
Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...Amazon Web Services
 
SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...
SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...
SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...Amazon Web Services
 
ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...
ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...
ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...Amazon Web Services
 
5 Years Of Building SaaS On AWS
5 Years Of Building SaaS On AWS5 Years Of Building SaaS On AWS
5 Years Of Building SaaS On AWSChristian Beedgen
 
Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...
Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...
Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...Amazon Web Services
 
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...ggebel
 
Axiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 sharedAxiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 sharedFinn Frisch
 

Contenu connexe

Tendances

Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Amazon Web Services
 
Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018
Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018
Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018Amazon Web Services
 
OData: A Standard API for Data Access
OData: A Standard API for Data AccessOData: A Standard API for Data Access
OData: A Standard API for Data AccessPat Patterson
 
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...Amazon Web Services
 
Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018
Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018
Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018Amazon Web Services
 
The Real AWS Migration Opportunity
The Real AWS Migration OpportunityThe Real AWS Migration Opportunity
The Real AWS Migration OpportunityAmazon Web Services
 
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...Amazon Web Services
 
SAP ODATA Overview & Guidelines
SAP ODATA Overview & GuidelinesSAP ODATA Overview & Guidelines
SAP ODATA Overview & GuidelinesAshish Saxena
 
ENT206 Product Development in the Cloud
ENT206 Product Development in the CloudENT206 Product Development in the Cloud
ENT206 Product Development in the CloudAmazon Web Services
 
Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018
Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018
Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018Amazon Web Services
 
How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...
How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...
How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...Amazon Web Services
 
How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...
How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...
How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...Amazon Web Services
 
Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...
Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...
Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...Amazon Web Services
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...
Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...
Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...Amazon Web Services
 
SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...
SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...
SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...Amazon Web Services
 
ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...
ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...
ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...Amazon Web Services
 
5 Years Of Building SaaS On AWS
5 Years Of Building SaaS On AWS5 Years Of Building SaaS On AWS
5 Years Of Building SaaS On AWSChristian Beedgen
 
Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...
Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...
Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...Amazon Web Services
 

Tendances (20)

Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
 
AppSync and GraphQL on iOS
AppSync and GraphQL on iOSAppSync and GraphQL on iOS
AppSync and GraphQL on iOS
 
Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018
Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018
Getting Started on Your AWS Migration Journey - AWS Summit Sydney 2018
 
Viadeo - The Kasper way
Viadeo - The Kasper wayViadeo - The Kasper way
Viadeo - The Kasper way
 
OData: A Standard API for Data Access
OData: A Standard API for Data AccessOData: A Standard API for Data Access
OData: A Standard API for Data Access
 
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
Streamlining Application Development with AWS Service Catalog (DEV328) - AWS ...
 
Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018
Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018
Develop Integrations for Salesforce and AWS (API320) - AWS re:Invent 2018
 
The Real AWS Migration Opportunity
The Real AWS Migration OpportunityThe Real AWS Migration Opportunity
The Real AWS Migration Opportunity
 
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
Proven Methodologies for Accelerating Your Cloud Journey (ENT308-S) - AWS re:...
 
SAP ODATA Overview & Guidelines
SAP ODATA Overview & GuidelinesSAP ODATA Overview & Guidelines
SAP ODATA Overview & Guidelines
 
ENT206 Product Development in the Cloud
ENT206 Product Development in the CloudENT206 Product Development in the Cloud
ENT206 Product Development in the Cloud
 
Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018
Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018
Architecting for GxP Compliance in Life Sciences (LFS316) - AWS re:Invent 2018
 
How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...
How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...
How to Migrate SAP Applications to AWS While Maintaining Compliance with AWS ...
 
How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...
How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...
How Amazon.com Migrates Inventory Management Systems (DAT346) - AWS re:Invent...
 
Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...
Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...
Securing SaaS/Web and Windows Apps in a Hybrid Cloud World (SEC314-S) - AWS r...
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...
Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...
Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-...
 
SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...
SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...
SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPS...
 
ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...
ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...
ENT202 Breaking Barriers: Move Enterprise SAP Customers to SAP HANA on AWS in...
 
5 Years Of Building SaaS On AWS
5 Years Of Building SaaS On AWS5 Years Of Building SaaS On AWS
5 Years Of Building SaaS On AWS
 
Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...
Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...
Discover & Migrate at Scale with AWS Migration Hub & Application Discovery Se...
 

Similaire à CIS14: The Very Latest in Authorization Standards

Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...ggebel
 
Axiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 sharedAxiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 sharedFinn Frisch
 
Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...David Brossard
 
Authorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleAuthorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleNordic APIs
 
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...Amazon Web Services
 
Building a SaaS using WSO2 Stratos
Building a SaaS using WSO2 StratosBuilding a SaaS using WSO2 Stratos
Building a SaaS using WSO2 StratosWSO2
 
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...David Brossard
 
Authorization - it's not just about who you are
Authorization - it's not just about who you areAuthorization - it's not just about who you are
Authorization - it's not just about who you areDavid Brossard
 
AWS Enterprise Summit Netherlands - Creating a Landing Zone
AWS Enterprise Summit Netherlands - Creating a Landing ZoneAWS Enterprise Summit Netherlands - Creating a Landing Zone
AWS Enterprise Summit Netherlands - Creating a Landing ZoneAmazon Web Services
 
Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...David Brossard
 
Preparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom DomainsPreparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom DomainsAtlassian
 
Hands-On Lab: Improve large network visibility and operational efficiency wit...
Hands-On Lab: Improve large network visibility and operational efficiency wit...Hands-On Lab: Improve large network visibility and operational efficiency wit...
Hands-On Lab: Improve large network visibility and operational efficiency wit...CA Technologies
 
Avere & AWS Enterprise Solution with Special Bundle Pricing Offer
Avere & AWS Enterprise Solution with Special Bundle Pricing OfferAvere & AWS Enterprise Solution with Special Bundle Pricing Offer
Avere & AWS Enterprise Solution with Special Bundle Pricing OfferAvere Systems
 
AWS Marketplace on Reaching Enterprises
AWS Marketplace on Reaching EnterprisesAWS Marketplace on Reaching Enterprises
AWS Marketplace on Reaching EnterprisesAmazon Web Services
 
Top Ten Reasons Why Developers Don't Adopt ABAC
Top Ten Reasons Why Developers Don't Adopt ABACTop Ten Reasons Why Developers Don't Adopt ABAC
Top Ten Reasons Why Developers Don't Adopt ABACForgeRock
 
Best Practices for API Design to Keep Your App Secure, Scalable & Efficient
Best Practices for API Design to Keep Your App Secure, Scalable & EfficientBest Practices for API Design to Keep Your App Secure, Scalable & Efficient
Best Practices for API Design to Keep Your App Secure, Scalable & EfficientNordic APIs
 
GPSTEC309-SaaS Monitoring Creating a Unified View of Multitenant Health featu...
GPSTEC309-SaaS Monitoring Creating a Unified View of Multitenant Health featu...GPSTEC309-SaaS Monitoring Creating a Unified View of Multitenant Health featu...
GPSTEC309-SaaS Monitoring Creating a Unified View of Multitenant Health featu...Amazon Web Services
 

Similaire à CIS14: The Very Latest in Authorization Standards (20)

Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
 
Axiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 sharedAxiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 shared
 
Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...
 
Authorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleAuthorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the Puzzle
 
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
How Can I Build a Landing Zone & Extend my Operations into AWS to Support my ...
 
Building a SaaS using WSO2 Stratos
Building a SaaS using WSO2 StratosBuilding a SaaS using WSO2 Stratos
Building a SaaS using WSO2 Stratos
 
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
 
Authorization - it's not just about who you are
Authorization - it's not just about who you areAuthorization - it's not just about who you are
Authorization - it's not just about who you are
 
AWS Enterprise Summit Netherlands - Creating a Landing Zone
AWS Enterprise Summit Netherlands - Creating a Landing ZoneAWS Enterprise Summit Netherlands - Creating a Landing Zone
AWS Enterprise Summit Netherlands - Creating a Landing Zone
 
AWS Summit Auckland Keynote
AWS Summit Auckland KeynoteAWS Summit Auckland Keynote
AWS Summit Auckland Keynote
 
Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...
 
Preparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom DomainsPreparing for Data Residency and Custom Domains
Preparing for Data Residency and Custom Domains
 
Hands-On Lab: Improve large network visibility and operational efficiency wit...
Hands-On Lab: Improve large network visibility and operational efficiency wit...Hands-On Lab: Improve large network visibility and operational efficiency wit...
Hands-On Lab: Improve large network visibility and operational efficiency wit...
 
Application Migrations
Application MigrationsApplication Migrations
Application Migrations
 
Exploring the Salesforce REST API
Exploring the Salesforce REST APIExploring the Salesforce REST API
Exploring the Salesforce REST API
 
Avere & AWS Enterprise Solution with Special Bundle Pricing Offer
Avere & AWS Enterprise Solution with Special Bundle Pricing OfferAvere & AWS Enterprise Solution with Special Bundle Pricing Offer
Avere & AWS Enterprise Solution with Special Bundle Pricing Offer
 
AWS Marketplace on Reaching Enterprises
AWS Marketplace on Reaching EnterprisesAWS Marketplace on Reaching Enterprises
AWS Marketplace on Reaching Enterprises
 
Top Ten Reasons Why Developers Don't Adopt ABAC
Top Ten Reasons Why Developers Don't Adopt ABACTop Ten Reasons Why Developers Don't Adopt ABAC
Top Ten Reasons Why Developers Don't Adopt ABAC
 
Best Practices for API Design to Keep Your App Secure, Scalable & Efficient
Best Practices for API Design to Keep Your App Secure, Scalable & EfficientBest Practices for API Design to Keep Your App Secure, Scalable & Efficient
Best Practices for API Design to Keep Your App Secure, Scalable & Efficient
 
GPSTEC309-SaaS Monitoring Creating a Unified View of Multitenant Health featu...
GPSTEC309-SaaS Monitoring Creating a Unified View of Multitenant Health featu...GPSTEC309-SaaS Monitoring Creating a Unified View of Multitenant Health featu...
GPSTEC309-SaaS Monitoring Creating a Unified View of Multitenant Health featu...
 

Plus de CloudIDSummit

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content HighlightsCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 

Plus de CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Dernier

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Dernier (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

CIS14: The Very Latest in Authorization Standards

  • 1. The  Very  Latest  in  Authorization   Standards  and  Trends   Cloud Identity Summit - 2014 Gerry Gebel Axiomatics gerry@axiomatics.com @ggebel © 2014 Axiomatics AB 1
  • 2. Preamble   Authorization v.Next Cloud Identity Summit 2014 © 2014 Axiomatics AB 2
  • 5. © 2014 Axiomatics AB 5 Having a policy language is a key differentiator for ABAC/XACML
  • 6. © 2014 Axiomatics AB 6 OAuth UMA JWT XACML Finding the right combination
  • 7. Agenda   §  Business trends that are influencing authorization requirements §  Externalized Authorization and ABAC §  Standards update §  JSON, REST, ALFA and more §  Prognostications Cloud Identity Summit 2014 © 2014 Axiomatics AB 7
  • 8. Business  Trends  &  AuthZ   Cloud Identity Summit 2014 © 2014 Axiomatics AB 8
  • 10. © 2014 Axiomatics AB 10 Next generation information security = dynamic authorization = attribute based access control
  • 11. Legacy  access  controls  fail  in   dynamic  environments     © 2014 Axiomatics AB 11 ABAC  thrives  in  dynamic   environments
  • 12. © 2014 Axiomatics AB 12 Who WhatSensitive / business critical Information Grant or deny access based on the following attributes When Where Why How
  • 13. © 2014 Axiomatics AB 13 By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today. “ ” Gartner Predicts, March 2014
  • 14. Externalized  Authorization     and  ABAC   Cloud Identity Summit 2014 © 2014 Axiomatics AB 14
  • 15. NIST  Special  Pub  800-­‐162  *   §  “[ABAC] flexibility provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object” © 2014 Axiomatics AB 15 * nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
  • 16. Example  from  NIST  report   §  Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients §  Variables in the policy language enable very efficient policy structures – reducing the maintenance load §  Management of heart patient records is part of the business application – not an IT function §  Multiple attributes must be available for policy evaluation – either as part of the access request or retrieved from an authoritative source © 2014 Axiomatics AB 16
  • 17. NIST  example  -­‐  expanded   §  Nurse Practitioners can View the Records of Patients in the same Department they are assigned to §  This rule can apply to all departments in the hospital §  Add a new department or change names of department and the rule does not change §  Rule compares department of the Nurse Practitioner to the department of the Patient §  Avoids the role explosion effect of RBAC models © 2014 Axiomatics AB 17
  • 18. Applying ABAC to every layer of your application ADAF © 2014 Axiomatics AB 18
  • 19. REST,  JSON,  &  ALFA   What’s new on the XACML standards front? © 2014 Axiomatics AB 19
  • 20. §  Profiles add functionality §  REST §  JSON §  Export Control §  IP Protection §  Hierarchal Resources §  Etc. What’s in the XACML standard XACML Reference Architecture Policy Language Request / Response Protocol © 2014 Axiomatics AB 20
  • 21. The Request/Response format •  Subject User id = Alice Role = Manager •  Action Action id = approve •  Resource Resource type = Purchase Order PO #= 12367 •  Environment Device Type = Laptop XACML Request Can Manager Alice approve Purchase Order 12367? XACML Response Yes, she can •  Result Decision: Permit Status: ok © 2014 Axiomatics AB 21
  • 22. XML encoding of an authZ request <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml- ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml- ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" > </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml- ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml- ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> </xacml-ctx:Request> Can Alice Say Hello? © 2014 Axiomatics AB 22
  • 23. JSON encoding of an authZ request {"subject": {"attribute":[{ "attributeId":"username", "value":"alice"}]}, "resource": {"attribute":[{ "attributeId":"resource-id", "value":"hello"}]}, "action": {"attribute":[{ "attributeId":"action-id", "value":"say"}]}} © 2014 Axiomatics AB 23
  • 24. JSON vs. XML 0 10 20 30 40 50 Word count XML JSON 0 200 400 600 800 1000 1200 1400 Char. Count XML JSON Size of a XACML request © 2014 Axiomatics AB 24
  • 25. REST  Profile   XML over HTTP XML over HTTP JSON over HTTP JSON over HTTP © 2014 Axiomatics AB 25
  • 26. ALFA  –  Abbreviated  Language  for  Authorization   §  Domain Specific Language (DSL) that provides an abstraction over XACML §  Pseudo language is similar to C# or Java §  Author policies in Eclipse IDE, plug in automatically generates XACML © 2014 Axiomatics AB 26 Axiomatics has committed to submit ALFA as an XACML profile
  • 27. A policy example, in English /** * A manager can approve a transaction if their approval limit is greater than * the transaction amount and if the risk is less than 5 */ Let’s take a look at this policy in XACML and ALFA © 2014 Axiomatics AB 27
  • 28. A policy example, in XACML (1) <?xml version="1.0" encoding="UTF-8"?> <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).> <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0"> <xacml3:Description>Let a manager approve a transaction if their approval limit is greater than the transaction amount and if the risk is less than 5</xacml3:Description> <xacml3:PolicyDefaults> <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion> </xacml3:PolicyDefaults> <xacml3:Target> <xacml3:AnyOf> <xacml3:AllOf> <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue> <xacml3:AttributeDesignator AttributeId="userRole" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" /> </xacml3:Match> <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml3:AttributeValue> <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false" /> © 2014 Axiomatics AB 28
  • 29. A policy example, in XACML (2) </xacml3:Match> <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transaction</xacml3:AttributeValue> <xacml3:AttributeDesignator AttributeId="resourceType" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" /> </xacml3:Match> </xacml3:AllOf> </xacml3:AnyOf> </xacml3:Target> <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction.allowIfLowRiskScore"> <xacml3:Description /> <xacml3:Target /> <xacml3:Condition> <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than"/> <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">5.0</xacml3:AttributeValue> <xacml3:AttributeDesignator AttributeId="transactionRiskScore" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" /> © 2014 Axiomatics AB 29
  • 30. A policy example, in XACML (3) </xacml3:Apply> <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any"> <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal"/> <xacml3:AttributeDesignator AttributeId="transactionAmount" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" /> <xacml3:AttributeDesignator AttributeId="userApprovalLimit" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" /> </xacml3:Apply> </xacml3:Apply> </xacml3:Condition> </xacml3:Rule> </xacml3:Policy> © 2014 Axiomatics AB 30
  • 31. A policy example, in ALFA policy allowTransaction{ target clause userRole=="manager" and actionId=="approve" and resType=="transaction" apply firstApplicable rule allowIfLowRiskScore{ condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit) permit } } © 2014 Axiomatics AB 31
  • 32. OAuth  &  XACML?   Further  simplification  of  XACML?   Prognostications © 2014 Axiomatics AB 32
  • 33. How  can  OAuth  and  XACML  complement  each  other?   §  OAuth: popular authZ mechanism for API security and consumer scenarios §  Missing from OAuth: declarative policy language © 2014 Axiomatics AB 33 §  XACML policies were used to control scopes for OAuth tokens What  if?  
  • 34. Easy  consumption  of  JWT  tokens  for  advanced  authorization   via  XACML-­‐based  service   © 2014 Axiomatics AB 34 {"subject": {"attribute":[{ "attributeId":"username", "value":"alice"}]}, "resource": {"attribute":[{ "attributeId":"resource-id", "value":"hello"}]}, "action": {"attribute":[{ "attributeId":"action-id", "value":"say"}]}} JWT
  • 35. On  the  further  simplification  of  XACML     §  REST and JSON profiles greatly simplify the developer experience §  See David Brossard’s workshop material from Sunday §  But what about the policy language? © 2014 Axiomatics AB 35
  • 36. © 2014 Axiomatics AB 36 SCIM + XACML
  • 37. Questions?   Thank you for listening