2. Please note:
• IBM’s statements regarding its plans, directions, and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline
our general product direction and it should not be relied on in making a
purchasing decision.
• The information mentioned regarding potential future products is not a
commitment, promise, or legal obligation to deliver any material, code or
functionality. Information about potential future products may not be
incorporated into any contract. The development, release, and timing of
any future features or functionality described for our products remains at
our sole discretion.
• Performance is based on measurements and projections using standard
IBM benchmarks in a controlled environment. The actual throughput or
performance that any user will experience will vary depending upon
many factors, including considerations such as the amount of
3. Agenda
• Changing business environment
• Solution Approach
• Access using Context
• Patterns of Enforcement
• Use Cases
4. Changing Business Environment
The business environment is changing in three major ways:
Mobile:
BYOD, untrusted locations/networks, devices easily lost or stolen.
Cloud:
Services and infrastructure are being hosted in the cloud.
Social:
Users are no longer connecting in one way: multiple personas, data leakage prevention, relationship data, targeted marketing.
6. Solution Approach
• Traditional access control environments use static credential details like group and role membership and extended profile attributes to make a policy decision.
• Using context (device, environment, identity, resource, and behavioral patterns) takes it to the next level.
[Diagram with the labels Context, Risk?, Gateway and Resource: the gateway evaluates context to assess risk before granting access to the resource]
• Risk-based access complements the existing traditional access control by using contextual elements to allow for a more dynamic policy decision.
9. Access using Context
• The following are the five main context sources:
Endpoints:
Devices expose various unique attributes that together form a device fingerprint: screen depth/resolution, fonts, OS, browser, browser plug-ins, TCP timings.
Identity:
Groups, roles, credential attributes, organization, ancestry (parents, siblings, grandparents).
Environment:
Geographic location, network, local time, catastrophic event, etc.
Resource / Action:
The application being requested and what is being done with it.
Behavior:
Analytics of the user's historical and current resource usage: user activity monitoring, specific business activity monitoring.
11. Patterns of Enforcement
• The following are common patterns of enforcement:
Intermediary-level integration:
Web security gateways, XML firewalls, web services gateways, Enterprise Service Bus, Business Process Management, HTTP proxy.
Container-level integration:
J2EE, .NET, portals (e.g. SharePoint, WebSphere Portal). Enforcement is done at the container level, without modifying the application.
Application-level integration:
JACC, XACML/SOAP. The application is modified to call standards-based decision engines.
13. Use Cases
• There are many use cases; here are some common ones:
B2E:
With BYOD and employees connecting from anywhere to many enterprise business applications, context-based access control becomes a must. Knowing which devices are registered to which users, and which locations and networks are considered 'trusted', is vital to knowing the level of risk of the current transaction.
B2C (remove barriers of entry):
Providing protection without creating unnecessary barriers of entry. Strong authentication is important but can frustrate end users. Completing a risk assessment on the transaction can decrease the need to further authenticate the end user.
B2C / B2B / B2E (strong authentication may not be sufficient):
Using context as input to an authorization decision is a step further than just stronger authentication.
Mobile: BYOD means Bring Your Own Device. Cloud: services are being hosted in the cloud. Social: you may want to stop certain things, limit data from certain social events, or limit access.
When, where and who are important. Examples: a user is located in Austin, but the local time is 2am and they usually use the system at 10am on Fridays. A user was located in Chicago just 10 minutes ago and is now in Moscow.
How do you get context information? Client HTTP headers, client-side JavaScript, client-side Flash, client-side plug-ins, DP (PIP) call-outs to databases and business applications.
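As an added example (not from the deck and not IBM code), a small Python risk engine that scores the context sources listed on the "Access using Context" slide and acts on the two speaker-note examples: the 2am login from Austin and the Chicago-to-Moscow hop ten minutes apart. The device registry, trusted networks, usual-hours baseline, weights and thresholds are all constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple
# Constructed stand-ins for the deck's context sources (not IBM data):
REGISTERED_DEVICES = {"alice": {"fp-7c1e"}}   # endpoint: device fingerprint
TRUSTED_NETWORKS = {"corp-lan", "corp-vpn"}    # environment: network
USUAL_HOURS = {"alice": set(range(8, 19))}     # behavior: historical usage hours
MAX_PLAUSIBLE_KMH = 1000                       # faster than this = impossible travel

@dataclass
class Context:
    user: str
    device_fp: str
    network: str
    lat: float
    lon: float
    local_hour: int
    sensitivity: str = "low"                        # resource: "low" or "high"
    last_pos: Optional[Tuple[float, float]] = None  # previous session location
    minutes_since_last: Optional[float] = None

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(ctx: Context) -> bool:
    """True when the hop from the last known location implies an implausible speed."""
    if ctx.last_pos is None or ctx.minutes_since_last is None: return False
    hours = max(ctx.minutes_since_last, 1) / 60   # sub-minute gaps count as one minute
    return haversine_km(*ctx.last_pos, ctx.lat, ctx.lon) / hours > MAX_PLAUSIBLE_KMH

def risk_score(ctx: Context) -> Tuple[int, List[str]]:
    """Add up the weight of every context signal that fired, keeping the reasons."""
    checks = [
        (ctx.device_fp not in REGISTERED_DEVICES.get(ctx.user, set()), 30, "unregistered device"),
        (ctx.network not in TRUSTED_NETWORKS, 20, "untrusted network"),
        (ctx.local_hour not in USUAL_HOURS.get(ctx.user, set()), 20, "outside usual hours"),
        (impossible_travel(ctx), 50, "impossible travel"),
    ]
    hits = [(w, why) for fired, w, why in checks if fired]
    return sum(w for w, _ in hits), [why for _, why in hits]

def decide(ctx: Context) -> Tuple[str, List[str]]:
    """Map the score to allow / step-up / deny; a sensitive resource lowers both cut-offs."""
    score, reasons = risk_score(ctx)
    deny_at, step_up_at = (50, 20) if ctx.sensitivity == "high" else (70, 40)
    verdict = "deny" if score >= deny_at else "step-up" if score >= step_up_at else "allow"
    return verdict, reasons
```

The same off-hours login is allowed against a low-sensitivity resource but triggers step-up authentication against a high-sensitivity one, which is the B2C point above: only add friction when the assessed risk warrants it.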