Next generation access controls
•
2 likes•1,573 views
Presentation från GRC 2016 den 19 maj. Kontakta gärna talaren om du har några frågor.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Next generation access controls
Similar to Next generation access controls (20)
More from Transcendent Group
More from Transcendent Group (18)
Recently uploaded
Recently uploaded (20)
Next generation access controls
- 1. Next Generation Access Control Urban Söderström
- 2. © Axiomatics 2016 2 Access Control is as easy as in the Middle Ages Only 2 options: • Store data safely & • control access • Make data unusable
- 3. © Axiomatics 2016 3 But internal and external requirements makes the picture much more complex ….. And the outside world where data is used ….. has changed How ? Collaboration Regulatory Compliance and Governance New business & mobile- driven interactions Time-to-market
- 4. © Axiomatics 2016 4 1) Diligent 24 x 7 cyber crime professionals around • Ransome ware for bitcoins • Advanced Persistent Threat • Spearfishing • National surveillance breaches Night and day working on their Continuing Professional Education
- 5. © Axiomatics 2016 5 2) Population of computer users has changed Expert engineers But also • Your grandma • Your todler • Your malware • Your fridge • ……… Everyone is a user With digital identity
- 6. © Axiomatics 2016 6 3) Identity ontology for every individual My ID as a…. Customer Supplier Partner Private user Administrator Anonymous user Machine Fraudster, mule Identity Federation E-ID E-Citizenship Mobil-ID Bank-ID …….
- 7. © Axiomatics 2016 7 4) Rapid evolving usability requirements – “seven any” Any one Any time Any where Any device Any networg Any app Across any value chain Easy and fast
- 8. © Axiomatics 2016 8 5) Purpose of data use has changed Internet of Things E-Municipality E-Government Smart cities Mobility Environment Commodities Medical Safety Living Drone delivery Robot distribution Physical surveillance
- 9. © Axiomatics 2016 9 6) Globalisation & data correlation Connectivity across Datasets Applications “Things” Value chains Companies Continents Jurisdictions Platforms Devices Clouds API´s interoperability
- 10. © Axiomatics 2016 10 7) Big data analytics Visual data discovery Automated decision-making 70% of large organizations Purchase external data 100% by 2019 (Forbes) 180.000 data analysts in US 2018 E.g. fraud detection Well combined with physical security tools This requires Access Management BaaS = Back-end of IoT as a service
- 11. © Axiomatics 2016 11 8) Increased control, legislation & regulation Data protection - GDPR 1) Consistency across European Union 1) One-stop-shop for citizens and business 2) Scope: service providers outside Europe delivering EU services 3) Right to be forgotten-Right to erasure: 1) “Privacy by design” & “privacy by default” 2) Right to be forgotten also applicable to third parties 4) Notification of breach mandatory 1) High fines 5) Payment Services Directive II 1) Mandatory to share customers profiles and data with 3rd parties 2) On request (with customers consent & still adhering to the 3) data protecting regulation)
- 12. © Axiomatics 2016 12 Responding to all trends with old school static IAM ? Transaction request Authorisation Entitlements For the ID Assets + data authentication Identity + properties Password Token PIN Biometric Multifactor Behaviour
- 13. © Axioma)cs 2016 13 By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets “ 70% ” Gartner, 2013 NO ! - Dynamic and fine-grained IAM on data level required
- 14. © Axiomatics 2016 14 Application access = OUT Services, Big data, Federation = IN Access control on application level falls short RBAC is too static Security is required on the level of datasets, data subject Data Centric Security Attibute Based Access Control Transaction request
- 15. © Axiomatics 2016 15 Every single transaction request… The only thing persistent is The request for a transaction (with all its relevant properties)
- 16. © Axiomatics 2016 16 deserves an individual VIP treatment Access decision engine” • real time • context aware • rule based • customised • flexible • fine-grained access decisions
- 17. © Axioma)cs 2016 17 ⁃ Policies to protect assets / IP ⁃ Policies to prevent fraud ⁃ Policies to comply with external regulations ⁃ Policies to be more efficient ⁃ Policies to enable new business ⁃ CEOs, CIOs, CISOs, CDOs and other CXOs have responsibilities to define and implement these policies ⁃ Security and compliance are board-level issues: requires key policies in place to protect the Enterprise’s interests, IP and to safeguard their investments Modern Enterprises need to be policy-driven
- 18. © Axiomatics 2016 18 ⁃ Modern dynamic enterprises need modern dynamic authorization models to meet requirements for ease of change and centralization ⁃ Authorizations to… ⁃ Protect sensitive data ⁃ Protect critical assets ⁃ Protect critical transactions Attribute Based Access Control is the new dynamic model Access Policies
- 19. © Axiomatics 2016 19 Security everywhere Centralized Rules Management Data Layer Service Layer Process layer Presentation Layer Distributed rules enforcement
- 20. © Axiomatics 2016 20 Finegrained context aware access mmnt - building blocks user profile database identity federation trust level framework framework to manage interaction of rule sets e.g conflicting rules, hierarchy, veto, ownership rulesets in rule engines
- 21. © Axiomatics 2016 21 Attribute Based Access Control “Context Based”, or “Rule Based” Access Control: • Fine-grained • Additional authentication if reqiured (“step-up”) • Flexible – Easy access if possible, complex when required • Configuration of rules in IAM: short time-to-market (not programmed in applications) • Risk level on dataset or transaction • Trustlevel on authentication context • Immediate intervention in case of compromise (trustlevel attribute) • From RBAC to ABAC or hybrid (role is also a rule!)
- 22. © Axiomatics 2016 22 Attribute-Based Access Control A context-aware and dynamic authorization model Who? What? When? Where? Why? How?
- 23. © Axiomatics 2016 23 GDPR or PSD-2 is a opportunity to start using ABAC ⁃ DPR – GDPR requires changes in your rule and policy governance ⁃ By using ABAC you don´t have to rework your rule and policy governance in every application when changes are applied ⁃ You can include the Business in the process by using Business processes when creating new policys
- 24. © Axiomatics 2016 24 Compared to legacy RBAC models… ⁃ Permissions assigned to roles ⁃ Roles assigned to users ⁃ Applications handle access control intentionally
- 25. © Axiomatics 2016 25 Using ABAC to extend role definitions ⁃ ABAC uses attributes and policies to implement precise controls ⁃ ABAC extends roles with ⁃ Context and ⁃ Relationships ⁃ ABAC utilizes attributes of the user as well as the resource to represent relationships
- 26. © Axioma)cs 2016 26 Axiomatics provides enterprise software for access control
- 27. © Axiomatics 2016 27 Who we are… About Axiomatics... Offices in USA and Sweden Venture-backed since 2013 90% growth in 2015
- 28. © Axiomatics 2016 28 Our Customers ⁃ Fortune 500 ⁃ Government Agencies ⁃ Vertical market expertise ⁃ Financial services (banking, insurance) ⁃ Highly-regulated industries (pharmaceuticals, aerospace, automotive…) ⁃ Media companies
- 29. Success stories ⁃ Securing online payments for 200 million users ⁃ Securing exchange of clinical trial data in pharmaceutical research ⁃ Millions of transactions a day secured for one of the world’s largest banks ⁃ Protecting privacy for insurance company’s clients ⁃ Compliance with Export Control regulations for aircraft manufacturers ⁃ Copyright-protected streaming media for authorized users only ⁃ Improving speed and quality of health IT systems for veterans nationwide
- 30. © Axiomatics 2016 30 Axiomatics Solutions ⁃ Authorization for Applications ⁃ Business logic and middleware ⁃ APIs and web services ⁃ On-premise and cloud applications ⁃ Authorization for Databases ⁃ Relational databases ⁃ Big Data ⁃ Access Review on policies ⁃ Prove regulatory compliance and permissions of users or groups ⁃ Real-time review of dynamic authorization ⁃ Internal reporting and auditing needed at various levels of user ⁃ Review what your employees can do
- 31. © Axiomatics 2016 31 Structuring the Policies The Authorization Policy Lifecycle
- 32. © Axiomatics 2016 32 Deploy the architecture – Defence in Depth
- 33. © Axiomatics 2016 33 Questions?