Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

Next generation access controls

923 vues

Publié le

Presentation från GRC 2016 den 19 maj. Kontakta gärna talaren om du har några frågor.

Publié dans : Économie & finance
  • Soyez le premier à commenter

Next generation access controls

  1. 1. Next Generation Access Control Urban Söderström
  2. 2. © Axiomatics 2016 2 Access Control is as easy as in the Middle Ages Only 2 options: •  Store data safely & •  control access •  Make data unusable
  3. 3. © Axiomatics 2016 3 But internal and external requirements makes the picture much more complex ….. And the outside world where data is used ….. has changed How ? Collaboration Regulatory Compliance and Governance New business & mobile- driven interactions Time-to-market
  4. 4. © Axiomatics 2016 4 1) Diligent 24 x 7 cyber crime professionals around •  Ransome ware for bitcoins •  Advanced Persistent Threat •  Spearfishing •  National surveillance breaches Night and day working on their Continuing Professional Education
  5. 5. © Axiomatics 2016 5 2) Population of computer users has changed Expert engineers But also •  Your grandma •  Your todler •  Your malware •  Your fridge •  ……… Everyone is a user With digital identity
  6. 6. © Axiomatics 2016 6 3) Identity ontology for every individual My ID as a…. Customer Supplier Partner Private user Administrator Anonymous user Machine Fraudster, mule Identity Federation E-ID E-Citizenship Mobil-ID Bank-ID …….
  7. 7. © Axiomatics 2016 7 4) Rapid evolving usability requirements – “seven any” Any one Any time Any where Any device Any networg Any app Across any value chain Easy and fast
  8. 8. © Axiomatics 2016 8 5) Purpose of data use has changed Internet of Things E-Municipality E-Government Smart cities Mobility Environment Commodities Medical Safety Living Drone delivery Robot distribution Physical surveillance
  9. 9. © Axiomatics 2016 9 6) Globalisation & data correlation Connectivity across Datasets Applications “Things” Value chains Companies Continents Jurisdictions Platforms Devices Clouds API´s interoperability
  10. 10. © Axiomatics 2016 10 7) Big data analytics Visual data discovery Automated decision-making 70% of large organizations Purchase external data 100% by 2019 (Forbes) 180.000 data analysts in US 2018 E.g. fraud detection Well combined with physical security tools This requires Access Management BaaS = Back-end of IoT as a service
  11. 11. © Axiomatics 2016 11 8) Increased control, legislation & regulation Data protection - GDPR 1)  Consistency across European Union 1)  One-stop-shop for citizens and business 2)  Scope: service providers outside Europe delivering EU services 3)  Right to be forgotten-Right to erasure: 1)  “Privacy by design” & “privacy by default” 2)  Right to be forgotten also applicable to third parties 4)  Notification of breach mandatory 1)  High fines 5)  Payment Services Directive II 1)  Mandatory to share customers profiles and data with 3rd parties 2)  On request (with customers consent & still adhering to the 3)  data protecting regulation)
  12. 12. © Axiomatics 2016 12 Responding to all trends with old school static IAM ? Transaction request Authorisation Entitlements For the ID Assets + data authentication Identity + properties Password Token PIN Biometric Multifactor Behaviour
  13. 13. ©  Axioma)cs  2016   13   By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets “   70%   ”   Gartner, 2013 NO ! - Dynamic and fine-grained IAM on data level required
  14. 14. © Axiomatics 2016 14 Application access = OUT Services, Big data, Federation = IN Access control on application level falls short RBAC is too static Security is required on the level of datasets, data subject Data Centric Security Attibute Based Access Control Transaction request
  15. 15. © Axiomatics 2016 15 Every single transaction request… The only thing persistent is The request for a transaction (with all its relevant properties)
  16. 16. © Axiomatics 2016 16 deserves an individual VIP treatment Access decision engine” • real time • context aware • rule based • customised • flexible • fine-grained access decisions
  17. 17. ©  Axioma)cs  2016   17   ⁃  Policies to protect assets / IP ⁃  Policies to prevent fraud ⁃  Policies to comply with external regulations ⁃  Policies to be more efficient ⁃  Policies to enable new business ⁃  CEOs, CIOs, CISOs, CDOs and other CXOs have responsibilities to define and implement these policies ⁃  Security and compliance are board-level issues: requires key policies in place to protect the Enterprise’s interests, IP and to safeguard their investments Modern Enterprises need to be policy-driven
  18. 18. © Axiomatics 2016 18 ⁃  Modern dynamic enterprises need modern dynamic authorization models to meet requirements for ease of change and centralization ⁃  Authorizations to… ⁃  Protect sensitive data ⁃  Protect critical assets ⁃  Protect critical transactions Attribute Based Access Control is the new dynamic model Access Policies
  19. 19. © Axiomatics 2016 19 Security everywhere Centralized Rules Management Data Layer Service Layer Process layer Presentation Layer Distributed rules enforcement
  20. 20. © Axiomatics 2016 20 Finegrained context aware access mmnt - building blocks user profile database identity federation trust level framework framework to manage interaction of rule sets e.g conflicting rules, hierarchy, veto, ownership rulesets in rule engines
  21. 21. © Axiomatics 2016 21 Attribute Based Access Control “Context Based”, or “Rule Based” Access Control: • Fine-grained • Additional authentication if reqiured (“step-up”) • Flexible – Easy access if possible, complex when required • Configuration of rules in IAM: short time-to-market (not programmed in applications) • Risk level on dataset or transaction • Trustlevel on authentication context • Immediate intervention in case of compromise (trustlevel attribute) • From RBAC to ABAC or hybrid (role is also a rule!)
  22. 22. © Axiomatics 2016 22 Attribute-Based Access Control A context-aware and dynamic authorization model Who? What? When? Where? Why? How?
  23. 23. © Axiomatics 2016 23 GDPR or PSD-2 is a opportunity to start using ABAC ⁃  DPR – GDPR requires changes in your rule and policy governance ⁃  By using ABAC you don´t have to rework your rule and policy governance in every application when changes are applied ⁃  You can include the Business in the process by using Business processes when creating new policys
  24. 24. © Axiomatics 2016 24 Compared to legacy RBAC models… ⁃  Permissions assigned to roles ⁃  Roles assigned to users ⁃  Applications handle access control intentionally
  25. 25. © Axiomatics 2016 25 Using ABAC to extend role definitions ⁃  ABAC uses attributes and policies to implement precise controls ⁃  ABAC extends roles with ⁃  Context and ⁃  Relationships ⁃  ABAC utilizes attributes of the user as well as the resource to represent relationships
  26. 26. ©  Axioma)cs  2016   26   Axiomatics provides enterprise software for access control
  27. 27. © Axiomatics 2016 27 Who we are… About Axiomatics... Offices in USA and Sweden Venture-backed since 2013 90% growth in 2015
  28. 28. © Axiomatics 2016 28 Our Customers ⁃  Fortune 500 ⁃  Government Agencies ⁃  Vertical market expertise ⁃  Financial services (banking, insurance) ⁃  Highly-regulated industries (pharmaceuticals, aerospace, automotive…) ⁃  Media companies
  29. 29. Success stories ⁃  Securing online payments for 200 million users ⁃  Securing exchange of clinical trial data in pharmaceutical research ⁃  Millions of transactions a day secured for one of the world’s largest banks ⁃  Protecting privacy for insurance company’s clients ⁃  Compliance with Export Control regulations for aircraft manufacturers ⁃  Copyright-protected streaming media for authorized users only ⁃  Improving speed and quality of health IT systems for veterans nationwide
  30. 30. © Axiomatics 2016 30 Axiomatics Solutions ⁃  Authorization for Applications ⁃  Business logic and middleware ⁃  APIs and web services ⁃  On-premise and cloud applications ⁃  Authorization for Databases ⁃  Relational databases ⁃  Big Data ⁃  Access Review on policies ⁃  Prove regulatory compliance and permissions of users or groups ⁃  Real-time review of dynamic authorization ⁃  Internal reporting and auditing needed at various levels of user ⁃  Review what your employees can do
  31. 31. © Axiomatics 2016 31 Structuring the Policies The Authorization Policy Lifecycle
  32. 32. © Axiomatics 2016 32 Deploy the architecture – Defence in Depth
  33. 33. © Axiomatics 2016 33 Questions?

×