We will discuss the Good, the Bad and the Ugly of Role Based Access Control. We will review access control in systems where multiple roles are fulfilled and compare MAC, DAC and RBAC.
We will present the "next generation" authorization model that provides dynamic, context-aware and risk-intelligent access control. We will discuss Identity Management, Data Discovery, AI, policy-based access control (PBAC), claims-based access control (CBAC) and key standards, including XACML and ALFA.
3. Ulf Mattsson
1. Head of Innovation at TokenEx
2. Chief Technology Officer at
• Protegrity
• Atlantic BT
• Compliance Engineering
3. Developer at IBM Research and Development
4. Inventor of more than 70 issued/awarded US Patents
5. Products and Services
• Data Encryption, Tokenization, and Data Discovery
• Robotics and Applications in Manufacturing
• Cloud Application Security Brokers, and Web Application Firewalls
• Managed Security Services, and Security Operation Centers
• Contributed to the development of PCI DSS and ANSI X9
• Security and Privacy Benchmarking/Gap-analysis for Financial Industry
10. MAC, DAC, and RBAC
Source: wikipedia
DAC is the way to go to let people manage the content they own.
• DAC is very good for letting users of an online social network choose who accesses their data.
• It allows people to revoke or forward privileges easily and immediately.
RBAC is a form of access control suitable for separating responsibilities in a system where multiple roles are fulfilled.
• This is obviously true in corporations (often along with compartmentalization, e.g. Brewer and Nash or MCS), but it can also be used on a single-user operating system to implement the principle of least privilege.
• RBAC is designed for separation of duties by letting users select the roles they need for a specific task.
MAC in itself is vague; there are many ways to implement it for many systems.
• In practice, you'll often use a combination of different paradigms.
• For instance, a UNIX system mostly uses DAC, but the root account bypasses DAC privileges (a MAC layer such as SELinux or AppArmor is what constrains even root).
11. Issues with Role-based access control (RBAC)
1. RBAC employs pre-defined roles that carry a specific set of privileges; a subject assigned a role receives all of them, so access that must vary by context ends up multiplying roles.
2. Lack of policies that express a complex Boolean rule set that can evaluate many different attributes.
3. No "next generation" authorization model: no dynamic, context-aware and risk-intelligent access control to resources, and no way to write access control policies that include specific attributes from many different information systems.
4. Implementation may take 2 years and cost $10 million in a large organization.
13. What is Attribute Based Access Control (ABAC)?
Source: IDMWORKS
ABAC is an effort to shift the paradigm from granting resource access to a specific user to granting access based on the values of a user's attributes.
• User authentication is still required, but access is no longer granted via a specific ACL.
• Instead, at the point of access a decision is made, based on the values of specific attributes, whether or not access should be granted.
This approach significantly decreases the administration required to maintain data security. It also ensures that data is available in real time to those who need it and are authorized to view/use it.
• Provisioning requests are no longer required in order to gain access to the data, since access is evaluated and granted in real time.
ABAC provides particular advantages when it is deployed in a federated environment.
• Access is determined by the agreement between the two entities (businesses, organizations, governments, etc.) and then is enforced by the Policy Enforcement Point (PEP) at the time of access. Each entity maintains autonomous control of its identities.
14. Attribute-based access control (ABAC)
Source: wikipedia
1. Defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together.
2. The policies can use any type of attribute (user attributes, resource attributes, object attributes, environment attributes, etc.).
3. This model supports Boolean logic, in which rules contain "IF, THEN" statements about who is making the request, the resource, and the action.
4. Unlike role-based access control (RBAC), which employs pre-defined roles that carry a specific set of privileges associated with them and to which subjects are assigned, the key difference with ABAC is the concept of policies that express a complex Boolean rule set that can evaluate many different attributes.
5. ABAC is considered a "next generation" authorization model because it provides dynamic, context-aware and risk-intelligent access control to resources. Access control policies can include specific attributes from many different information systems, which lets an authorization be resolved and regulatory compliance achieved efficiently, while allowing enterprises flexibility in their implementations based on their existing infrastructures.
6. Attribute-based access control is sometimes referred to as policy-based access control (PBAC) or claims-based access control (CBAC).
22. XACML (eXtensible Access Control Markup Language)
Source: wikipedia
1. The standard defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.
2. XACML is primarily an attribute-based access control system (ABAC), where attributes (bits of data) are associated with a user, an action or a resource.
3. Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.
4. The XACML model supports and encourages the separation of the access decision from the point of use. When the client is decoupled from the access decision, authorization policies can be updated on the fly and affect all clients immediately. (In XACML terms, the Policy Enforcement Point (PEP) at the point of use sends a request to a Policy Decision Point (PDP), which evaluates the policies and returns Permit, Deny, NotApplicable or Indeterminate.)
5. ALFA (Abbreviated Language For Authorization) is a compact syntax for writing XACML policies and has three structural elements: like in XACML, a PolicySet can contain PolicySet and Policy elements; a Policy can contain Rule elements; a Rule contains a decision (its effect, Permit or Deny).
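The following is an added example written for this page; it is not code from the slides, from IDMWORKS, or from any XACML engine. It makes the points of slides 10, 11, 13, 14 and 22 concrete: a tiny Policy Decision Point evaluates XACML-style Permit/Deny/NotApplicable decisions with the deny-overrides combining algorithm, a Policy Enforcement Point applies default deny, and RBAC appears as a special case of ABAC because the role is just one subject attribute next to ward, network location and session risk score. The hospital scenario, attribute names and rules are constructed for illustration.

```python
"""Added example: minimal XACML-style PDP/PEP showing RBAC as a specialization of ABAC.
Not code from the slides or any product; scenario and attribute names are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    """The four XACML attribute categories of an access request."""
    subject: Dict
    resource: Dict
    action: Dict
    environment: Dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str                       # PERMIT or DENY
    condition: Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    target: Callable[[Request], bool]   # which requests this policy applies to
    rules: List[Rule]


def deny_overrides(decisions: List[str]) -> str:
    """XACML deny-overrides combining algorithm: one Deny beats any number of Permits."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def evaluate_policy(policy: Policy, req: Request) -> str:
    if not policy.target(req):
        return NOT_APPLICABLE
    return deny_overrides([r.effect if r.condition(req) else NOT_APPLICABLE for r in policy.rules])


def pdp_decide(policy_set: List[Policy], req: Request) -> str:
    """Policy Decision Point: combine every policy in the set with deny-overrides."""
    return deny_overrides([evaluate_policy(p, req) for p in policy_set])


def pep_allows(decision: str) -> bool:
    """Policy Enforcement Point: default deny, only an explicit Permit opens the door."""
    return decision == PERMIT


def is_medical_record(req: Request) -> bool:
    return req.resource.get("type") == "medical-record"


# RBAC expressed in ABAC terms: a static role-to-privilege mapping on the subject's "roles" attribute.
RBAC_POLICY = Policy("rbac-clinical-roles", is_medical_record, [
    Rule("clinicians-may-read", PERMIT,
         lambda r: r.action.get("id") == "read"
         and bool({"doctor", "nurse"} & set(r.subject.get("roles", [])))),
])

# ABAC adds attributes RBAC cannot express: ward (from HR), network location and a session
# risk score (environment), plus a break-glass flag that relaxes the ward rule.
ABAC_POLICY = Policy("abac-context", is_medical_record, [
    Rule("no-export-off-corp-network", DENY,
         lambda r: r.action.get("id") == "export" and not r.environment.get("corp_network", False)),
    Rule("reads-limited-to-own-ward", DENY,
         lambda r: r.action.get("id") == "read"
         and r.subject.get("ward") != r.resource.get("ward")
         and not r.environment.get("break_glass", False)),
    Rule("block-risky-sessions", DENY,
         lambda r: r.environment.get("risk_score", 0) >= 70),
])

POLICY_SET = [RBAC_POLICY, ABAC_POLICY]


def make_request(roles, ward, action, resource_ward="A", resource_type="medical-record", **env) -> Request:
    """Build a request; extra keyword arguments become environment attributes."""
    return Request(subject={"roles": roles, "ward": ward},
                   resource={"type": resource_type, "ward": resource_ward},
                   action={"id": action},
                   environment=env)


def decide(roles, ward, action, **kw) -> str:
    return pdp_decide(POLICY_SET, make_request(roles, ward, action, **kw))


if __name__ == "__main__":
    cases = [
        ("doctor reads own-ward record", (["doctor"], "A", "read"), {"risk_score": 10}),
        ("same doctor, risky session", (["doctor"], "A", "read"), {"risk_score": 85}),
        ("nurse reads other ward", (["nurse"], "B", "read"), {}),
        ("nurse reads other ward, break glass", (["nurse"], "B", "read"), {"break_glass": True}),
        ("doctor exports from home network", (["doctor"], "A", "export"), {"corp_network": False}),
        ("auditor reads an invoice", (["auditor"], "A", "read"), {"resource_type": "invoice"}),
    ]
    for label, args, kw in cases:
        d = decide(*args, **kw)
        print(f"{label:38s} -> {d:14s} PEP allows: {pep_allows(d)}")
```

Note the two behaviours a practitioner should look for: the risky-session Deny overrides the role-based Permit (deny-overrides), and a request no rule covers comes back NotApplicable, which the PEP treats as a denial rather than a pass.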
31. Discovery, Mapping, Analysis and Risk Mitigation
Article 30 - Records of processing activities - EU General Data Protection Regulation (EU-GDPR)
Source: BigID
32. Automate Consent Tracking And Data Governance
1. Advanced ML PII & PI discovery and access intelligence for security and privacy: petabyte scale, ML driven, structured and unstructured data, data subject rights.
2. Artificial Intelligence (AI) is prevalent in everything from autocorrect to music recommendations, and in fiction from Frankenstein's monster to replicants and paranoid robots.
3. Formalized in the 1950s, AI has moved past speculative fiction and is an inescapable part of our everyday lives.
4. The past few years have seen a significant rise in software projects that use Artificial Intelligence and Machine Learning.
5. Although often used interchangeably, Artificial Intelligence (AI) and Machine Learning (ML) are not the same.
6. Think of AI as intelligence, and ML as knowledge.
Source: BigID and Groundlabs
35. Artificial Intelligence
• At the core of most, if not all, advanced artificial intelligence or machine learning systems are optimization problems.
• Machine learning is an incredibly iterative process, and utilizes huge data sets to learn and evolve to figure out improved approaches to the problem at hand.
• Novel quantum algorithms could dramatically accelerate the underlying processing required for machine learning.
• The strange, nearly metaphysical nature that governs how qubits operate in quantum computing may not only hold the key to better and faster artificial intelligence, but has also been speculated to be the secret to true artificial intelligence.
36. The Difference Between Artificial Intelligence and Machine Learning
• Artificial Intelligence describes the ability of machines to perform tasks that are typically associated with human activity and intelligence: reasoning, learning, natural language processing, perception, etc. Any "smart" activity performed by a machine falls under AI.
• Artificial Intelligence is the capability of a machine to imitate intelligent human behavior.
• Machine Learning is a subset of AI.
• ML is a set of algorithms built to achieve AI: those algorithms learn from data, modify themselves when exposed to more data, and achieve a goal without being explicitly programmed.
Source: BigID and Groundlabs
40. EU GDPR Fines
• When French regulators cited Europe's fledgling General Data Protection Regulation (GDPR) in fining Google $57 million earlier this year for playing fast and loose with consumer data in personalizing ads, experts called what was then the biggest fine issued under the new law the "tip of the iceberg."
• The U.K.'s Information Commissioner's Office (ICO) on July 8 cited GDPR in announcing it would seek a $230 million fine against British Airways (equal to 1.5 percent of the company's annual revenue) for a September 2018 breach in which attackers accessed the protected data of nearly 500,000 customers through the airline's website and mobile applications.
• The ICO alleged that ineffective security practices were to blame.
• ICO added Marriott to the list, saying it intends to seek nearly $124 million from Marriott (or 3 percent of its annual revenue) for a breach that saw hackers maintain access to the Starwood guest reservation database between 2014 and 2018, compromising 383 million customer records.
Source: rsaconference.com
43. PII Inventory
• Locating sensitive PII is essential to protecting it.
• However, data maps alone can't provide a complete protection or privacy picture.
• New privacy protection regulations mandate an individual's right to access their own data, the right to be forgotten, the right to port their data and the right to be notified of a breach.
Source: BigID (TokenEx partner)
44. Term clusters in criminal forum and marketplace posts (figure)
Source: Verizon 2019 DBIR, data-breach-investigations-report
45. Pseudonymisation Under the GDPR
Within the text of the GDPR, there are multiple references to pseudonymisation as an appropriate mechanism for protecting personal data.
Pseudonymisation, replacing identifying or sensitive data with pseudonyms, is in practice what tokenization does: it replaces identifying or sensitive data with tokens, and the means of reversing the mapping (the token vault or the tokenization key) is the "additional information" that Article 4(5) requires to be kept separately.
What is Personal Data according to EU GDPR?
Article 4 – Definitions
• (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); …such as a name, an identification number, location data, an online identifier…
• (5) ‘pseudonymisation’ means the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately…
47. Tokenization for Cross Border Data-centric Security (EU GDPR)
(Figure: multiple data sources feeding a data warehouse in Italy, with complete policy-enforced de-identification of sensitive data across all bank entities)
• Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers
• Compliance with EU Cross Border Data Protection Laws
• Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting
48. How Should I Secure Different Types of Data?
(Figure: matrix of type of data against use case)
• Type of data: structured, unstructured
• Use case: simple, complex
• Data classes: PCI (Card Holder Data), PHI (Protected Health Information), PII (Personally Identifiable Information)
• Techniques: tokenization of fields (structured data), encryption of files (unstructured data)
49. Application of Data Security and Privacy techniques On-premises, in Public, and Private Clouds
Privacy enhancing data de-identification terminology and classification of techniques: Tokenization (T), Cryptographic tools (CT), De-identification techniques (DT), and Formal privacy measurement models (PMM) such as Differential Privacy (DP) and the K-anonymity model.
Data Security and Privacy techniques:
• Vault-based tokenization (VBT): Suitable for cloud deployment and centralized token generation. CPU impact and latency are typically similar to a database lookup query transaction.
• Vault-less tokenization (VLT): Suitable for on-premises deployment and distributed token generation. Suitable for high performance requirements, including transaction switches and data warehouse databases. CPU impact is typically similar to AES encryption.
• Format Preserving Encryption (FPE): Suitable for any deployment model. CPU impact is typically 10 times more than AES encryption.
• Homomorphic Encryption (HE): Suitable for public cloud based computation where operations on encrypted data values are required. CPU impact for asymmetric crypto operations can be significant compared to AES and other symmetric crypto algorithms.
• Masking: Since masking is a one-way process, not reversible, it may be less suitable in operational transaction systems.
• Differential Privacy, server model: Suitable for cloud deployment models. CPU impact for cleaning the database is similar to a database scan with change transactions.
• Differential Privacy, local model: Suitable for the client side of any deployment model. CPU impact for cleaning the database is similar to a database scan with change transactions.
• L-diversity: Suitable for privacy in any deployment model. CPU impact for cleaning the database is similar to a database scan with change transactions.
• T-closeness: Suitable for privacy in any deployment model. CPU impact for cleaning the database is similar to a database scan with change transactions.
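The following is an added example written for this page, not code from the slides or from any tokenization vendor. It serves both the pseudonymisation slide (45) and the VBT/VLT rows above: two toy tokenizers replace a card number with a same-format token that keeps the last four digits, and re-identification needs either the separately held vault (vault-based) or the secret key (vault-less), which is exactly the "additional information kept separately" of GDPR Article 4(5). The PANs, field names and key are constructed for the demo. The vault-less scheme here is a per-position keyed digit substitution chosen for readability; it is not a secure design, and production VLT or FPE (for example NIST FF1) operates on the whole value rather than digit by digit.

```python
"""Added example: vault-based vs vault-less tokenization as pseudonymisation.
Not code from the slides or any product; the key, PANs and records are constructed.
The vault-less scheme is a TOY (per-digit keyed substitution), not a secure algorithm."""
import hashlib
import hmac
import secrets
import string

DIGITS = string.digits


class VaultTokenizer:
    """Vault-based tokenization: random tokens, the token->value map lives in a separate vault."""

    def __init__(self, keep_last: int = 4):
        self.keep_last = keep_last
        self._vault = {}      # token -> original value: the separately kept "additional information"
        self._by_value = {}   # original value -> token, so a PAN always gets the same token

    def _split(self, value: str):
        cut = len(value) - self.keep_last
        head, tail = value[:cut], value[cut:]
        if not head or not head.isdigit():
            raise ValueError("value must have digits beyond the preserved tail")
        return head, tail

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]
        head, tail = self._split(value)
        while True:  # draw random digits until the token is unused and differs from the value
            token = "".join(secrets.choice(DIGITS) for _ in head) + tail
            if token != value and token not in self._vault:
                break
        self._vault[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]   # KeyError: the vault does not know this token


class VaultlessTokenizer:
    """Vault-less tokenization: tokens derived from a secret key, reversible with the key only."""

    def __init__(self, key: bytes, keep_last: int = 4):
        self.key = key
        self.keep_last = keep_last

    def _table(self, position: int):
        # Key-derived permutation of the ten digits for this position (Fisher-Yates driven by HMAC).
        rnd = int.from_bytes(hmac.new(self.key, b"pos:%d" % position, hashlib.sha256).digest(), "big")
        table = list(DIGITS)
        for i in range(9, 0, -1):
            j = rnd % (i + 1)
            rnd //= i + 1
            table[i], table[j] = table[j], table[i]
        return table   # plaintext digit d maps to table[int(d)]

    def tokenize(self, value: str) -> str:
        cut = len(value) - self.keep_last
        head, tail = value[:cut], value[cut:]
        if not head or not head.isdigit():
            raise ValueError("value must have digits beyond the preserved tail")
        return "".join(self._table(i)[int(d)] for i, d in enumerate(head)) + tail

    def detokenize(self, token: str) -> str:
        cut = len(token) - self.keep_last
        head, tail = token[:cut], token[cut:]
        return "".join(str(self._table(i).index(t)) for i, t in enumerate(head)) + tail


def pseudonymise(record: dict, fields, tokenizer) -> dict:
    """Return a copy of the record with the identifying fields replaced by tokens."""
    out = dict(record)
    for f in fields:
        out[f] = tokenizer.tokenize(record[f])
    return out


if __name__ == "__main__":
    pan = "4111111111111111"                        # constructed test PAN
    vbt = VaultTokenizer()
    vlt = VaultlessTokenizer(b"constructed-demo-key-do-not-use")
    for name, tk in (("VBT", vbt), ("VLT", vlt)):
        tok = tk.tokenize(pan)
        print(f"{name}: {pan} -> {tok} -> {tk.detokenize(tok)}")
    print(pseudonymise({"customer": "Ada", "pan": pan, "amount": 42}, ["pan"], vlt))
```

The operational difference the table describes is visible in the code: the vault-based tokenizer needs a lookup (and a shared store) on every call, while the vault-less one is a pure keyed computation that any node holding the key can run independently and consistently.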
50. Data Security and Privacy Standard
Source: INTERNATIONAL STANDARD ISO/IEC 20889
(Figure: classification of techniques and their defining properties)
• Cryptographic tools (CT): Format Preserving Encryption (FPE), where the encrypted data has the same format as the plaintext; Homomorphic Encryption (HE), where two encrypted values can be combined*.
• Formal privacy measurement models (PMM): Differential Privacy (DP) in a server model or a local model, where responses to queries are only able to be obtained through a software component or "middleware", known as the "curator**"; the K-anonymity model, which ensures that for each identifier there is a corresponding equivalence class containing at least K records.
• De-identification techniques (DT): the entity receiving the data is looking to reduce risk.
*: Multi Party Computation (MPC)
**: Example Apple and Google
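The following is an added example written for this page, not code from ISO/IEC 20889 or from the slides. It measures the two formal privacy models named above on a constructed patient table: the k of k-anonymity (smallest equivalence class over the quasi-identifiers) and the l of l-diversity (fewest distinct sensitive values in any class), then generalizes age into bands and ZIP codes into prefixes until a requested k is met. The records, field names and generalization widths are assumptions made for the demo.

```python
"""Added example: k-anonymity and l-diversity measured over a constructed table,
plus the generalization step that raises k. Not code from ISO/IEC 20889 or the slides."""
from collections import defaultdict

# Constructed sample: age and zip are quasi-identifiers, diagnosis is the sensitive attribute.
RECORDS = [
    {"age": 23, "zip": "02139", "diagnosis": "flu"},
    {"age": 27, "zip": "02134", "diagnosis": "flu"},
    {"age": 31, "zip": "02139", "diagnosis": "HIV"},
    {"age": 38, "zip": "02138", "diagnosis": "flu"},
    {"age": 45, "zip": "01810", "diagnosis": "cancer"},
    {"age": 41, "zip": "01821", "diagnosis": "flu"},
    {"age": 25, "zip": "02141", "diagnosis": "cancer"},
    {"age": 33, "zip": "02143", "diagnosis": "cancer"},
]
QIDS = ("age", "zip")
SENSITIVE = "diagnosis"


def equivalence_classes(records, qids):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in qids)].append(rec)
    return classes


def k_anonymity(records, qids):
    """The k the table satisfies: size of its smallest equivalence class (0 for an empty table)."""
    classes = equivalence_classes(records, qids)
    return min((len(c) for c in classes.values()), default=0)


def l_diversity(records, qids, sensitive):
    """The l the table satisfies: fewest distinct sensitive values in any equivalence class.
    A class with k >= 2 but l == 1 still leaks the attribute (homogeneity attack)."""
    classes = equivalence_classes(records, qids)
    return min((len({r[sensitive] for r in c}) for c in classes.values()), default=0)


def generalize(records, age_width=10, zip_prefix=3):
    """Coarsen the quasi-identifiers: age -> band, zip -> prefix with the rest masked."""
    out = []
    for rec in records:
        lo = rec["age"] // age_width * age_width
        g = dict(rec)
        g["age"] = f"{lo}-{lo + age_width - 1}"
        g["zip"] = rec["zip"][:zip_prefix] + "*" * (len(rec["zip"]) - zip_prefix)
        out.append(g)
    return out


def anonymize_to(records, k, age_widths=(5, 10, 20), zip_prefixes=(4, 3, 2)):
    """Least generalization (finest tried first) that reaches the requested k; None if none does."""
    for width in age_widths:
        for prefix in zip_prefixes:
            cand = generalize(records, width, prefix)
            if k_anonymity(cand, QIDS) >= k:
                return cand, (width, prefix)
    return None


if __name__ == "__main__":
    print("raw:         k =", k_anonymity(RECORDS, QIDS), "l =", l_diversity(RECORDS, QIDS, SENSITIVE))
    gen = generalize(RECORDS)
    print("generalized: k =", k_anonymity(gen, QIDS), "l =", l_diversity(gen, QIDS, SENSITIVE))
    for key, cls in equivalence_classes(gen, QIDS).items():
        print(key, [r[SENSITIVE] for r in cls])
```

Two things to take from running it: the raw table is 1-anonymous (every row is unique on age and ZIP), the 10-year/3-digit generalization reaches k = 2 and l = 2, and no generalization in the search grid reaches k = 3 on this small table, which is the usual trade-off between utility and the privacy guarantee.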
53. Gartner - DataOps
Definition: DataOps is a collaborative data management practice focused on improving the communication, integration and automation of data flows between data managers and consumers across an organization. The goal of DataOps is to create predictable delivery and change management of data, data models and related artifacts. DataOps uses technology to automate data delivery with the appropriate levels of security, quality and metadata to improve the use and value of data in a dynamic environment.
Position and Adoption Speed Justification: Currently, there are no standards or known frameworks for DataOps. Today's loose interpretation makes it difficult to know where to begin, what success looks like, or if organizations are even "doing DataOps" at all. This lack of a documented discipline will likely inhibit adoption of the practice over the next 12 to 18 months, feeding the confusion and driving hype further. A growing number of technology providers are adopting the DataOps terminology and even claiming to offer DataOps solutions. At the same time, Gartner sees early-stage interest from data and analytics teams asking about the concepts. Given the tremendous pressure to achieve faster delivery of new and enhanced data analytics capabilities, DataOps will quickly traverse the first half of the Hype Cycle.
User Advice: As a new practice, DataOps will be most successful on projects targeting a small scope with some level of executive sponsorship, primarily from the CDO or other top data and analytics leader. Executive sponsorship will be key as DataOps represents a new way of delivering data to consumers. Practitioners will have to overcome the resistance to change existing practices as they introduce this concept.
54. DataOps is NOT Just DevOps for Data
• One common misconception about DataOps is that it is just DevOps applied
to data analytics.
• It communicates that data analytics can achieve what software
development attained with DevOps.
• DataOps can yield an order of magnitude improvement in quality and cycle
time when data teams utilize new tools and methodologies.
• The specific ways that DataOps achieves these gains reflect the unique
people, processes and tools characteristic of data teams (versus software
development teams using DevOps).
Source: datakitchen
56. Total Cost and Risk of Tokenization
On-premises tokenization
• Limited PCI DSS scope reduction - must still maintain a CDE with PCI data
• Higher risk – sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-based tokenization
• Significant reduction in PCI DSS scope (only where the PAN never enters the merchant environment; the tokenization service itself stays in scope)
• Reduced risk – sensitive data removed from the environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit, maintenance
Example: 50% Lower Total Cost
60. #3 Self-Sovereign Identity (SSI)
(Figure: you and a peer establish a connection over a distributed ledger (blockchain))
Source: Sovrin.org
The Sovrin Network is the first public-permissioned blockchain designed as a global public utility exclusively to support self-sovereign identity and verifiable claims. Recent advancements in blockchain technology now allow every public key to have its own address, which is called a decentralized identifier (DID).
61. #3 Self-Sovereign Identity (SSI)
(Figure: a digital wallet connects to a peer over the distributed ledger, gets a credential and later shows the credential; the layered stack is 1 DIDs, 2 DKMS, 3 DID Auth, 4 Verifiable Credentials)
Source: Sovrin.org
62. OpenID
Source: https://openid.net/
What is OpenID Connect?
OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications.
It uses straightforward REST/JSON message flows with a design goal of “making simple things simple and complicated things possible”.
It’s uniquely easy for developers to integrate, compared to any preceding identity protocol.
OpenID Connect lets developers authenticate their users across websites and apps without having to own and manage password files.
For the app builder, it provides a secure, verifiable answer to the question: “What is the identity of the person currently using the browser or native app that is connected to me?” That answer is carried in a signed ID Token, and it is only as trustworthy as the relying party's validation of the signature, issuer, audience, expiry and nonce.
The OpenID Foundation (OIDF) promotes, protects and nurtures the OpenID community and technologies.
The OpenID Foundation is a non-profit international standardization organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users.
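The following is an added example written for this page; it is not code from openid.net or from any OpenID Connect library. It shows the "verifiable answer" side of the slide: the provider mints an ID Token and the relying party validates what OpenID Connect Core (section 3.1.3.7) requires before trusting it, namely the signature with a pinned algorithm, iss, aud (and azp when there are several audiences), exp, iat and the nonce the relying party sent. For self-containment the token is signed with HS256 using the client secret; that is an assumption for the demo, since real providers normally sign with RS256 and the relying party fetches the keys from the jwks_uri published in discovery. The issuer, client id, secret and clock values are constructed.

```python
"""Added example: minting and validating an OpenID Connect ID Token.
Not code from openid.net or any library. HS256 with the client secret is an assumption
made so the example runs offline; production OPs typically use RS256 with JWKS keys."""
import base64
import hashlib
import hmac
import json
import time


class InvalidIDToken(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """What the OpenID Provider does: JWS compact serialization (HS256 for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: float = None, leeway: int = 60) -> dict:
    """What the Relying Party must check before trusting the claims. Raises InvalidIDToken."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIDToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidIDToken(f"undecodable token: {exc}")
    # Pin the algorithm: never let the token choose (alg "none" and key-confusion attacks).
    if header.get("alg") != "HS256":
        raise InvalidIDToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidIDToken("bad signature")
    if claims.get("iss") != issuer:
        raise InvalidIDToken("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise InvalidIDToken("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise InvalidIDToken("azp missing or wrong for a multi-audience token")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] + leeway < now:
        raise InvalidIDToken("token expired")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] - leeway > now:
        raise InvalidIDToken("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise InvalidIDToken("nonce mismatch (possible replay)")
    return claims


# Constructed demo values
ISSUER = "https://op.example"
CLIENT_ID = "rp-demo"
SECRET = b"constructed-client-secret"
NOW = 1_700_000_000


def demo_claims(**overrides) -> dict:
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "exp": NOW + 300, "iat": NOW, "nonce": "n-abc"}
    claims.update(overrides)
    return claims


def rp_accepts(claim_overrides: dict = None, secret: bytes = SECRET) -> bool:
    """Mint a token with the given claim overrides and report whether the RP accepts it."""
    token = mint_id_token(demo_claims(**(claim_overrides or {})), secret)
    try:
        validate_id_token(token, SECRET, ISSUER, CLIENT_ID, "n-abc", now=NOW)
        return True
    except InvalidIDToken:
        return False


if __name__ == "__main__":
    print("valid token           :", rp_accepts())
    print("wrong audience        :", rp_accepts({"aud": "other-client"}))
    print("expired               :", rp_accepts({"exp": NOW - 3600}))
    print("replayed nonce        :", rp_accepts({"nonce": "n-old"}))
    print("forged with other key :", rp_accepts(secret=b"attacker-key"))
```

The order of checks matters in practice: the signature is verified before any claim is read, the algorithm is fixed by the relying party rather than taken from the header, and a token for another client is rejected even though the same provider signed it.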