ABAC Non-Technical Challenge - APS 6.0


Transcript of ABAC Non-Technical Challenge - APS 6.0

Page 1: ABAC Non-Technical Challenge - APS 6.0

© 2014 Axiomatics AB 1

Handling the Access Control Obstacles: Enabling the shift to Attribute Based Access Control (ABAC) with Axiomatics Policy Server 6.0

Webinar: March 12, 2015

Page 2: ABAC Non-Technical Challenge - APS 6.0


Agenda

Attribute Based Access Control (ABAC) introduction & drivers

Reducing the divide between business and IT – dealing with the non-technical challenges

APS 6.0: enabling a collaborative approach to ABAC management

Q&A

Page 3: ABAC Non-Technical Challenge - APS 6.0


Page 4: ABAC Non-Technical Challenge - APS 6.0

Existing access control models fail

Too coarse-grained: hinders collaboration, leads to productivity and revenue loss

Unable to capture risks: unnecessary risk exposure and potential loss

Unable to meet regulatory requirements: compliance breaches, reputational loss, fines, etc.

Difficult to adapt information systems: slow time-to-market

WE NEED TO GO ABAC!

Page 5: ABAC Non-Technical Challenge - APS 6.0

What is Attribute Based Access Control (ABAC)?

It uses centrally managed authorization policies/rules

(vs. current models based on code embedded differently in each application)

Policies use attributes to exactly define WHO should gain access to WHAT, WHERE, WHY, WHEN and HOW

(vs. current coarse-grained models based on roles to group users with similar needs)

It externalizes authorization from applications

(vs. current models based on authorization being built into each and every application)

It is standards-based – eXtensible Access Control Markup Language (XACML)

(vs. current models based on the skills and methods of software developers who implement business rules in C++, Java, C# etc.)


Page 6: ABAC Non-Technical Challenge - APS 6.0


“By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.”

Gartner Predicts, March 2014

Page 7: ABAC Non-Technical Challenge - APS 6.0

Attribute Based Access Control (ABAC)


Page 8: ABAC Non-Technical Challenge - APS 6.0

ABAC enables the Any-Depth Architecture


Page 9: ABAC Non-Technical Challenge - APS 6.0


The ABAC shift: Non-technical vs. technical challenge

Page 10: ABAC Non-Technical Challenge - APS 6.0

The ABAC shift

FROM RBAC, coarse-grained: many users in one role (diagram label: Role A)

TO ABAC, fine-grained: many attributes per user/resource…

Page 11: ABAC Non-Technical Challenge - APS 6.0

Purchase-to-pay: Process view vs. IT view


Based on: Audit-focused Mining – New Views on Integrating Process Mining and Internal Control, Martin Schultz, CISA, CIA, ISACA Journal Vol 3. 2014

Who is authorized to create a PO?

Who is authorized to approve?

[Diagram: matching of Invoice, PO and Receipt]

Who is authorized to verify delivery?

Who is authorized to approve payment?

Page 12: ABAC Non-Technical Challenge - APS 6.0

Focus on policy rather than on role

Create PO: Permit users to create POs without general restrictions. For individual cost centers, authorized users may however be explicitly named.

Approve PO: Managers at level X or above can approve POs provided the amount is within their approval limits and the sum total of approved POs during the period does not exceed the corresponding budget constraints.

Verify goods receipt: The receipt of goods or services must be verified. Permit users to register a receipt provided…

Approve payment: Permit an approval of a payment only if a matching and approved PO-Receipt-Invoice exists and the user is…


Page 13: ABAC Non-Technical Challenge - APS 6.0


Based on: Enhancing Governance with a Simplified Approach to Segregation of Duties, Kevin Kobelsky, PhD, CISA, CA, CPA, ISACA Journal Vol 4. 2014

Page 14: ABAC Non-Technical Challenge - APS 6.0

Defining the access control policy


Page 15: ABAC Non-Technical Challenge - APS 6.0


Abstract example use case

[Diagram: a matrix of data storage against the workflow phases Planning and Production, listing the Create, Read, Update and Delete permissions of three user groups: the control board, the general public and members]

Page 16: ABAC Non-Technical Challenge - APS 6.0


DEMO use case policy – English version

Page 17: ABAC Non-Technical Challenge - APS 6.0

Defining the access control policy


Page 18: ABAC Non-Technical Challenge - APS 6.0

A collaborative approach to Policy Life Cycle Management

[Diagram: three policy domains, each with its own owner and sandbox in the Axiomatics Policy Server: Domain 1 (export control specialist, Sandbox 1), Domain 2 (PLM system owner, Sandbox 2) and Domain 3 (DocMan system owner, Sandbox 3); policies are deployed to the authorization domains AuthZ Domain 1 and AuthZ Domain 2]

Page 19: ABAC Non-Technical Challenge - APS 6.0

Lessons learned from customers

Policy owners

Attribute governance

How to reduce the divide between IT & Business in ABAC deployments – did we shed some light?

Page 20: ABAC Non-Technical Challenge - APS 6.0


Axiomatics Policy Server 6.0 addresses the non-technical challenge

Page 21: ABAC Non-Technical Challenge - APS 6.0

New features in Axiomatics Policy Server 6.0

Rich, web-based policy editor for business users

Put the business in the driver’s seat

One-click deployment

Enhanced attribute dictionary

Introduction of namespaces

Easy developer integration: REST and JSON support


Page 22: ABAC Non-Technical Challenge - APS 6.0


Live Demo: Axiomatics Policy Server 6.0

Page 23: ABAC Non-Technical Challenge - APS 6.0

The use case

Managers can view transactions

Employees can view transactions in their own region

The owner of a transaction can view the amount of the transaction.


Axiomatics Policy Server 6.0 Demo

Page 24: ABAC Non-Technical Challenge - APS 6.0

Employees can view transactions in their own region

User attributes

Role == employee

Region

Action attributes

Action == view

Resource attributes

Object type == transaction

Region


Axiomatics Policy Server 6.0 Demo

Relationship: the user's Region must equal the transaction's Region

Let’s implement it in the policy editor
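The demo use case from the two slides above, encoded as a small policy decision point in Python. This is an added example, not Axiomatics or APS code; the attribute names (role, region, id, owner, type, field), the use of a resource attribute `field == "amount"` to mark the amount as a separate, more sensitive part of the transaction that only its owner may view, and the deny-by-default combining are assumptions of this example.

```python
"""Minimal attribute-based policy decision point (PDP) for the demo use case.

Added example, not Axiomatics or APS code. Attribute names (role, region, id,
owner, type, field) and treating the amount as a separate, more sensitive field
of the transaction that only its owner may view are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Request:
    """Attributes of one access request, grouped by XACML-style category."""
    subject: dict = field(default_factory=dict)
    action: dict = field(default_factory=dict)
    resource: dict = field(default_factory=dict)

def _views_transaction(req: Request) -> bool:
    # Target shared by all three rules: action == view on a transaction.
    return req.action.get("id") == "view" and req.resource.get("type") == "transaction"

def managers_can_view(req: Request) -> bool:
    """Managers can view transactions (the record, not the amount field)."""
    return (_views_transaction(req) and req.resource.get("field") is None
            and req.subject.get("role") == "manager")

def employees_view_own_region(req: Request) -> bool:
    """Employees can view transactions in their own region: a relationship
    between two attributes (user.region == resource.region), not a constant."""
    region = req.subject.get("region")
    return (_views_transaction(req) and req.resource.get("field") is None
            and req.subject.get("role") == "employee"
            and region is not None  # missing attribute: fail closed, never match
            and region == req.resource.get("region"))

def owner_can_view_amount(req: Request) -> bool:
    """The owner of a transaction can view the amount of the transaction."""
    owner = req.resource.get("owner")
    return (_views_transaction(req) and req.resource.get("field") == "amount"
            and owner is not None and owner == req.subject.get("id"))

RULES: list[Callable[[Request], bool]] = [
    managers_can_view, employees_view_own_region, owner_can_view_amount]

def decide(req: Request) -> str:
    """Permit-overrides combining: any matching rule permits, otherwise Deny.
    No rule grants by default, so requests the policy does not describe are denied."""
    return "Permit" if any(rule(req) for rule in RULES) else "Deny"
```

Note that a request with a missing Region attribute is denied rather than matched against an absent value; the same fail-closed behaviour is what an external PDP should give when an attribute source is unavailable.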