CIS13: Externalized Authorization from the Developer’s Perspective
Transcript of CIS13: Externalized Authorization from the Developer’s Perspective
XACML for Developers
Updates, New Tools, & Patterns for the Eager #IAM Developer
#CISNapa - @davidjbrossard - @axiomatics
eXtensible Access Control Markup Language
What is XACML?
Not guacamole
De facto standard
Defined at OASIS
XACML in the IAM spectrum
One of the several standards in the #IAM family:
SAML, SPML, LDAP, RBAC, ABAC…, SCIM, OpenID, OAuth, WS-*
Why XACML?
In a web 3.0 world where it’s about small apps and your data…
Quick, call the plumber: 1-800-GO-XACML, it’s time to get leaks under control
What’s Attribute-based Access Control?
In the olden days, authorization was about: Who?
Authorization should really be about… When? What? How? Where? Who? Why?
Example Scenario: Managing Purchase Orders
A car retail company has a web application that users can access to create, view, and approve purchase orders, in accordance with policy rules.
Attributes
Resource attributes: Resource type, PO Id, PO amount, PO location, PO creator, PO Status
Subject attributes: Identity, Department, Location, Approval limit, Role
Action attributes: Action type
Environment attributes: Device type, IP address, Time of day
(Icon credits: Profile designed by Sven Gabriel, Invisible by Andrew Cameron, Wrench by John O’Shea, Clock by Brandon Hopkins, all from The Noun Project)
A simple rule
Anyone in the purchasing department can create purchase orders

A richer rule
A manager in the purchasing department can approve purchase orders
§ up to their approval limit
§ if and only if the PO location and the manager location are the same
§ if and only if the manager is not the PO creator
XACML 101 – The Basics
What does XACML contain?
XACML: Reference Architecture, Policy Language, Request / Response Protocol
XACML Architecture & Flow
Decide: Policy Decision Point (PDP)
Manage: Policy Administration Point (PAP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Enforce: Policy Enforcement Point (PEP)
Flow in the diagram: the user asks to "Access Document #123"; the PEP forwards "Can Alice access Document #123?" to the PDP; the PDP loads the XACML policies, retrieves the user role, clearance and document classification, and answers "Yes, Permit".
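The PEP, PDP and PIP roles above, applied to the purchase-order rules from the scenario, as an added example that is not part of the deck: a toy Python PDP pulls the subject's department, role, location and approval limit from a constructed PIP directory, evaluates the two rules, and combines them deny-overrides. The function names (pip_lookup, pdp_decide, pep_can) and all data are hypothetical.

```python
# Added example (not from the deck): toy PDP/PIP/PEP for the purchase-order scenario;
# the PDP enriches the request from the PIP and evaluates the two rules stated earlier.
PIP_DIRECTORY = {  # constructed PIP data: subject attributes the request does not carry
    "alice": {"department": "purchasing", "role": "manager", "location": "Napa", "approval_limit": 10000},
    "bob": {"department": "purchasing", "role": "buyer", "location": "Napa", "approval_limit": 0},
    "carol": {"department": "sales", "role": "manager", "location": "Sonoma", "approval_limit": 50000},
}

def pip_lookup(subject_id):
    """Policy Information Point: resolve attributes missing from the request."""
    return PIP_DIRECTORY.get(subject_id, {})

def rule_create(subject, action, resource):
    """Anyone in the purchasing department can create purchase orders."""
    if action != "create" or resource["type"] != "purchase_order":
        return "NotApplicable"
    return "Permit" if subject.get("department") == "purchasing" else "Deny"

def rule_approve(subject, action, resource):
    """A purchasing manager can approve a PO up to their limit, in their own
    location, and never a PO they created themselves."""
    if action != "approve" or resource["type"] != "purchase_order":
        return "NotApplicable"
    ok = (subject.get("department") == "purchasing"
          and subject.get("role") == "manager"
          and resource["amount"] <= subject.get("approval_limit", 0)
          and resource["location"] == subject.get("location")
          and resource["creator"] != subject["id"])
    return "Permit" if ok else "Deny"

def pdp_decide(request):
    """Policy Decision Point: enrich the subject via the PIP, then combine the
    rules deny-overrides (any Deny wins, else any Permit, else NotApplicable)."""
    subject = dict(pip_lookup(request["subject"]["id"]))
    subject.update(request["subject"])  # attributes sent in the request win
    results = [rule(subject, request["action"], request["resource"])
               for rule in (rule_create, rule_approve)]
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "NotApplicable"

def pep_can(subject_id, action, resource):
    """Policy Enforcement Point: the single if(authorized()) the application calls."""
    request = {"subject": {"id": subject_id}, "action": action, "resource": resource}
    return pdp_decide(request) == "Permit"

PO = {"type": "purchase_order", "amount": 8000, "location": "Napa", "creator": "bob"}  # constructed PO
```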
Language Elements of XACML
• 3 structural elements: PolicySet, Policy, Rule
• Root: either a PolicySet or a Policy
• PolicySets contain any number of PolicySets & Policies
• Policies contain Rules
• Rules contain an Effect: Permit / Deny
• Combining Algorithms
Root Policy Set
  PolicySet
    Policy
      Rule (Effect = Permit)
      Rule (Effect = Deny)
  PolicySet
    Policy
      Rule (Effect = Permit)
Sample XACML Policy
Language Structure: Russian dolls
• PolicySet, Policy & Rule can contain Targets, Obligations, Advice
• Rules can contain Conditions
(Diagram: Policy Set > Policy > Rule (Effect = Permit); each of the three levels carries a Target and an Obligation, and the Rule additionally a Condition)
Structure of a XACML Request / Response
XACML Request: Can Manager Alice approve Purchase Order 12367?
• Subject: User id = Alice, Role = Manager
• Action: Action id = approve
• Resource: Resource type = Purchase Order, PO # = 12367
• Environment: Device Type = Laptop
XACML Response: Yes, she can
• Result: Decision: Permit, Status: ok
The core XACML specification does not define any specific transport / communication protocol:
- Developers can choose their own.
- The SAML profile defines a binding to send requests/responses over SAML assertions.
So what’s in it for the developer?
#1 A single authorization model & framework
#1.a working across all layers
#1.b and across different technology stacks
(Chart: Share of programming languages (Feb 2013): Java, C, Objective-C, C++, C#, PHP, Python, (Visual) Basic, Perl, Ruby, JavaScript, Visual Basic .NET, Lisp, Pascal, Delphi/Object Pascal)
#2 A rich language to express many scenarios
ACLs
RBAC
Whitelists
Segregation-of-Duty
Relation-based
Trust Elevation
Device-based
Break the glass
Privacy protection
ABAC
Rich business flows
Data redaction

#3 Developer-friendly APIs
• The REST profile of XACML
• OASIS XACML profile
• Designed by Remon Sinnema of EMC2
(Diagram: XML over HTTP, JSON over HTTP)
#3 Developer-friendly APIs (cont’d)
Drop the…
Use curl, Perl, and Python with the REST API:
curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp

#4 Simplified request/response
• Use the JSON profile of XACML
• Idea: remove the verbose aspects of XACML, focus on the key points, make a request easy to read
#4 Sample XACML before JSON (cont’d)
Can Alice say Hello?
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
#4 Sample XACML using JSON (cont’d)
{"subject": {"attribute":[{ "attributeId":"username", "value":"alice"}]},
 "resource": {"attribute":[{ "attributeId":"resource-id", "value":"hello"}]},
 "action": {"attribute":[{ "attributeId":"action-id", "value":"say"}]}}
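To make concrete what the JSON profile strips away, here is an added example (not from the deck, nor Axiomatics code) that expands the compact JSON request above into the verbose XACML 3.0 XML Request shown before it, and counts words and characters for both forms. The mapping of the short ids username, resource-id and action-id to the full OASIS attribute URNs is an assumption of this example.

```python
# Added example (not from the deck): expand the compact JSON request above into the
# verbose XACML 3.0 XML Request, reusing the category and attribute URNs from the XML
# sample. The short-id-to-URN table is an assumption made for this example.
import json
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CATEGORY_URN = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
}
ATTRIBUTE_URN = {  # assumed mapping of the JSON short ids to full XACML attribute ids
    "username": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "resource-id": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "action-id": "urn:oasis:names:tc:xacml:1.0:action:action-id",
}

def json_to_xacml_xml(compact_json):
    """Build the XACML 3.0 <Request> XML (as a string) from the compact JSON form."""
    ET.register_namespace("xacml-ctx", NS)
    root = ET.Element(f"{{{NS}}}Request",
                      {"ReturnPolicyIdList": "true", "CombinedDecision": "false"})
    for category, body in json.loads(compact_json).items():
        attrs = ET.SubElement(root, f"{{{NS}}}Attributes", {"Category": CATEGORY_URN[category]})
        for a in body["attribute"]:
            full_id = ATTRIBUTE_URN.get(a["attributeId"], a["attributeId"])
            attr = ET.SubElement(attrs, f"{{{NS}}}Attribute",
                                 {"AttributeId": full_id, "IncludeInResult": "true"})
            ET.SubElement(attr, f"{{{NS}}}AttributeValue", {"DataType": XS_STRING}).text = str(a["value"])
    return ET.tostring(root, encoding="unicode")

def categories_of(xml_text):
    """Parse a request back into {category URN: {attribute id: value}} for inspection."""
    out = {}
    for attrs in ET.fromstring(xml_text).iter(f"{{{NS}}}Attributes"):
        out[attrs.get("Category")] = {a.get("AttributeId"): a.find(f"{{{NS}}}AttributeValue").text
                                      for a in attrs.iter(f"{{{NS}}}Attribute")}
    return out

def request_sizes(compact_json):
    """(words, chars) of the JSON and of its XML expansion, as in the deck's comparison."""
    xml = json_to_xacml_xml(compact_json)
    return {"json": (len(compact_json.split()), len(compact_json)), "xml": (len(xml.split()), len(xml))}

COMPACT = '''{"subject": {"attribute":[{"attributeId":"username", "value":"alice"}]},
 "resource": {"attribute":[{"attributeId":"resource-id", "value":"hello"}]},
 "action": {"attribute":[{"attributeId":"action-id", "value":"say"}]}}'''
```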
#4 JSON & XML side-by-side comparison
(Chart: Size of a XACML request. Two bar charts comparing XML and JSON: word count, scale 0 to 50; character count, scale 0 to 1400.)

#5 Easy authoring tools
• Natural language authoring
• Axiomatics Language for Authorization (ALFA)
• Research initiative from TSSG
• And many more coming…
#5 Axiomatics Language For AuthZ (cont’d)
Provide the right tools for easy authoring of XACML policies
• Plugs into Eclipse IDE
• High-level syntax
• Auto-complete
• Automatic translation to XACML 3.0
Wrapping up
Benefits for the developer
Benefits of using XACML #1
• One consistent authorization model
• Many different applications
• Decide once, enforce everywhere

Benefits of using XACML #2
• Adios endless if, else statements
• Hello simple if(authorized())
(Chart: Developer Happiness Index. X axis: number of if / else statements terminated, 10 to 170; Y axis: developer happiness increase, 0 to 30000.)

Benefits of using XACML #3
• Security potholes are a thing of the past
• XACML is the concrete that fills in the cracks in your authorization wall

Benefits of using XACML #4
• Let developers do what they know best
• Offload auditing, info security to security architects & auditors by externalizing authorization
Happy developer, happy auditor
Next steps?
Download XACML SDK
Download ALFA plugin
Download Eclipse
Code in your favorite language
Questions? Contact us at [email protected]
Q&A