CIS13: Policy Enabled Access Control: Meeting “Need to Share” Business Requirements
Policy Enabled Access Control: Meeting "Need to Share" Business Requirements
Gerry Gebel, President, Axiomatics Americas
ggebel@axiomatics.com | @ggebel | #cisNAPA
Setting the context
Operating in a "need to share" world
Objectives for this session
- Think more about attributes, and less about entitlements
- Business metadata and IT metadata
Financial services
- Account managers can view/edit records of clients directly assigned to them
- Account managers can view records for all clients in their branch, except VIP clients
- Managers can view/edit records of clients assigned to their subordinates
Electronic health records
- Nurse Practitioners in the Cardiology Department can view the records of heart patients
- Billing administrators can view non-medical data for patients in the same state
- Emergency access is permitted, but logged
Source: NIST ABAC 800-162
CRM
- Users can view customer cases for their LOB, country, region, role, or if they created the case
- Users with risk level != HIGH can approve cases
- For certain cases, e.g. Singapore, the user must be domiciled in the same country as the customer case
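The three use-case slides above (financial services, electronic health records, CRM) are all expressed as conditions on attributes of the subject, the resource, the action and the environment rather than as per-user entitlements. As an added example, not code from the talk or from Axiomatics, the following Python evaluator encodes those nine rules as predicates over attribute bags, combines them deny-overrides with default deny, and attaches a logging obligation to the emergency-access rule. The attribute names (role, branch, owner, vip, domicile, lob, risk_level, emergency) and the convention that a CRM case carries a "role" tag are this example's own assumptions.

```python
"""Toy ABAC policy evaluator for the three use cases on the slides.

Added example, not from the talk or Axiomatics: the attribute names, the
rule encoding and the deny-overrides combining are this example's own
assumptions. Each rule is a predicate over subject, resource, action and
environment attributes, which is the ABAC idea the slides describe.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
Predicate = Callable[[Attrs, Attrs, str, Attrs], bool]


@dataclass
class Rule:
    name: str
    effect: str                      # "Permit" or "Deny"
    when: Predicate                  # (subject, resource, action, env) -> bool
    obligations: List[str] = field(default_factory=list)


def evaluate(rules: List[Rule], subject: Attrs, resource: Attrs,
             action: str, env: Attrs) -> Tuple[str, List[str]]:
    """Deny-overrides: any applicable Deny wins; otherwise the applicable
    Permit rules win and their obligations are returned; no applicable
    rule means Deny (default deny)."""
    permits: List[Rule] = []
    for r in rules:
        if r.when(subject, resource, action, env):
            if r.effect == "Deny":
                return "Deny", list(r.obligations)
            permits.append(r)
    if permits:
        return "Permit", [o for r in permits for o in r.obligations]
    return "Deny", []


# --- Financial services slide ---
FINANCIAL = [
    Rule("direct-assignment", "Permit",
         lambda s, r, a, e: s.get("role") == "account_manager"
         and a in ("view", "edit") and r.get("owner") == s.get("id")),
    Rule("branch-view-non-vip", "Permit",
         lambda s, r, a, e: s.get("role") == "account_manager"
         and a == "view" and r.get("branch") == s.get("branch")
         and not r.get("vip", False)),
    Rule("manager-of-owner", "Permit",
         lambda s, r, a, e: s.get("role") == "manager"
         and a in ("view", "edit")
         and r.get("owner") in s.get("subordinates", [])),
]

# --- Electronic health records slide ---
EHR = [
    Rule("np-cardiology", "Permit",
         lambda s, r, a, e: s.get("role") == "nurse_practitioner"
         and s.get("department") == "cardiology" and a == "view"
         and r.get("condition") == "heart"),
    Rule("billing-same-state", "Permit",
         lambda s, r, a, e: s.get("role") == "billing_admin" and a == "view"
         and r.get("section") == "non_medical"
         and r.get("state") == s.get("state")),
    # "Emergency access is permitted, but logged": Permit with an obligation
    # the enforcement point must discharge (write the audit record).
    Rule("emergency-logged", "Permit",
         lambda s, r, a, e: e.get("emergency") is True and a == "view",
         obligations=["log-emergency-access"]),
]

# --- CRM slide ---
CRM = [
    Rule("case-view-scope", "Permit",
         lambda s, r, a, e: a == "view" and (
             r.get("lob") == s.get("lob")
             or r.get("country") == s.get("country")
             or r.get("region") == s.get("region")
             or r.get("role") == s.get("role")        # case tagged with a role
             or r.get("created_by") == s.get("id"))),
    Rule("approve-not-high-risk", "Permit",
         lambda s, r, a, e: a == "approve" and s.get("risk_level") != "HIGH"),
    # Country-specific restriction as a Deny rule so it overrides any Permit.
    Rule("singapore-domicile", "Deny",
         lambda s, r, a, e: r.get("country") == "SG"
         and s.get("domicile") != r.get("country")),
]


if __name__ == "__main__":
    am1 = {"id": "am1", "role": "account_manager", "branch": "B1"}
    print(evaluate(FINANCIAL, am1, {"owner": "am2", "branch": "B1", "vip": True}, "view", {}))
    print(evaluate(EHR, {"role": "clerk"}, {"condition": "heart"}, "view", {"emergency": True}))
```

Note how the VIP exception falls out of the combination: the branch rule simply does not apply to VIP clients, so a VIP record is only reachable through direct assignment or through the manager rule, while the Singapore domicile requirement is written as a Deny so it wins over any otherwise-applicable Permit.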
In the olden days, authorization was about: Who?
Authorization should really be about... When? What? How? Where? Who? Why?
It's all about the Attributes!
- Attributes are sets of labels or properties; they describe all aspects of the entities that must be considered for authorization purposes
- Attribute Based Access Control (ABAC) uses attributes as building blocks
An Authorization Service
- De-coupled from applications
- Standards-compliant
- Fine-grained
- Context-aware
- Attribute-based access control
- Externalized AuthZ
- Policy-based access control
Need to Share vs. Perimeters
Does the perimeter matter?
Slides 12 to 17: diagrams only, no transcribed text.
Source: http://bit.ly/U9l7wg
Source: www.arrayguard.com
Implementing the "need to share" model
Using attributes, policies and standards
The XACML Standard
- eXtensible Access Control Markup Language
- An OASIS standard
- The de facto standard for fine-grained access control
- Current version: 3.0
- XACML defines:
  - A policy language
  - A request / response scheme (XML, SOAP, REST & JSON)
  - A reference architecture
The XACML Architecture
- Manage: Policy Administration Point (PAP)
- Decide: Policy Decision Point (PDP)
- Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
- Enforce: Policy Enforcement Point (PEP)
Authorization in depth & at the right layer
XACML → Anywhere Authorization Architecture
Attributes and Governance
Ensuring high fidelity attributes
The Importance of Attribute Governance
- See the "garbage in, garbage out" principle
- Access policies rely on the validity/assurance of attribute values
- Some attributes will be managed by an attribute governance solution, mostly IT data
- Other attributes are managed by your business activities: client data, research data, health records, etc.
Governance - Authorization possibilities
- Governance tools keep track of "privilege granting attributes"; this enhances reporting and attestation
- Governance tools expose risk scores: Has the user's access been certified on schedule? Does the user have a high risk profile?
- The authorization system can incorporate risk data: If $riskScore > $threshold Then DENY access
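The architecture slide names the four XACML components (PAP, PDP, PIP, PEP) and the governance slide adds the rule "If $riskScore > $threshold Then DENY access", which depends on an attribute the application itself does not hold. As an added example, not code from the talk or from any XACML product, the following Python sketch wires those components together: the PEP builds a request, the PDP evaluates declarative rules held by the PAP and pulls the missing risk-score and certification attributes from a PIP backed by a constructed governance directory. The request and response dictionaries follow the layout of the XACML JSON profile (categories holding {AttributeId, Value} entries), but the rule encoding, the urn:example:* attribute ids, the threshold value, the "certified" Permit rule and the directory contents are this example's own assumptions.

```python
"""PEP / PDP / PIP / PAP round trip in the shape of the XACML architecture
slide, carrying the governance rule "If $riskScore > $threshold Then DENY".

Added example, not from the talk or any XACML product. Request/response
layout is modelled on the XACML JSON profile; the rule format, the
urn:example:* ids and the governance directory are constructed here.
"""
import operator
from typing import Dict, List, Optional

# Standard XACML attribute identifiers for subject, resource and action.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Constructed ids for the governance-sourced attributes (assumption).
RISK_SCORE = "urn:example:subject:risk-score"
CERTIFIED = "urn:example:subject:access-certified"

OPS = {">": operator.gt, "<=": operator.le, "==": operator.eq, "!=": operator.ne}


def response(decision: str, obligations: List[str]) -> Dict:
    return {"Response": [{"Decision": decision, "Obligations": obligations}]}


class PAP:
    """Policy Administration Point: where rules are authored and stored.
    Each rule is declarative: attribute, comparison, value, effect."""
    def __init__(self):
        self.rules: List[Dict] = []

    def add_rule(self, rule_id, attribute, op, value, effect, obligation=None):
        self.rules.append({"id": rule_id, "attribute": attribute, "op": op,
                           "value": value, "effect": effect, "obligation": obligation})


class PIP:
    """Policy Information Point: resolves attributes the request did not
    carry, here from a constructed governance directory keyed by subject."""
    def __init__(self, directory: Dict[str, Dict[str, object]]):
        self.directory = directory

    def lookup(self, subject_id: Optional[str], attribute: str):
        return self.directory.get(subject_id, {}).get(attribute)


class PDP:
    """Policy Decision Point: evaluates the PAP's rules over the request
    attributes, asking the PIP for missing ones; deny-overrides."""
    def __init__(self, pap: PAP, pip: PIP):
        self.pap, self.pip = pap, pip

    def decide(self, request: Dict) -> Dict:
        bag: Dict[str, object] = {}
        for category in request["Request"].values():
            for attr in category.get("Attribute", []):
                bag[attr["AttributeId"]] = attr["Value"]
        subject_id = bag.get(SUBJECT_ID)
        decision, obligations = "NotApplicable", []
        for rule in self.pap.rules:
            if rule["attribute"] not in bag:          # fetch from the PIP on demand
                value = self.pip.lookup(subject_id, rule["attribute"])
                if value is None:
                    continue                          # unresolvable: rule does not apply
                bag[rule["attribute"]] = value
            if OPS[rule["op"]](bag[rule["attribute"]], rule["value"]):
                if rule["effect"] == "Deny":          # deny-overrides
                    return response("Deny", [rule["obligation"]] if rule["obligation"] else [])
                decision = "Permit"
                if rule["obligation"]:
                    obligations.append(rule["obligation"])
        return response(decision, obligations)


class PEP:
    """Policy Enforcement Point: builds the request from what the application
    knows and enforces the answer; anything other than Permit is refused."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def is_allowed(self, subject_id: str, resource_id: str, action: str) -> bool:
        request = {"Request": {
            "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": subject_id}]},
            "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource_id}]},
            "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
        }}
        return self.pdp.decide(request)["Response"][0]["Decision"] == "Permit"


def build_demo(threshold: int = 70) -> PEP:
    """Wire the components with the slide's risk rule plus a constructed
    Permit rule for users whose access certification is current."""
    pap = PAP()
    pap.add_rule("risk", RISK_SCORE, ">", threshold, "Deny")
    pap.add_rule("certified", CERTIFIED, "==", True, "Permit", "log-access")
    pip = PIP({                                       # constructed directory, not real users
        "alice": {RISK_SCORE: 20, CERTIFIED: True},
        "bob":   {RISK_SCORE: 85, CERTIFIED: True},
        "carol": {RISK_SCORE: 10, CERTIFIED: False},
    })
    return PEP(PDP(pap, pip))


if __name__ == "__main__":
    pep = build_demo()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, pep.is_allowed(user, "client-record-1", "view"))
```

The point of the split is that the application (PEP) never sees the risk score or the certification state: changing the threshold, or adding a new governance attribute, is a PAP change and a PIP lookup, not an application release, which is what "decoupled from applications" buys on the earlier slide.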
In Summary
Benefits of Data Governance
- Securely enable new and existing business models
- Easier to manage applications: decouple authorization from the application, so changes to the system are easier to implement
- More secure applications: consistently enforce policies across heterogeneous platforms and systems at the level of granularity required
- Achieve audit and regulatory compliance: a declarative policy language makes auditing and certifying application access a straightforward process
Questions? Contact us at [email protected]