NextLabs: Beyond RBAC - SAP Forum Basel 2017 Base… · NextLabs: Beyond RBAC Tim Quan, Director...


NextLabs: Beyond RBAC

Tim Quan, Director - SAP Industries & Solutions, NextLabs

March 2014

ABAC and Information Control Automation


© 2014 SAP AG or an SAP affiliate company. All rights reserved. 2

Agenda

● Common Challenges to Role Based Access Control (RBAC)

● Information Control Automation and Attribute Based Access Control (ABAC)

● Industry Frameworks for ABAC

● ABAC in SAP

● Demonstration Examples

● Benefits and Common Scenarios in SAP


Challenge - Enforcement Granularity

“We can give her the role, but we can’t limit what data she can see”

[Figure labels: Product A, Product B, Product C, Product D, Product E; Supplier; Granted Access; Required Access]

Leads to too much access, custom authorization logic and/or complex roles


Challenge - Discretionary Authorization

“Please have your manager approve access”

• Why should or shouldn’t your manager approve access?
  • Role purpose
  • Job function and assignments
  • Least privileges
  • Compliance requirements
  • Existing access
  • Trust

• When should your access be revoked?


Challenge - Role Explosion

Companies have multiple access drivers
• Functional Roles
• Compliance Regulations (e.g. ITAR, Trade Secrets, PII)
• IP Control Agreements (e.g. PIEA, NDA)
• Multiple Applications and Systems (e.g. PLM, ERP, CRM)

Traditional role based access control (RBAC) explodes based on the number of variables

[Chart axes: Required Access Rules vs. Number of Access Variables]

“We have 10,000 users and 125,000 roles and growing”


Information Control Enforcement Today

Policy Authorities

Business Authorizations (e.g. NDA, License)

Procedural Controls (e.g. Access Review)

Systematic Controls (e.g. Access Control)

90% 10%

Legal - Intellectual Property

Non-Disclosure Agreement

Acme Inc and Wiley Tech agree to share confidential information about Kaboom for 3 years. Materials marked “ACME Confidential” and destroyed at end of project.

Procedural Controls

IT
• Create Wiley Tech Site
• Manage Wiley Tech Group

End User
• Get manager review
• Mark confidential
• Put data Wiley Tech Confidential site Collaboration Portal
• Tell Wiley to Destroy

Systematic Controls

• Limit Access to Wiley Tech Site to users in Wiley Tech Group


Key Business Trends Impacting Information Risk

Industry Consolidation

• Continued M&A activity anticipated – 76% of executives anticipate at least one acquisition in 2013*

• Joint Ventures and partnerships on the rise

• Competitive threats keep companies on edge for IP Protection

Globalization

• Firms expanding footprint to international markets to drive revenue growth

• Trade and information exchange is crossing company and country borders

Anywhere.. Any device

• Firms looking for next frontier of operational efficiency gains

• Desire to minimize IT maintenance and support costs

• Firms look to give employees the required access to data from anywhere and through any device

* KPMG Survey on M&A Activity 2013


Increased Global Collaboration

[Figure labels: My Company, Customers, Customer Collaboration, Offshore Subsidiary, Outsourced Manufacturing, Supplier/Partner, Supplier Collaboration, Quality Contractor, Quality Collaboration]


Secure Information Collaboration Challenge

[Figure labels: My Company, Customers, Offshore Subsidiary, Outsourced Manufacturing, Supplier/Partner, Quality Contractor]

• Customer Collaboration: Forecasts, Promotions, Replenishment, ASNs
• Outsourced Manufacturing: Sub Con POs, ASNs, Invoices, Shipments, Work Order WIP
• Supplier Collaboration: Forecasts, Purchase Orders, Kanban, Invoices, Shipments
• Quality Collaboration: Quality Notifications


Business Authorization Dimensions

● Functional Access
  ● Determine the actions a user can perform

● Data Access
  ● Determine the data a user can see

● Governance
  ● Rules for access management

[Chart axes: Functional Access; Data Access]


Authorization Layers


Information Control Policy

Information Controls
• Audit
• Data Classification
• Access Control (ABAC)
• Integrated Rights Management
• Data Labeling and Marking
• Communication Control
• Application Control
• Device Control
• Network Control
• Compliance Workflow

Policy Authorities

Business Authorizations (e.g. NDA, License)

Procedural Controls (e.g. Access Review)

Systematic Controls (e.g. Access Control)

90% 10%


Information Control Policy

Attribute Driven Policy
Attribute Based Access Control (ABAC) enables dynamic authorization logic

Information Centric
Protecting data across systems and applications
Built in Data Classification Services

Identity Based
Deep integration with common identity management systems and standards

[Figure labels: Environment, Information, Identity, ABAC]


Policy Model

Allow only US Engineers to access Project X Specifications from US Offices

Subject: Location = US AND Department = Engineering

Resource: Project = Project X AND Type = Specification

Environment: Network Address = 192.168.*

Attribute-based rule conveys business intent. Provide fine-grain, data level control.


Policy Structure

FOR Confidential – Top Secret
ON Access
BY NOT Employee Level 5
WHERE User.Authority = Resource.Authority
DO Allow, Log Access

Target: determines policy applicability

Condition: determines policy effect

Effect: Policy decision and obligations


Gartner: Dynamic Attribute-based Authorization will be dominant

Attributes are now “how we role”

Context will play an ever-expanding role as people come to enterprise networks from all angles and devices. It will be a world of attribute-based access control, where an identity marketplace becomes a key provider of user attributes that build context and define access control decisions, especially for critical data, systems. Crafting policy definitions, however, will continue to present challenges.

Prediction: By 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today.

Gartner Predicts 2014: Identity and Access Management (source 1, source 2)


Kuppinger: Dynamic Attribute-based Authorization is the future

Source: Kuppinger Cole Leadership Compass for Access Governance


NIST Cyber Security Framework

Source: Improving Critical Infrastructure Cybersecurity, Executive Order 13636, NIST, 2013


• SAP Identity Management
• SAP GRC AC


• Centrally define corporate information security policies

• Segregate policy management by role

• Classify data based on policy

• Enforce data segregation based on policies

• Control access and usage based on multiple attributes, including user type, location, device type, media type

• Rights protect information based on multiple attributes

• Control how data is shared via email based on policy

• Monitor and log data access and usage based on policies

• Raise user awareness through context based messages


NextLabs Solution Approach

Manage, Monitor, Educate, Enforce, Audit

• Turns business requirements into enforceable controls

• Integrates with enterprise, cloud, and client applications
  − Data Classification
  − Data Segregation
  − Access Control
  − Rights Protection
  − Communications Control
  − Activity Logging

• Log and audit data and user activity


Policy-Driven Security Controls and Compliance Automation for SAP

[Figure labels: User Attributes, Data Classification, Context]

• Data-level and transaction-level security
• Field-level security control
• Virtualized data segregation
• Attribute-based Access Control and Access Segregation
• Encryption and DRM protection of data inside and outside of SAP
• Monitor or Deny modes
• Audit and Reporting of all requested access

“Allow only Project A Team Members in Site 1 to access Project A data for 6 months”

NextLabs is an SAP Endorsed Business Solution Partner


Information Control Policy Model


Security Classification

• Centrally manages SAP Master data attributes

• Features
  • Granularity (Transaction & Master data)
  • Extensible Schema
  • Inheritance (e.g., Material to BOM)
  • Classification Lifecycle Management
  • Classification Automation
  • Integration with external Classification systems (e.g., SAP GTS for Export Control)


Attribute Based Access Control

ACCESS DENIED: Only members of Project Y can access project data

ACCESS DENIED: ITAR Technical Data: Export Authorization Required


Integrated Rights Management for SAP

Protects data inside and outside SAP

Features
• Automatic rights protection
  – Long Text
  – Documents
• File type agnostic
• Persistence
  – Classification
  – Metadata
  – Rights


Policy Compliance Audit

Dashboards
• Role based dashboards for easy access to most critical analysis

Analytics
• Multi-dimensional summary analysis
• Trend Analysis

End to End Activity Audit
• Data access, use and distribution across applications
• Details required for Incident Investigation and Response

Compliance Audit
• Policy Enforcement
• Policy Based Activity Audit

Personal and Shared Reports

Integrates with Compliance Record Keeping


RBAC vs. RBAC+ABAC in SAP

97% less roles using Attributes

Organization: 1 Company, 5 Subsidiaries, 7 Plants/Subsidiary = 35 Plants

Scenario: 50 Functional roles & 5 Subsidiaries
• RBAC: 300 total roles
  • 50 Functional roles
  • 5 derived company code
  • 35 derived Plants
• RBAC + ABAC: 50 Functional roles

Scenario: 35 Plants under 5 subsidiaries
• RBAC: 1840 Roles
  • 50 x 35 = 1,750
  • 1,750 + 5 + 35 + 50 = 1840 Roles
• RBAC + ABAC: 51 Authorizations
  • 50 Functional roles
  • 1 NextLabs policy

Benefit
• RBAC: Baseline
• RBAC + ABAC: 97% less than RBAC alone


NextLabs can help address Security & Compliance Challenges

Secure Collaboration

• Accelerate and enable safe collaboration with external partners.

• Improve data access visibility within partner networks.

• Centrally define and enforce policies.

Business Transformation

• Accelerate consolidation with dynamic authorization.

• Enable field level security without role explosion with attribute based access control (ABAC).

Regulatory Compliance

Automate tedious compliance processes and audit reporting for

• Export (ITAR/EAR, BAFA, Dual Use, …)

• Privacy (PCI, PII …)

• Others (Chemical Weapons Convention, Nuclear Energy..)

IP and Data Security

• Protect and prevent loss of critical data inside and outside SAP Business Suite.

• Persistently protect IP data distributed with digital rights technology in and out of the enterprise.


Policy Evaluation

• ACC = Project 01

Query

Subject
• userid=“carter”
• Department = ‘Sales’
• location= “US”

Action
• Run

Resource
• UI Function = Display
• Mat = CRD-100-1
• Exp Security = ITAR
• IP = Proprietary
• Export Lic = NA
• ACC = Project 01

Response

Effect
• Allow/Deny

Obligations
• Show Message “ITAR TECHNICAL DATA”

[Figure labels: SAP ECC, SAP Server, Policy Controller (PDP), Control Center (PAP), Policy Bundle, Policies / Policy Components, Deploy, Evaluate, AD/LDAP, SAP CUA, HRMS, IdM]


Policy Combining

[Figure labels: Application, AuthZ Concept, PEP, Policy Decision Point (PDP), Policy Information Point (PIP), Data]

Andy Access Material A
• Policy 1 (IP Control): ALLOW
• Policy 2 (Export Compliance): ALLOW
• Policy 3 (National Security): DENY

Deny Override: DENY

Manage Access Rules Independently. Reduces the number of authorizations
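
An added example, not taken from the slides or from NextLabs' product: a minimal policy decision point in Python that evaluates the Target / Condition / Effect structure from the Policy Structure slide and combines per-policy results with the deny-override rule shown above. The Project X rule is the one on the Policy Model slide; the other two rules, the attribute key names, the user "alice" and the sample requests are constructed for illustration, and `192.168.*` is read as 192.168.0.0/16.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

ALLOW, DENY, NOT_APPLICABLE = "ALLOW", "DENY", "NOT_APPLICABLE"


@dataclass
class Policy:
    name: str
    target: Callable[[dict], bool]     # Target: does the policy apply to this request?
    condition: Callable[[dict], bool]  # Condition: evaluated only when the target matches
    obligations: list = field(default_factory=list)

    def evaluate(self, req: dict) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        # "Allow only ..." semantics: a failed condition is an explicit DENY.
        return ALLOW if self.condition(req) else DENY


def in_us_office(env: dict) -> bool:
    """'Network Address = 192.168.*', read here as membership of 192.168.0.0/16."""
    try:
        addr = ipaddress.ip_address(env.get("network_address", ""))
    except ValueError:
        return False  # a missing or malformed attribute fails closed
    return addr in ipaddress.ip_network("192.168.0.0/16")


POLICIES = [
    Policy(  # rule from the Policy Model slide
        name="Project X specifications",
        target=lambda r: r["resource"].get("Project") == "Project X"
        and r["resource"].get("Type") == "Specification",
        condition=lambda r: r["subject"].get("Location") == "US"
        and r["subject"].get("Department") == "Engineering"
        and in_us_office(r["environment"]),
        obligations=["Log Access"],
    ),
    Policy(  # constructed rule: ITAR-marked data only for US-located users
        name="Export compliance",
        target=lambda r: r["resource"].get("Exp Security") == "ITAR",
        condition=lambda r: r["subject"].get("Location") == "US",
        obligations=['Show Message "ITAR TECHNICAL DATA"'],
    ),
    Policy(  # constructed rule: user and resource must share the same ACC value
        name="IP control",
        target=lambda r: r["resource"].get("IP") == "Proprietary",
        condition=lambda r: r["subject"].get("ACC") is not None
        and r["subject"].get("ACC") == r["resource"].get("ACC"),
    ),
]


def decide(req: dict, policies=POLICIES) -> dict:
    """Deny-override combining: one applicable DENY beats any number of ALLOWs."""
    results = {p.name: p.evaluate(req) for p in policies}
    if DENY in results.values():
        decision = DENY
    elif ALLOW in results.values():
        decision = ALLOW
    else:
        decision = NOT_APPLICABLE  # the enforcement point should treat this as deny
    # Return only the obligations of policies that agree with the final decision.
    obligations = [o for p in policies
                   if decision != NOT_APPLICABLE and results[p.name] == decision
                   for o in p.obligations]
    return {"decision": decision, "obligations": obligations, "per_policy": results}


def make_request(subject: dict, resource: dict, address: str) -> dict:
    # "action" is carried for completeness; the sample rules do not test it.
    return {"subject": subject, "action": "Access", "resource": resource,
            "environment": {"network_address": address}}


# Constructed sample attributes, loosely following the Policy Evaluation slide.
SPEC = {"Project": "Project X", "Type": "Specification",
        "Exp Security": "ITAR", "IP": "Proprietary", "ACC": "Project 01"}
US_ENGINEER = {"userid": "alice", "Location": "US",
               "Department": "Engineering", "ACC": "Project 01"}
CARTER = {"userid": "carter", "Location": "US",
          "Department": "Sales", "ACC": "Project 01"}

if __name__ == "__main__":
    for who, addr in [(US_ENGINEER, "192.168.10.7"), (US_ENGINEER, "10.0.0.5"),
                      (CARTER, "192.168.10.7")]:
        out = decide(make_request(who, SPEC, addr))
        print(who["userid"], addr, out["decision"], out["per_policy"])
```

Each rule stays independent of the others; adding a fourth access driver means adding one policy to the list rather than multiplying roles.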


Entitlement Manager for SAP

[Figure labels: Global Consolidation, Secure Collaboration, Regulatory Compliance, Data & IP Security]

SAP Entitlement Manager
• DC – Data Classification
• DS – Data Segregation
• AC – Access Control
• RP – Rights Protection
• AL – Audit


End-to-End Information Controls

[Figure labels: Secure Data @ the Source, Secure data use, Secure external collaboration, Entitlement Management, Rights Management, Communication Control, Tech Data.dwg, Project X, Control Center Information Control Platform, Information Control Policy, Identity, Controls, Data, XACML]

• Allow Only Members of Project X to access Project X Data
• Deny Copy/Paste of Project X Data
• Encrypt Project X Data on USB
• Deny Sharing Project X data outside Project X Team


NextLabs Information Risk Management Suite

Control Center Policy Platform

Information Control Automation

Information Control Enforcement
• Data Classification
• Data Segregation
• Access Control
• Data Encryption
• Communication Control
• Activity Monitoring

Information Control Policy Model: Identity, Data, Events

XACML

[Figure labels: Application Enforcement, Document Enforcement, Enforcement Developer; SAP ERP, File Server (CIFS/NFS), SAP CRM, Microsoft SharePoint, Microsoft Windows DAC, Dassault Enovia PLM, Siemens Teamcenter PLM, Rights Management Server, Rights Management Client, IBM FileNet P8, SAP DMS; SOAP/REST, Java, C#, C++]


SAP Endorsed Business Solutions (EBS)

An SAP Ecosystem “By Invitation Only” Program

Endorsed Business Solutions

• Application level integration with 3 month solution qualification to ensure end-to-end business process

• Complementary solutions selected by SAP Product and Industry groups

• Endorsed by SAP and sold by partners

• Product roadmap guided by SAP based on Cooperative Development Agreement

The use of NextLabs with SAP ERP enables customers to comply with export regulations such as ITAR and offers them greater flexibility in designing and enforcing IP security policies.

- Magnus Bjorendahl, Global Head of A&D IBU, SAP


World Class Customers

Industries shown: Financial Services, High Technology, Industrial Manufacturing, Chemical, Aerospace & Defense


About NextLabs

NextLabs Entitlement Manager is an SAP-Endorsed Business Solution.
Policy-driven, information risk management software for Global 5000 enterprises.
Help companies achieve safer and more secure internal and external collaboration.
Ensure proper access to applications and data.

Facts

Locations
• HQ: San Mateo, CA
• Boston, MA
• Hangzhou, PRC
• Malaysia
• Singapore

40+ Patent Portfolio

Major go-to-market Partners: SAP, Microsoft, IBM, Deloitte, HCL-AXON

“We allow companies to preserve confidentiality, prevent data loss and ensure compliance across more channels and more points with a single unified solution with unmatched user acceptance and total cost of ownership.”

- Keng Lim, Chairman and CEO

NextLabs Overview


Thank you

Tim Quan
Director, SAP Industries & Solutions
NextLabs
2 Waters Park Drive, Suite 250
San Mateo, CA 94403
T +1 650-577-9101
E [email protected]