Securing Data is a Four letter Word
Transcript of Securing Data is a Four letter Word
© 2014 Axiomatics AB 1
Securing data is a four letter word
Next Generation Data Centric Security is ABAC-powered
Webinar, December 11, 2014
Today’s speakers
Finn Frisch, David Brossard
Agenda
Data Centric Security
Business Drivers
Technology Solutions
Attribute Based Access Control (ABAC) powering Data Centric Security
DEMO
The new normal
B2B and B-2-cloud-B: Organization X collaborating with Organization Y
Global connectivity
Collaboration
Mobility
Data sharing
Cloud
Big data
How to protect confidentiality in this new landscape?
"The Death of Least Privilege"
“By 2020, over 80% of enterprises will allow unrestricted access to noncritical assets, up from <5% today, reducing spending on IAM by 25%.“
Gregg Kreizman, Gartner
How about critical assets?
“By 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today.”
Gregg Kreizman, Gartner
“Roles Make Way for Other Attributes”
$3.5m: average cost to a company due to data breaches (2014 Ponemon Institute: 2014 Cost of Data Breach Study)
$300,000: average cost for a single successful cyber attack (IBM X-Force 2012 mid-year trend and risk report)
94m: estimated number of citizen records lost by government agencies between 2009 and 2012 (2012 Rapid7 report on Data Breaches in the Government Sector)
$194: the average cost per lost or breached record (Ponemon Institute's 2011 Cost of Data Breach Study)
94m x $194 = $18,000,000,000
DBMS security focus in the past
Default accounts
Users and roles
Exposed passwords
Patching
Privileges and permissions
Parameter settings
Password management
Profiles
Auditing
Listener security
Data Centric Security
Tokenization: 3678-4263-2321-0002 becomes 3678-6342-2527-0002
Element encryption: 3678-4263-2321-0002 becomes &s#f=z¤VA(cCi][%TXy
Data masking: John Adams, March 13 1972 becomes Pete Smith, February 11 1972
Focus on sensitive content: Credit Card Numbers, Social Security Numbers
NextGen Data Centric Security: ABAC
User attributes determine WHO the user is
Attributes for context, database objects and actions determine WHAT, WHERE, WHEN, and HOW access is requested
Access control policies PERMIT or DENY
WYSIWAG: What you see is what you are authorized to get
ADAF MD: 1+1>2
Combining two existing, robust and proven technology approaches:
Data Centric Security: the same core engine as in the market-leading Data Masking solution is used as a SQL Proxy.
Attribute Based Access Control (ABAC): Axiomatics core technology with Reverse Query enhancement.
Result: next generation database security integrates data access control with corporate Identity & Access Management.
Data Centric Security – ABAC based authorization
Components: Application, SQL Proxy, Authorization Service (backed by Policies and Attribute Sources), Data storage
Example: user Bob wants to SELECT A,B from table T; the statement that reaches the data storage becomes SELECT A,B FROM TABLE T WHERE… and only filtered data is returned.
1. SQL statement is intercepted
2. A query is sent to the external authorization service
3. The authorization engine evaluates the relevant policies
4. It may also need to query external attribute sources for more info
5. The result: the SQL statement is dynamically modified and only authorized data is returned to the user
The same flow in product terms:
1. SQL Proxy intercepts the SQL query
2. SQL Proxy queries the SQL Filter service
3. SQL Filter evaluates the request against policies and may need to query further attribute sources
4. SQL Proxy rewrites the SQL based on the SQL Filter conditions
5. RESULT: filtered data is returned to the application
Axiomatics Data Access Filter MD
Databases: Oracle, MS SQL Server
Applications
Attribute Sources: attributes for use in data access policies
Clients
SSN          FName     LName    Amount    CreditCard                       Country
528-11-2543  Greg      Miller   $17 300   Visa 4532 9965 5798 3440         USA
441-40-3329  Melissa   Sanders  $18 500   Mastercard 5526 2777 6929 2069   UK
665-03-3478  Betty     Roark    $16 300   Visa 4929 7639 2645 8194         Germany
043-04-5684  Gail      Dandrea  $14 500   Mastercard 5196 7330 7610 9809   Italy
025-12-6134  Dorothy   Scott    $19 200   Mastercard 5542 6593 8399 5146   UK
413-23-1218  Kristine  Gamble   $17 300   Visa 4485 4810 9116 1750         Germany
Attribute examples used in policies:
Table: "Table=Clients"
Column: "Column=CreditCard"
Column/row value examples: "Country=UK" or "Amount<17000"
Action: SELECT, UPDATE, INSERT, DELETE
Axiomatics Data Access Filter
Manager can see Clients but not SSN and CreditCard
User ID: Greg Miller; Role: Manager
SQL statement: SELECT Fname, Lname, Amount FROM Clients
Result: as requested
Axiomatics Data Access Filter
Manager can see Clients but not SSN and CreditCard
User ID: Greg Miller; Role: Manager
SQL statement: SELECT Fname, Lname, Amount, SSN FROM Clients
Result: no records retrieved
Axiomatics Data Access Filter
Manager sees Clients but only own SSN and CreditCard
User ID: Greg Miller; Role: Manager
SQL statement: SELECT Fname, Lname, Amount, SSN, CreditCard FROM Clients
Result: only the user's "own" record is retrieved
Axiomatics Data Access Filter
Manager can see Clients but only for managed country
User ID: Greg Miller; Role: Manager; Managed country: UK
SQL statement: SELECT * FROM Clients
Result: subset of records retrieved
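The intercept, evaluate, rewrite and filter flow described under "Data Centric Security – ABAC based authorization", and the three Manager scenarios just shown (SSN and CreditCard hidden, sensitive columns only on the user's own record, rows limited to the managed country), can be replayed end to end in a small script. What follows is an added example and not Axiomatics' code: it assumes an in-memory SQLite copy of the Clients table, three hypothetical policy functions standing in for the authorization service, user attributes named name and managed_country, and a parser that accepts only plain SELECT ... FROM Clients [WHERE ...] statements. A request for a column the policy denies is treated as a whole-statement deny, matching the "No records retrieved" slide.

```python
"""Added example: a toy ABAC-driven SQL filter proxy (not Axiomatics' code).

It replays the slides' flow: intercept a SELECT, ask a policy for column denials
and a row predicate, rewrite the statement, and return only authorized rows.
"""
import re
import sqlite3

COLUMNS = ["SSN", "FName", "LName", "Amount", "CreditCard", "Country"]
SENSITIVE = {"SSN", "CreditCard"}

# Constructed rows, copied from the slides' illustrative Clients table.
CLIENTS = [
    ("528-11-2543", "Greg", "Miller", 17300, "Visa 4532 9965 5798 3440", "USA"),
    ("441-40-3329", "Melissa", "Sanders", 18500, "Mastercard 5526 2777 6929 2069", "UK"),
    ("665-03-3478", "Betty", "Roark", 16300, "Visa 4929 7639 2645 8194", "Germany"),
    ("043-04-5684", "Gail", "Dandrea", 14500, "Mastercard 5196 7330 7610 9809", "Italy"),
    ("025-12-6134", "Dorothy", "Scott", 19200, "Mastercard 5542 6593 8399 5146", "UK"),
    ("413-23-1218", "Kristine", "Gamble", 17300, "Visa 4485 4810 9116 1750", "Germany"),
]


def make_db():
    """In-memory SQLite stand-in for the protected database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Clients (SSN TEXT, FName TEXT, LName TEXT, "
        "Amount INTEGER, CreditCard TEXT, Country TEXT)"
    )
    conn.executemany("INSERT INTO Clients VALUES (?, ?, ?, ?, ?, ?)", CLIENTS)
    return conn


# Hypothetical policies, one per slide scenario. Each takes the user's attributes
# and the requested column set and returns (denied_columns, row_predicate, params):
# the "conditions" the SQL Filter hands back to the proxy instead of a bare yes/no.
def hide_sensitive(user, columns):
    """Manager can see Clients but not SSN and CreditCard."""
    return SENSITIVE, "", ()


def own_sensitive_only(user, columns):
    """Manager sees Clients, but SSN and CreditCard only on the user's own record."""
    if columns & SENSITIVE:
        return set(), "FName || ' ' || LName = ?", (user["name"],)
    return set(), "", ()


def managed_country(user, columns):
    """Manager can see Clients but only for the managed country."""
    return set(), "Country = ?", (user["managed_country"],)


SELECT_RE = re.compile(
    r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+?))?\s*;?\s*$", re.I
)


def rewrite(sql, user, policy):
    """Step 4 of the slides: rewrite the SELECT using the policy's conditions.

    Returns (rewritten_sql, params), or (None, ()) when the statement asks for a
    column the policy denies outright (the slide shows 'No records retrieved').
    Only 'SELECT cols FROM Clients [WHERE ...]' is parsed; anything else is an error.
    """
    m = SELECT_RE.match(sql)
    if not m or m.group(2).lower() != "clients":
        raise ValueError("this example only handles SELECT ... FROM Clients")
    cols_raw, _, where = m.groups()
    canon = {c.lower(): c for c in COLUMNS}
    if cols_raw.strip() == "*":
        requested = list(COLUMNS)
    else:
        try:
            requested = [canon[c.strip().lower()] for c in cols_raw.split(",")]
        except KeyError as exc:
            raise ValueError(f"unknown column {exc}") from None
    denied, predicate, params = policy(user, set(requested))
    if set(requested) & denied:
        return None, ()
    # Keep the application's own WHERE and AND the policy predicate onto it.
    clauses = [c for c in (where, predicate) if c]
    out = f"SELECT {', '.join(requested)} FROM Clients"
    if clauses:
        out += " WHERE " + " AND ".join(f"({c})" for c in clauses)
    return out, params


def query_through_proxy(conn, sql, user, policy):
    """Steps 1-5 end to end: intercept, evaluate, rewrite, execute, return filtered rows."""
    rewritten, params = rewrite(sql, user, policy)
    if rewritten is None:
        return []
    return conn.execute(rewritten, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    greg = {"name": "Greg Miller", "role": "Manager", "managed_country": "UK"}
    for policy, sql in [
        (hide_sensitive, "SELECT Fname, Lname, Amount FROM Clients"),
        (hide_sensitive, "SELECT Fname, Lname, Amount, SSN FROM Clients"),
        (own_sensitive_only, "SELECT Fname, Lname, Amount, SSN, CreditCard FROM Clients"),
        (managed_country, "SELECT * FROM Clients"),
    ]:
        print(policy.__name__, "->", len(query_through_proxy(db, sql, greg, policy)), "rows")
```

The design point worth noticing is that the policy never sees the data: it returns a parameterised predicate, and the proxy ANDs that predicate onto whatever WHERE clause the application already sent, so the application needs no change and cannot widen the result set by adding its own conditions.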
Axiomatics Data Access Filter
DEMO
The use case
Acme Insurance Company is building a new application
The application is aimed at
Customers via a rich mobile-friendly web portal
Brokers who sell insurance policies and manage contracts on behalf of their customers
Claims processors who look at claims and approve them
In this demo, we will use MS Excel as the front-end for brokers
The database being protected is Oracle 11g XE
DEMO
Actors in the demo
Brokers
View insurance policies
Claims processors
View insurance claims
DEMO
Sensitive information
Insurance policies
amount, SSN, region, customer financial information
Insurance claims
amount, approved, description, location, individuals involved…
DEMO
Demo architecture
DEMO
Authorization scenario
DEMO
Brokers can view the insurance policies of a customer if the broker is assigned to the customer
Role == broker
Action == view
Resource == insurance policy
userId == customer.assignedBroker (this is the relationship)
A user with the role == broker can do the action == view on resources of type == insurance policy if the user id == the customer's assigned broker id.
What will happen in the demo?
Change the user's role: access is impacted
Add data to the database: access is impacted
Add or remove a broker-customer relationship: access is impacted
Log out and log in as a separate user: access is impacted
DEMO
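The broker rule above is a relationship condition: the first three parts (role, action, resource type) can be decided from the request alone, but userId == customer.assignedBroker can only be decided against the data, which is why it is best returned as a filter condition rather than a yes/no. The following added example (not the webinar's demo code) shows that rule as a row filter and then replays the four changes the slide lists. The Acme Insurance tables, customer and broker names, and column names are constructed assumptions; the database is an in-memory SQLite stand-in for the Oracle instance used in the demo.

```python
"""Added example (not the webinar's demo code): the broker/customer rule as a
relationship-aware row filter, replayed through the four changes the slide lists."""
import sqlite3

# Constructed Acme Insurance sample data; names, ids and columns are assumptions.
CUSTOMERS = [  # (id, name, assigned_broker)
    (1, "Ada Lovelace", "bob"),
    (2, "Alan Turing", "bob"),
    (3, "Grace Hopper", "carol"),
]
INSURANCE_POLICIES = [  # (id, customer_id, amount, ssn, region)
    (10, 1, 120000, "111-22-3333", "north"),
    (11, 2, 95000, "222-33-4444", "south"),
    (12, 3, 150000, "333-44-5555", "north"),
]


def make_db():
    """In-memory SQLite stand-in for the protected database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, assigned_broker TEXT)")
    conn.execute(
        "CREATE TABLE insurance_policies (id INTEGER PRIMARY KEY, customer_id INTEGER, "
        "amount INTEGER, ssn TEXT, region TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO insurance_policies VALUES (?, ?, ?, ?, ?)", INSURANCE_POLICIES)
    return conn


def policy_predicate(subject, action, resource_type):
    """The slide's rule: role == broker AND action == view AND resource == insurance policy
    AND userId == customer.assignedBroker.

    The first three parts are decided from the request alone. The relationship part
    depends on data, so instead of a yes/no it is returned as a SQL condition on the
    customer row (the reverse-query idea), or None when no rule permits the request.
    """
    if subject.get("role") == "broker" and action == "view" and resource_type == "insurance_policy":
        return ("customer_id IN (SELECT id FROM customers WHERE assigned_broker = ?)",
                (subject["userId"],))
    return None


def view_policies(conn, subject):
    """Policy ids the subject is allowed to view; deny by default when no rule applies."""
    pred = policy_predicate(subject, "view", "insurance_policy")
    if pred is None:
        return []
    where, params = pred
    rows = conn.execute(f"SELECT id FROM insurance_policies WHERE {where} ORDER BY id", params)
    return [r[0] for r in rows]


def demo_steps():
    """Replay the slide's four changes; each entry is what the user sees afterwards."""
    conn = make_db()
    bob = {"userId": "bob", "role": "broker"}
    seen = {"bob_initial": view_policies(conn, bob)}
    # 1. Change the user's role: the permit rule no longer matches.
    seen["bob_as_claims_processor"] = view_policies(conn, {**bob, "role": "claims_processor"})
    # 2. Add data: a new policy for one of Bob's customers shows up with no app change.
    conn.execute("INSERT INTO insurance_policies VALUES (13, 1, 50000, '444-55-6666', 'south')")
    seen["bob_after_insert"] = view_policies(conn, bob)
    # 3. Remove a broker-customer relationship: customer 2 is reassigned to Carol.
    conn.execute("UPDATE customers SET assigned_broker = 'carol' WHERE id = 2")
    seen["bob_after_reassign"] = view_policies(conn, bob)
    # 4. Log in as a different user: the same rule yields Carol's view.
    seen["carol"] = view_policies(conn, {"userId": "carol", "role": "broker"})
    return seen


if __name__ == "__main__":
    for step, ids in demo_steps().items():
        print(f"{step}: {ids}")
```

Because the relationship lives in the data rather than in the policy, none of the four changes requires touching the rule: the same predicate is re-evaluated against the current customers table on every request.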
Is there a backdoor?
DEMO
Is that all?
No, of course not!
You can use the full strength of ABAC to protect your data
Relationships
Device information
Time of day
Authentication type
And more…
DEMO
Key Capabilities
Context-aware: filter data based on any available criteria (e.g. location, date/time, device type…)
Multi-database capability: Microsoft SQL Server; Oracle; may support others in the future
Enterprise-ready: fault-tolerant, high performance, datacenter ready
Powerful XACML 3.0 policy support
User attributes from any data store
Axiomatics Data Access Filter
Benefits of ABAC data filtering
Standards-based ABAC = simplicity and security
Single point of access control management for the database layer
Enforces authorization in a non-intrusive way; application changes are not required
Minimizes risk exposure for data in transit
Consistently enforces authorization across multiple channels/applications
Ensures policies and control rules are in place for users accessing and extracting source data