© 2014 Axiomatics AB 1
The #1 New Year's Resolution: Lock down your data
Next Generation Data Centric Security is ABAC-powered
Webinar January 15, 2014
Guidelines
You are muted centrally
The webinar is recorded
Slides available for download
Q&A at the end
Agenda
Data Centric Security
Business Drivers
Technology Solutions
Attribute Based Access Control (ABAC) powering Data-Centric Security
DEMO
The new normal
Global connectivity
Collaboration
Mobility
Data sharing
Cloud
Big data
How do we protect confidentiality in this new landscape?
"The Death of Least Privilege"
"By 2020, over 80% of enterprises will allow unrestricted access to noncritical assets, up from <5% today, reducing spending on IAM by 25%."
Gregg Kreizman, Gartner
How about critical assets?
“By 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today.”
Gregg Kreizman, Gartner
“Roles Make Way for Other Attributes”
$3.5m: average cost to a company due to data breaches (2014 Ponemon Institute: 2014 Cost of Data Breach Study)
$300,000: average cost for a single successful cyber attack (IBM X-Force 2012 mid-year trend and risk report)
94m: estimated number of citizen records lost by government agencies between 2009 and 2012 (2012 Rapid7 report on Data Breaches in the Government Sector)
$194: the average cost per lost or breached record (Ponemon Institute's 2011 Cost of Data Breach Study)
94m x $194 = $18,000,000,000
DBMS security focus in the past
Default accounts
Users and roles
Exposed passwords
Patching
Privileges and permissions
Parameter settings
Password management
Profiles
Auditing
Listener security
Data Centric Security
Tokenization: 3678-4263-2321-0002 becomes 3678-6342-2527-0002
Element encryption: 3678-4263-2321-0002 becomes &s#f=z¤VA(cCi][%TXy
Data Masking: 123-56-7890 becomes ***-**-7890
Focus on sensitive content: Credit Card Numbers, Social Security Numbers
NextGen Data Centric Security: ABAC
User attributes determine WHO the user is
Attributes for context, database objects and actions determine WHAT, WHERE, WHEN, and HOW access is requested
Access control policies PERMIT or DENY
WYSIWAG: What you see is what you are authorized to get
ADAF MD 1+1>2
Combining two existing, robust and proven technology approaches:
Data Centric Security: the same core engine as in the market leading Data Masking solution is used as a SQL Proxy.
Attribute Based Access Control (ABAC): Axiomatics core technology with Reverse Query enhancement.
Result: Next generation database security integrates data access control with corporate Identity & Access Management.
Data Centric Security – ABAC based authorization
[Diagram: the Application's SQL is intercepted by the SQL Proxy; the Authorization Service, fed by Policies and Attribute Sources, decides; only filtered data comes back from Data storage.]
1. SQL statement is intercepted
2. A query is sent to the external authorization service
3. The authorization engine evaluates the relevant policies
4. It may also need to query external attribute sources for more info
5. The result: the SQL statement is dynamically modified and only authorized data is returned to the user
Example: user Bob wants to SELECT A,B from table T. The statement forwarded to the data store becomes SELECT A,B FROM TABLE T WHERE… and the application receives filtered data.
Attributes for use in data access policies
Clients
SSN          FName     LName    Amount    CreditCard                      Country
528-11-2543  Greg      Miller   $17 300   Visa 4532 9965 5798 3440        USA
441-40-3329  Melissa   Sanders  $18 500   Mastercard 5526 2777 6929 2069  UK
665-03-3478  Betty     Roark    $16 300   Visa 4929 7639 2645 8194        Germany
043-04-5684  Gail      Dandrea  $14 500   Mastercard 5196 7330 7610 9809  Italy
025-12-6134  Dorothy   Scott    $19 200   Mastercard 5542 6593 8399 5146  UK
413-23-1218  Kristine  Gamble   $17 300   Visa 4485 4810 9116 1750        Germany
Table: ("Table=Clients")
Column: ("Column=CreditCard")
Column/row value examples: ("Country=UK") or ("Amount<17000")
Action: SELECT, UPDATE, INSERT, DELETE
Axiomatics Data Access Filter
Manager can see Clients but not SSN and CreditCard
User ID: Greg Miller, Role: Manager
SQL statement: SELECT Fname, Lname, Amount FROM Clients
Result: as requested. Note: no protected columns were requested.
Axiomatics Data Access Filter
Manager can see Clients but not SSN and CreditCard
User ID: Greg Miller, Role: Manager
SQL statement: SELECT Fname, Lname, Amount, CreditCard FROM Clients
Result: empty data set because Greg is not allowed to see CreditCard as requested.
Axiomatics Data Access Filter
Manager sees CreditCards for clients in managed country
User ID: Greg Miller, Role: Manager, Managed country: UK
SQL JOIN statement:
SELECT A.Fname, A.Lname, A.Amount, B.CreditCard, A.Country
FROM Clients AS A
LEFT JOIN (SELECT ID, CreditCard FROM Clients) AS B
ON A.ID = B.ID;
Result: CreditCards omitted as mandated by policy (the CreditCard cell reads EMPTY for the four clients outside the managed country)
Axiomatics Data Access Filter
Manager sees all Client data but only for managed country
User ID: Greg Miller, Role: Manager, Managed country: UK
SQL statement: SELECT * FROM Clients
Result: subset of records retrieved
Axiomatics Data Access Filter
The use case
Acme Insurance Company is building a new application
The application is aimed at
Customers via a rich mobile-friendly web portal
Brokers who sell insurance policies and manage contracts on behalf of their customers
Claims processors who look at claims and approve them
In this demo, we will use MS Excel as the front-end for brokers
The database being protected is Oracle 11g XE
DEMO
Protected information
Insurance policies
amount, SSN, region, customer financial information
Insurance claims
amount, approved, description, location, individuals involved…
DEMO
Authorization scenario
DEMO
Brokers can view the insurance policies of a customer if the broker is assigned to the customer
Role == broker
Action == view
Resource == insurance policy
This is the relationship: userId == customer.assignedBroker
A user with the role == broker can do the action == view on resources of type == insurance policy if the user id == the customer's assigned broker id.
What will happen in the demo?
Change the user's role: access is impacted
Add data to the database: access is impacted
Add or remove a broker-customer relationship: access is impacted
DEMO
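As an added example (not Axiomatics code, nor the webinar's actual policies), the intercept-and-rewrite flow, the Clients filter walkthrough and the broker scenario above can be sketched as a toy reverse query: ABAC rules with the caller's attributes bound yield a residual row condition that becomes the SQL WHERE clause, and a requested column with no permitting rule yields an empty data set. The rule set, the user attribute names (role, managedCountry, userId) and a Policies table carrying an assignedBroker column are constructed assumptions.

```python
# Added example, not Axiomatics code: a toy "reverse query" that binds the caller's
# attributes into ABAC rules and emits the residual row condition as a SQL WHERE clause.
from dataclasses import dataclass, field

@dataclass
class Rule:
    role: str                 # user attribute the rule applies to
    table: str
    columns: set              # {"*"} means every column of the table
    row_cond: dict = field(default_factory=dict)  # {row column: user attribute name}

# Constructed policy set (an assumption, not the webinar's policies): managers see
# public columns everywhere but SSN/CreditCard only in their managed country;
# brokers see only the insurance policies assigned to them.
RULES = [
    Rule("manager", "Clients", {"FName", "LName", "Amount", "Country"}),
    Rule("manager", "Clients", {"SSN", "CreditCard"}, {"Country": "managedCountry"}),
    Rule("broker", "Policies", {"*"}, {"assignedBroker": "userId"}),
]

def sql_literal(value):
    """Quote a bound attribute value; attribute text is never spliced in raw."""
    return "'" + str(value).replace("'", "''") + "'"

def residual(rule, user):
    """The rule's row condition with user attributes bound; None = any row."""
    if not rule.row_cond:
        return None
    parts = [f"{col} = {sql_literal(user[attr])}" for col, attr in rule.row_cond.items()]
    return "(" + " AND ".join(parts) + ")"

def authorize(user, table, columns, all_columns):
    """Rewrite SELECT; None means a requested column is denied (empty data set)."""
    requested = list(all_columns) if columns == ["*"] else list(columns)
    where = set()
    for col in requested:
        hits = [r for r in RULES if r.role == user["role"] and r.table == table
                and ("*" in r.columns or col in r.columns)]
        if not hits:
            return None                       # column-level deny
        conds = [residual(r, user) for r in hits]
        if None in conds:
            continue                          # some rule permits every row
        where.add(conds[0] if len(conds) == 1 else "(" + " OR ".join(conds) + ")")
    sql = f"SELECT {', '.join(requested)} FROM {table}"
    return sql + (" WHERE " + " AND ".join(sorted(where)) if where else "")

CLIENT_COLS = ["SSN", "FName", "LName", "Amount", "CreditCard", "Country"]
```

Changing the role attribute to one with no rules, or changing managedCountry, changes the returned statement without touching the database, which is the point of the demo steps above.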
Key Capabilities
Context-aware
Filter data based on any available criteria (e.g. location, date/time, device type…)
Multi-database capability
Microsoft SQL Server; Oracle Database
Other databases in the future
Enterprise-ready
Fault-tolerant
High performance
Datacenter ready
Powerful XACML 3.0 Policy support
User attributes from any data store
Axiomatics Data Access Filter
Protect database contents to achieve business goals
Promote the right level of data sharing and collaboration – especially when personally identifiable information (PII) and confidential data are at stake
Enable collaboration across business units and with external partners
Reduce risk of data leakage
Ensure effective compliance and governance
Easily demonstrate that effective controls are in place
Data filtering promotes data sharing, reduces risk
Upcoming webinar
Using the OWASP Top Ten to Upgrade your Authorization Services
February 10 at 2pm Eastern, 11am Pacific
Register here: bit.ly/14WtOVo