SlideShare ist ein Scribd-Unternehmen logo

Fine-Grained AuthZ for Cloud

Als PPTX, PDF herunterladen
David Brossard
David Brossard

This document discusses three strategies for implementing fine-grained authorization for cloud-based services using eXtensible Access Control Markup Language (XACML). The first strategy is to encourage software-as-a-service (SaaS) providers to directly support XACML by exposing security APIs. The second is to proxy all cloud connections through an on-premise gateway that enforces authorization policies. The third strategy converts XACML policies into the native format supported by each SaaS provider and pushes them via management APIs.

TechnologieBusiness
1 von 27
Fine-Grained Authorization for Cloud-based Services David Brossard Axiomatics @davidjbrossard - @axiomatics © 2012, Axiomatics AB 1
3 strategies to extend authorization to the Cloud We’re in London, we definitely need this strategy What it means for customers SaaS providers What you will learn © 2012, Axiomatics AB 2
Access control or authorization (AuthZ) Who can do what? “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.” What’s authorization? © 2012, Axiomatics AB 3
Heard enough about SSO, federation and SAML? Authentication: Hi, I prove who I say I am One-off process Focus: user’s identity and the proof of identity Standards: OpenID, OAUTH, SAML… Authorization: Hi, can I transfer this amount? From code-driven to policy-driven Standard: XACML Authorization comes after Authentication © 2012, Axiomatics AB 4
The issue with Authorization today The black box challenge © 2012, Axiomatics AB 5
System growth leads to AuthZ challenges App App App Cost Brittleness Static Risk Lack of visibility Lack of audit Violation of SoD SaaS SaaS SaaS © 2012, Axiomatics AB 6
What happens to my data? Who can access which information? How do I comply with (what the auditor will ask for) Regulations? E.g. Export Control Contractual obligations? Going to the cloud doesn’t make it easier Do I need a different approach for cloud? The Authorization Challenge © 2012, Axiomatics AB 7
Export Control Know the user (citizenship, location, affiliation) Know the end use (end location, purpose of use) Example: Manufacturing in the cloud © 2012, Axiomatics AB 8
Fine-grained authorization to the rescue Attribute-based access control XACML © 2012, Axiomatics AB 9
Authorization is nearly always about Who? Identity + role (+ group) © 2012, Axiomatics AB 10 Credits: all icons from the Noun Project | Invisible: Andrew Cameron
Authorization should really be about… When?What? How?Where?Who? Why? © 2012, Axiomatics AB 11 Credits: all icons from the Noun Project | Invisible: Andrew Cameron, | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins
eXtensible Access Control Markup Language OASIS standard XACML is expressed as A specification document (a PDF) and An XML schema Policy-based & attribute-based language Implement authorization based on object relations Only employees of a given plant can see technical data linked to items assigned to the plant © 2012, Axiomatics AB 12 Behold XACML, the standard for ABAC
© 2012, Axiomatics AB Refresher: the XACML architecture Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point 13
© 2012, Axiomatics AB 14 XACML  Transparent & Externalized AuthZ Centrally managed policy: ”PERMIT user with clearance X to read document classified as ….” “DENY access to classified document if…” User Application Information asset I want… PERMIT or DENY? PERMIT or DENY?
XACML  Anywhere AuthZ & Architecture Datacenter App A Service A Service D Service E Service M Service O SaaS SaaS © 2012, Axiomatics AB 15 Private Cloud
Fine-grained Authorization for the Cloud Three strategies for externalized authorization in the cloud © 2012, Axiomatics AB 16
A SaaS provider should offer Functional APIs (their core business) Non-functional (Security) APIs Let customers push their own XACML policies Apply the administrative delegation profile http://docs.oasis-open.org/xacml/3.0/xacml-3.0- administration-v1-spec-en.html Option #1 – tell your provider to adopt XACML © 2012, Axiomatics AB 17
SaaS provider Option #1 – Architecture Central IT: Company A SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users. Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes Customer A users use the SaaS application 18© 2012, Axiomatics AB App#1 App#2 App#3 FunctionalAPI XACML Mgmt API 1. 2. 3.
Pros Consistent access control Fine-grained Risk-aware Future-proof SaaS vendor benefit multi-tenancy Cons Not many SaaS vendors support XACML today Option #1 – Pros & Cons © 2012, Axiomatics AB 19
If you can restrict access to SaaS applications from within the corporate network… All access to SaaS apps could be made to tunnel through a proxy Option #2 – Proxy your cloud connections © 2012, Axiomatics AB 20
Option #2 – Architecture SaaS App #1 SaaS App #2 SaaS App #3 VPN © 2012, Axiomatics AB 21
Pros Workaround current SaaS limitations Easy to deploy Available today Cons No direct access to SaaS app Forces users to go via VPN Access may not be as fine grained as Option #1 Lack of visibility into the SaaS data Option #2 – Pros & Cons © 2012, Axiomatics AB 22
What if the provider is reluctant to adopt XACML? “If the application won’t go to XACML then XACML will go to the application” Eve Maler, Forrester You still get Centrally managed authorization Standards-based (XACML) Approach Convert from XACML to expected SaaS format Push via SaaS management APIs Option #3 – Policy Provisioning based on XACML © 2012, Axiomatics AB 23
SaaS provider Option #3 – Architecture Central IT: Company A Convert XACML policies to the native format expected by the SaaS provider Customer A users use the SaaS application App#1 App#2 App#3 FunctionalAPI Native API © 2012, Axiomatics AB 24 Authorization constraints / permissions in the format expected by the SaaS provider
Pros Feasible today Viable solution Extends the customer’s XACML-based authorization system’s reach Cons Possible loss of XACML richness in access control Loss of dynamic nature Option #3 – Pros & Cons © 2012, Axiomatics AB 25
Cloud requires eXtensible Authorization Fine-grained Externalized Traditional approaches #1: tell your SaaS provider to adopt XACML. #2: proxy your cloud connections. Extended approach #3: Policy Provisioning based on XACML Also works for business apps (SharePoint, Windows) To summarize © 2012, Axiomatics AB 26
Questions? Contact us at info@axiomatics.com

Empfohlen

OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...David Brossard
 
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignEIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignDavid Brossard
 
To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...David Brossard
 
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?David Brossard
 
Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...David Brossard
 
Authorization - it's not just about who you are
Authorization - it's not just about who you areAuthorization - it's not just about who you are
Authorization - it's not just about who you areDavid Brossard
 
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...David Brossard
 
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...David Brossard
 

Empfohlen

OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...David Brossard
 
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignEIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignDavid Brossard
 
To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...David Brossard
 
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?David Brossard
 
Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...David Brossard
 
Authorization - it's not just about who you are
Authorization - it's not just about who you areAuthorization - it's not just about who you are
Authorization - it's not just about who you areDavid Brossard
 
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...David Brossard
 
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...David Brossard
 
Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases WSO2
 
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program ArchitectSalesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architectgemziebeth
 
Fine-grained authorization with XACML
Fine-grained authorization with XACMLFine-grained authorization with XACML
Fine-grained authorization with XACMLPrabath Siriwardena
 
Identity as a Service
Identity as a ServiceIdentity as a Service
Identity as a ServicePrabath Siriwardena
 
Software as a Service - Concepts and Implementation
Software as a Service - Concepts and ImplementationSoftware as a Service - Concepts and Implementation
Software as a Service - Concepts and Implementationogglog
 
Sam and the Cloud
Sam and the CloudSam and the Cloud
Sam and the CloudJenny Carroll
 
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...Mike Walker
 
SaaS computing
SaaS computingSaaS computing
SaaS computingsumaira maqbool
 
Federation Services
Federation ServicesFederation Services
Federation ServicesEmpowerID
 
CIS14: User-Managed Access
CIS14: User-Managed AccessCIS14: User-Managed Access
CIS14: User-Managed AccessCloudIDSummit
 
F1_Design Mission Critical Enterprise Applications with Power Automate and Do...
F1_Design Mission Critical Enterprise Applications with Power Automate and Do...F1_Design Mission Critical Enterprise Applications with Power Automate and Do...
F1_Design Mission Critical Enterprise Applications with Power Automate and Do...serge luca
 
Cloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperRoger Chien
 
Short Sales Overview of EmpowerID
Short Sales Overview of EmpowerIDShort Sales Overview of EmpowerID
Short Sales Overview of EmpowerIDEmpowerID
 
Software As A Service Presentation
Software As A Service PresentationSoftware As A Service Presentation
Software As A Service Presentational95iii
 
CIS 2015 User Managed Access - George Fletcher
CIS 2015 User Managed Access - George FletcherCIS 2015 User Managed Access - George Fletcher
CIS 2015 User Managed Access - George FletcherCloudIDSummit
 
Sonoa Cloud Services for Elasticity and Mobility
Sonoa Cloud Services for Elasticity and MobilitySonoa Cloud Services for Elasticity and Mobility
Sonoa Cloud Services for Elasticity and MobilityIntel Corporation
 
Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...serge luca
 
Salesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Salesforce Shield: How to Deliver a New Level of Trust and Security in the CloudSalesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Salesforce Shield: How to Deliver a New Level of Trust and Security in the CloudDreamforce
 
User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415IsraelGuillen12
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Eve Maler
 
Fine grained two-factor access control for web-based cloud computing services
Fine grained two-factor access control for web-based cloud computing servicesFine grained two-factor access control for web-based cloud computing services
Fine grained two-factor access control for web-based cloud computing servicesShakas Technologies
 
The benefits of fine-grained synchronization in deterministic and efficient ...
The benefits of fine-grained synchronization in deterministic and efficient ...The benefits of fine-grained synchronization in deterministic and efficient ...
The benefits of fine-grained synchronization in deterministic and efficient ...Vincenzo Gulisano
 

Weitere ähnliche Inhalte

Was ist angesagt?

Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases WSO2
 
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program ArchitectSalesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architectgemziebeth
 
Fine-grained authorization with XACML
Fine-grained authorization with XACMLFine-grained authorization with XACML
Fine-grained authorization with XACMLPrabath Siriwardena
 
Software as a Service - Concepts and Implementation
Software as a Service - Concepts and ImplementationSoftware as a Service - Concepts and Implementation
Software as a Service - Concepts and Implementationogglog
 
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...Mike Walker
 
Federation Services
Federation ServicesFederation Services
Federation ServicesEmpowerID
 
CIS14: User-Managed Access
CIS14: User-Managed AccessCIS14: User-Managed Access
CIS14: User-Managed AccessCloudIDSummit
 
F1_Design Mission Critical Enterprise Applications with Power Automate and Do...
F1_Design Mission Critical Enterprise Applications with Power Automate and Do...F1_Design Mission Critical Enterprise Applications with Power Automate and Do...
F1_Design Mission Critical Enterprise Applications with Power Automate and Do...serge luca
 
Cloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperRoger Chien
 
Short Sales Overview of EmpowerID
Short Sales Overview of EmpowerIDShort Sales Overview of EmpowerID
Short Sales Overview of EmpowerIDEmpowerID
 
Software As A Service Presentation
Software As A Service PresentationSoftware As A Service Presentation
Software As A Service Presentational95iii
 
CIS 2015 User Managed Access - George Fletcher
CIS 2015 User Managed Access - George FletcherCIS 2015 User Managed Access - George Fletcher
CIS 2015 User Managed Access - George FletcherCloudIDSummit
 
Sonoa Cloud Services for Elasticity and Mobility
Sonoa Cloud Services for Elasticity and MobilitySonoa Cloud Services for Elasticity and Mobility
Sonoa Cloud Services for Elasticity and MobilityIntel Corporation
 
Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...serge luca
 
Salesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Salesforce Shield: How to Deliver a New Level of Trust and Security in the CloudSalesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Salesforce Shield: How to Deliver a New Level of Trust and Security in the CloudDreamforce
 
User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415IsraelGuillen12
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Eve Maler
 

Was ist angesagt? (20)

Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases
 
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program ArchitectSalesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
Salesforce Backup, Restore & Archiving- Adam Best, Senior Program Architect
 
Fine-grained authorization with XACML
Fine-grained authorization with XACMLFine-grained authorization with XACML
Fine-grained authorization with XACML
 
Identity as a Service
Identity as a ServiceIdentity as a Service
Identity as a Service
 
Software as a Service - Concepts and Implementation
Software as a Service - Concepts and ImplementationSoftware as a Service - Concepts and Implementation
Software as a Service - Concepts and Implementation
 
Sam and the Cloud
Sam and the CloudSam and the Cloud
Sam and the Cloud
 
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
Microsoft Insurance Solutions Keynote Presentation at the Financial Services ...
 
SaaS computing
SaaS computingSaaS computing
SaaS computing
 
Federation Services
Federation ServicesFederation Services
Federation Services
 
CIS14: User-Managed Access
CIS14: User-Managed AccessCIS14: User-Managed Access
CIS14: User-Managed Access
 
F1_Design Mission Critical Enterprise Applications with Power Automate and Do...
F1_Design Mission Critical Enterprise Applications with Power Automate and Do...F1_Design Mission Critical Enterprise Applications with Power Automate and Do...
F1_Design Mission Critical Enterprise Applications with Power Automate and Do...
 
Cloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & Gatekeeper
 
Short Sales Overview of EmpowerID
Short Sales Overview of EmpowerIDShort Sales Overview of EmpowerID
Short Sales Overview of EmpowerID
 
Software As A Service Presentation
Software As A Service PresentationSoftware As A Service Presentation
Software As A Service Presentation
 
CIS 2015 User Managed Access - George Fletcher
CIS 2015 User Managed Access - George FletcherCIS 2015 User Managed Access - George Fletcher
CIS 2015 User Managed Access - George Fletcher
 
Sonoa Cloud Services for Elasticity and Mobility
Sonoa Cloud Services for Elasticity and MobilitySonoa Cloud Services for Elasticity and Mobility
Sonoa Cloud Services for Elasticity and Mobility
 
Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...
 
Salesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Salesforce Shield: How to Deliver a New Level of Trust and Security in the CloudSalesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
Salesforce Shield: How to Deliver a New Level of Trust and Security in the Cloud
 
User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
 

Andere mochten auch

Fine grained two-factor access control for web-based cloud computing services
Fine grained two-factor access control for web-based cloud computing servicesFine grained two-factor access control for web-based cloud computing services
Fine grained two-factor access control for web-based cloud computing servicesShakas Technologies
 
The benefits of fine-grained synchronization in deterministic and efficient ...
The benefits of fine-grained synchronization in deterministic and efficient ...The benefits of fine-grained synchronization in deterministic and efficient ...
The benefits of fine-grained synchronization in deterministic and efficient ...Vincenzo Gulisano
 
XACML - Fight For Your Love
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your LoveDavid Brossard
 
RBAC & ABAC: гибридное решение для управления правами доступа
RBAC & ABAC: гибридное решение для управления правами доступаRBAC & ABAC: гибридное решение для управления правами доступа
RBAC & ABAC: гибридное решение для управления правами доступаCUSTIS
 
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...David Brossard
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)Nordic APIs
 
Attribute based access control
Attribute based access controlAttribute based access control
Attribute based access controlElimity
 
Attribute Based Access Control
Attribute Based Access ControlAttribute Based Access Control
Attribute Based Access ControlChandra Sharma
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled peopleRMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled peopleClément OUDOT
 
A Model to Enable Application-scoped Access Control as a Service for IoT Usin...
A Model to Enable Application-scoped Access Control as a Service for IoT Usin...A Model to Enable Application-scoped Access Control as a Service for IoT Usin...
A Model to Enable Application-scoped Access Control as a Service for IoT Usin...Federico Fernández Moreno
 
Nordic APIs - Building a Secure API
Nordic APIs - Building a Secure APINordic APIs - Building a Secure API
Nordic APIs - Building a Secure APITwobo Technologies
 
Sensing-as-a-Service - An IoT Service Provider's Perspectives
Sensing-as-a-Service - An IoT Service Provider's PerspectivesSensing-as-a-Service - An IoT Service Provider's Perspectives
Sensing-as-a-Service - An IoT Service Provider's PerspectivesDr. Mazlan Abbas
 
Slideshare Powerpoint presentation
Slideshare Powerpoint presentationSlideshare Powerpoint presentation
Slideshare Powerpoint presentationelliehood
 

Andere mochten auch (17)

Fine grained two-factor access control for web-based cloud computing services
Fine grained two-factor access control for web-based cloud computing servicesFine grained two-factor access control for web-based cloud computing services
Fine grained two-factor access control for web-based cloud computing services
 
The benefits of fine-grained synchronization in deterministic and efficient ...
The benefits of fine-grained synchronization in deterministic and efficient ...The benefits of fine-grained synchronization in deterministic and efficient ...
The benefits of fine-grained synchronization in deterministic and efficient ...
 
EU data protection issues in IoT
EU data protection issues in IoTEU data protection issues in IoT
EU data protection issues in IoT
 
XACML - Fight For Your Love
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your Love
 
RBAC & ABAC: гибридное решение для управления правами доступа
RBAC & ABAC: гибридное решение для управления правами доступаRBAC & ABAC: гибридное решение для управления правами доступа
RBAC & ABAC: гибридное решение для управления правами доступа
 
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
 
Attribute based access control
Attribute based access controlAttribute based access control
Attribute based access control
 
Attribute Based Access Control
Attribute Based Access ControlAttribute Based Access Control
Attribute Based Access Control
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
 
RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled peopleRMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
 
A Model to Enable Application-scoped Access Control as a Service for IoT Usin...
A Model to Enable Application-scoped Access Control as a Service for IoT Usin...A Model to Enable Application-scoped Access Control as a Service for IoT Usin...
A Model to Enable Application-scoped Access Control as a Service for IoT Usin...
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
 
Nordic APIs - Building a Secure API
Nordic APIs - Building a Secure APINordic APIs - Building a Secure API
Nordic APIs - Building a Secure API
 
Sensing-as-a-Service - An IoT Service Provider's Perspectives
Sensing-as-a-Service - An IoT Service Provider's PerspectivesSensing-as-a-Service - An IoT Service Provider's Perspectives
Sensing-as-a-Service - An IoT Service Provider's Perspectives
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
 
Slideshare Powerpoint presentation
Slideshare Powerpoint presentationSlideshare Powerpoint presentation
Slideshare Powerpoint presentation
 

Ähnlich wie Fine-Grained AuthZ for Cloud

Axiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 sharedAxiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 sharedFinn Frisch
 
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...ggebel
 
GoodDogLabs IAM Cloud Migration - Bridging the Gap
GoodDogLabs IAM Cloud Migration - Bridging the GapGoodDogLabs IAM Cloud Migration - Bridging the Gap
GoodDogLabs IAM Cloud Migration - Bridging the GapAldo Pietropaolo
 
CIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
CIS 2015- Rethinking Your Authorization Strategy- Gerry GebelCIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
CIS 2015- Rethinking Your Authorization Strategy- Gerry GebelCloudIDSummit
 
Authorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleAuthorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleNordic APIs
 
Cloud 12 08 V2
Cloud 12 08 V2Cloud 12 08 V2
Cloud 12 08 V2Pini Cohen
 
ITSM & the Cloud, what does it mean for you?
ITSM & the Cloud, what does it mean for you?ITSM & the Cloud, what does it mean for you?
ITSM & the Cloud, what does it mean for you?Axios Systems
 
Top Ten Reasons Why Developers Don't Adopt ABAC
Top Ten Reasons Why Developers Don't Adopt ABACTop Ten Reasons Why Developers Don't Adopt ABAC
Top Ten Reasons Why Developers Don't Adopt ABACForgeRock
 
Modern Architectures
Modern ArchitecturesModern Architectures
Modern ArchitecturesSecureAuth
 
2.evaluating cloud platforms
2.evaluating cloud platforms2.evaluating cloud platforms
2.evaluating cloud platformsDrRajapraveenkN
 
Cloud Computing By Faisal Shehzad
Cloud Computing By Faisal ShehzadCloud Computing By Faisal Shehzad
Cloud Computing By Faisal ShehzadFaisal Shehzad
 
AWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptxAWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptxHitendrasingh79
 
End User Computing at CloudHesive.pptx
End User Computing at CloudHesive.pptxEnd User Computing at CloudHesive.pptx
End User Computing at CloudHesive.pptxCloudHesive
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3EnterpriseGRC Solutions, Inc.
 
Microsoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision MakersMicrosoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision MakersMicrosoft Private Cloud
 
Cloud Use Cases And Standards
Cloud Use Cases And StandardsCloud Use Cases And Standards
Cloud Use Cases And StandardsGovCloud Network
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...GovCloud Network
 
Steve Mills - Dispelling the Vapor Around Cloud Computing
Steve Mills - Dispelling the Vapor Around Cloud ComputingSteve Mills - Dispelling the Vapor Around Cloud Computing
Steve Mills - Dispelling the Vapor Around Cloud ComputingMauricio Godoy
 

Ähnlich wie Fine-Grained AuthZ for Cloud (20)

Axiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 sharedAxiomatics webinar 13 june 2013 shared
Axiomatics webinar 13 june 2013 shared
 
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
 
GoodDogLabs IAM Cloud Migration - Bridging the Gap
GoodDogLabs IAM Cloud Migration - Bridging the GapGoodDogLabs IAM Cloud Migration - Bridging the Gap
GoodDogLabs IAM Cloud Migration - Bridging the Gap
 
CIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
CIS 2015- Rethinking Your Authorization Strategy- Gerry GebelCIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
CIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
 
Authorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleAuthorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the Puzzle
 
Cloud 12 08 V2
Cloud 12 08 V2Cloud 12 08 V2
Cloud 12 08 V2
 
ITSM & the Cloud, what does it mean for you?
ITSM & the Cloud, what does it mean for you?ITSM & the Cloud, what does it mean for you?
ITSM & the Cloud, what does it mean for you?
 
Top Ten Reasons Why Developers Don't Adopt ABAC
Top Ten Reasons Why Developers Don't Adopt ABACTop Ten Reasons Why Developers Don't Adopt ABAC
Top Ten Reasons Why Developers Don't Adopt ABAC
 
Modern Architectures
Modern ArchitecturesModern Architectures
Modern Architectures
 
2.evaluating cloud platforms
2.evaluating cloud platforms2.evaluating cloud platforms
2.evaluating cloud platforms
 
Cloud Computing By Faisal Shehzad
Cloud Computing By Faisal ShehzadCloud Computing By Faisal Shehzad
Cloud Computing By Faisal Shehzad
 
Presentation1502212
Presentation1502212Presentation1502212
Presentation1502212
 
AWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptxAWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptx
 
Cloud_computing Notes.docx
Cloud_computing Notes.docxCloud_computing Notes.docx
Cloud_computing Notes.docx
 
End User Computing at CloudHesive.pptx
End User Computing at CloudHesive.pptxEnd User Computing at CloudHesive.pptx
End User Computing at CloudHesive.pptx
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 
Microsoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision MakersMicrosoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision Makers
 
Cloud Use Cases And Standards
Cloud Use Cases And StandardsCloud Use Cases And Standards
Cloud Use Cases And Standards
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
 
Steve Mills - Dispelling the Vapor Around Cloud Computing
Steve Mills - Dispelling the Vapor Around Cloud ComputingSteve Mills - Dispelling the Vapor Around Cloud Computing
Steve Mills - Dispelling the Vapor Around Cloud Computing
 

Mehr von David Brossard

Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...David Brossard
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...David Brossard
 
The Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with AuthorizationThe Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with AuthorizationDavid Brossard
 
OpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior ArtOpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior ArtDavid Brossard
 
OpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateDavid Brossard
 
Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...David Brossard
 

Mehr von David Brossard (6)

Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
 
The Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with AuthorizationThe Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with Authorization
 
OpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior ArtOpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior Art
 
OpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG Update
 
Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...
 

Kürzlich hochgeladen

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 

Kürzlich hochgeladen (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 

Fine-Grained AuthZ for Cloud

  • 1. Fine-Grained Authorization for Cloud-based Services David Brossard Axiomatics @davidjbrossard - @axiomatics © 2012, Axiomatics AB 1
  • 2. 3 strategies to extend authorization to the Cloud We’re in London, we definitely need this strategy What it means for customers SaaS providers What you will learn © 2012, Axiomatics AB 2
  • 3. Access control or authorization (AuthZ) Who can do what? “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.” What’s authorization? © 2012, Axiomatics AB 3
  • 4. Heard enough about SSO, federation and SAML? Authentication: Hi, I prove who I say I am One-off process Focus: user’s identity and the proof of identity Standards: OpenID, OAUTH, SAML… Authorization: Hi, can I transfer this amount? From code-driven to policy-driven Standard: XACML Authorization comes after Authentication © 2012, Axiomatics AB 4
  • 5. The issue with Authorization today The black box challenge © 2012, Axiomatics AB 5
  • 6. System growth leads to AuthZ challenges App App App Cost Brittleness Static Risk Lack of visibility Lack of audit Violation of SoD SaaS SaaS SaaS © 2012, Axiomatics AB 6
  • 7. What happens to my data? Who can access which information? How do I comply with (what the auditor will ask for) Regulations? E.g. Export Control Contractual obligations? Going to the cloud doesn’t make it easier Do I need a different approach for cloud? The Authorization Challenge © 2012, Axiomatics AB 7
  • 8. Export Control Know the user (citizenship, location, affiliation) Know the end use (end location, purpose of use) Example: Manufacturing in the cloud © 2012, Axiomatics AB 8
  • 9. Fine-grained authorization to the rescue Attribute-based access control XACML © 2012, Axiomatics AB 9
  • 10. Authorization is nearly always about Who? Identity + role (+ group) © 2012, Axiomatics AB 10 Credits: all icons from the Noun Project | Invisible: Andrew Cameron
  • 11. Authorization should really be about… When?What? How?Where?Who? Why? © 2012, Axiomatics AB 11 Credits: all icons from the Noun Project | Invisible: Andrew Cameron, | Box: Martin Karachorov | Wrench: John O'Shea | Clock: Brandon Hopkins
  • 12. eXtensible Access Control Markup Language OASIS standard XACML is expressed as A specification document (a PDF) and An XML schema Policy-based & attribute-based language Implement authorization based on object relations Only employees of a given plant can see technical data linked to items assigned to the plant © 2012, Axiomatics AB 12 Behold XACML, the standard for ABAC
  • 13. © 2012, Axiomatics AB Refresher: the XACML architecture Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point 13
  • 14. © 2012, Axiomatics AB 14 XACML  Transparent & Externalized AuthZ Centrally managed policy: ”PERMIT user with clearance X to read document classified as ….” “DENY access to classified document if…” User Application Information asset I want… PERMIT or DENY? PERMIT or DENY?
  • 15. XACML  Anywhere AuthZ & Architecture Datacenter App A Service A Service D Service E Service M Service O SaaS SaaS © 2012, Axiomatics AB 15 Private Cloud
  • 16. Fine-grained Authorization for the Cloud Three strategies for externalized authorization in the cloud © 2012, Axiomatics AB 16
  • 17. A SaaS provider should offer Functional APIs (their core business) Non-functional (Security) APIs Let customers push their own XACML policies Apply the administrative delegation profile http://docs.oasis-open.org/xacml/3.0/xacml-3.0- administration-v1-spec-en.html Option #1 – tell your provider to adopt XACML © 2012, Axiomatics AB 17
  • 18. SaaS provider Option #1 – Architecture Central IT: Company A SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer’s users. Customer A’s admin can manage access for their staff on its own by providing XACML policies and attributes Customer A users use the SaaS application 18© 2012, Axiomatics AB App#1 App#2 App#3 FunctionalAPI XACML Mgmt API 1. 2. 3.
  • 19. Pros Consistent access control Fine-grained Risk-aware Future-proof SaaS vendor benefit multi-tenancy Cons Not many SaaS vendors support XACML today Option #1 – Pros & Cons © 2012, Axiomatics AB 19
  • 20. If you can restrict access to SaaS applications from within the corporate network… All access to SaaS apps could be made to tunnel through a proxy Option #2 – Proxy your cloud connections © 2012, Axiomatics AB 20
  • 21. Option #2 – Architecture SaaS App #1 SaaS App #2 SaaS App #3 VPN © 2012, Axiomatics AB 21
  • 22. Pros Workaround current SaaS limitations Easy to deploy Available today Cons No direct access to SaaS app Forces users to go via VPN Access may not be as fine grained as Option #1 Lack of visibility into the SaaS data Option #2 – Pros & Cons © 2012, Axiomatics AB 22
  • 23. What if the provider is reluctant to adopt XACML? “If the application won’t go to XACML then XACML will go to the application” Eve Maler, Forrester You still get Centrally managed authorization Standards-based (XACML) Approach Convert from XACML to expected SaaS format Push via SaaS management APIs Option #3 – Policy Provisioning based on XACML © 2012, Axiomatics AB 23
  • 24. SaaS provider Option #3 – Architecture Central IT: Company A Convert XACML policies to the native format expected by the SaaS provider Customer A users use the SaaS application App#1 App#2 App#3 FunctionalAPI Native API © 2012, Axiomatics AB 24 Authorization constraints / permissions in the format expected by the SaaS provider
  • 25. Pros Feasible today Viable solution Extends the customer’s XACML-based authorization system’s reach Cons Possible loss of XACML richness in access control Loss of dynamic nature Option #3 – Pros & Cons © 2012, Axiomatics AB 25
  • 26. Cloud requires eXtensible Authorization Fine-grained Externalized Traditional approaches #1: tell your SaaS provider to adopt XACML. #2: proxy your cloud connections. Extended approach #3: Policy Provisioning based on XACML Also works for business apps (SharePoint, Windows) To summarize © 2012, Axiomatics AB 26

Hinweis der Redaktion

  1. Once upon a time, access control was about who you were. What mattered was your identity or perhaps your role or group.But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why…Credits:Invisible: Andrew Cameron, from The Noun ProjectBox: Martin Karachorov, Wrench: John O'Sheaclock: Brandon Hopkins
  2. Once upon a time, access control was about who you were. What mattered was your identity or perhaps your role or group.But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why…Credits:Invisible: Andrew Cameron, from The Noun ProjectBox: Martin Karachorov, Wrench: John O'Sheaclock: Brandon Hopkins
  3. Policy Enforcement PointIn the XACML architecture, the PEP is the component in charge of intercepting business messages and protecting targeted resources by requesting an access control decision from a policy decision point and enforcing that decision. PEPs can embrace many different form factors depending on the type of resource being protected.Policy Decision PointThe PDP sits at the very core of the XACML architecture. It implements the XACML standard and evaluation logic. Its purpose is to evaluate access control requests coming in from the PEP against the XACML policies read from the PRP. The PDP then returns a decision – either of Permit, Deny, Not Applicable, or Indeterminate.Policy Retrieval PointThe PRP is one of the components that support the PDP in its evaluation process. Its only purpose is to act as a persistence layer for XACML policies. It can therefore take many forms such as a database, a file, or a web service call to a remote repository.Policy Information PointXACML is a policy-based language which uses attributes to express rules & conditions. Attributes are bits of information about a subject, resource, action, or context describing an access control situation. Examples of attributes are a user id, a role, a resource URI, a document classification, the time of the day, etc… In its evaluation process, the PDP may need to retrieve additional attributes. It turns to PIPs where attributes are stored. Examples of PIPs include corporate user directories (LDAP…), databases, UDDIs… The PDP may for instance ask the PIP to look up the role of a given user.Policy Administration PointThe PAP’s purpose is to provide a management interface administrators can use to author policies and control their lifecycle.