As presented at the XACML seminar, 26 April 2012, at SURFnet (Utrecht, NL), organised by PIMN, CSA and PvIB. Presents the context-enhanced authorization project on the usefulness and feasibility of using context to improve authorization for a large Dutch bank.
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced authorizations
1. XACML pilot at a large Dutch bank
Using XACML to implement context-
enhanced authorizations
Maarten Wegdam, Novay
With contributions of Martijn Oostdijk, Novay
XACML seminar, 26 April 2012
www.novay.nl | maarten.wegdam@novay.nl
| +31 53 4850414 | @maartenwegdam |
http://maarten.wegdam.name (blog) |
http://www.linkedin.com/in/wegdam
2. Novay
formerly Telematica Instituut
research & advice, innovation projects
multi-disciplinary, ~50 researchers/advisors
(government, financial, health)
3. Maarten Wegdam
Managing Advisor digital identity, privacy, trust
PhD in computer science (RuG, UT)
CV: KPN Research, Bell Labs, UD@UT
3 XACML pilot - context-enhanced authorization
4. Authorization & Context? (Attribute Based Access Control)
5. Context-enhanced authz
• XACML pilot at a large Dutch bank
• Context = location and more
• DYNAMIC!! policies
• Usefulness through use cases +
feasibility study through demonstrator
• Scope: employees
6. CEA – the movie
http://youtu.be/lGUprbxJNvE
7. I will NOT discuss
• ABAC
• XACML
So I have MORE TIME FOR
• Context-enhanced authz
• Use case + demonstrator
• Lessons learned
8. Context and examples
• Environment: security incidents
• Social: SN friends, twitter activity
• Physiological: heart rate
• Location: cell-id, GPS, country, proximity
• Time: office hours
• Mental: stressed
• Activities: travelling, meeting, sleeping
• Network: VPN, Wifi
• Device: type, ownership
9. Use-cases – a high level …
Read-only outside the office for transactions
Used device
User proximity
Data loss prevention when travelling
10. Demonstrator
(architecture diagram; components shown:)
• User carrying a proximity dongle, read by an NFC reader
• Application
• Policy Engine, with policies incl. context variables
• Context client (on the device) and Context server
• Context sources: Google Latitude, Outlook, Google Calendar, Device Mgmt
14. Our approach: authZ levels
All
• @office, proximity, IT-dept. mngd laptop
A lot
• @home, proximity, IT-dept. mngd laptop, 6.00-23.00
Some
• @office, user mngd (registered) iPad, agenda, 06.00-23.00
• IT-dept. mngd laptop, proximity, agenda, time in 6.00-23.00
A little
• Proximity, registered device
Nothing
19. Main lesson
YES we can
It is useful
It is feasible using XACML tooling
BUT … (next slides)
20. Context – low-hanging fruit
Location, location, location
Stuff derived from location
Used device (BYOD, enterprise mobility etc)
Used network (VPN/local, access point etc)
Time-of-day
Security incidents / events
And of course normal usage patterns
Please note: context is just an attribute for XACML, but then dynamic
21. Quality of context
Sensors have limitations
Context is vague
(probability, accuracy, outdated)
Requires knowing how vague, and
combining context: not trivial!
22. Authenticity of context
Attack by faking or disabling context sources
We need verification
• Rely on trusted sources, e.g., company owned
• Combining multiple sources (cf. quality of context)
• Context history
Depends very much on specific scenario
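An added example, written for this page and not code from the pilot, showing one way to handle the quality (slide 21) and authenticity (slide 22) problems together: every location observation carries the sensor's own accuracy and a timestamp, every source gets a trust weight that reflects who controls it (company-owned badge reader and MDM-reported cell-id above VPN endpoint above GPS from a user-managed phone), evidence decays with age, and the fused result is "unknown" when the evidence is stale, too weak on its own, or when sources disagree, which is how a faked or disabled sensor shows up. The source names, trust weights, the 15-minute window and the thresholds are assumptions made for the example.

```python
"""Fusing location evidence from several context sources (slides 21 and 22).

Added example written for this page, not the pilot's code. Source names,
trust weights, MAX_AGE and the two thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Trust in a source depends on who controls it (slide 22: rely on trusted, e.g. company-owned, sources).
SOURCE_TRUST = {"badge": 1.0, "mdm_cellid": 0.8, "vpn": 0.6, "byod_gps": 0.3}
MAX_AGE = timedelta(minutes=15)   # evidence older than this is ignored (outdated context)
MIN_CONFIDENCE = 0.5              # the winning place needs at least this much absolute weight ...
MIN_AGREEMENT = 0.7               # ... and this share of all fresh weight, otherwise it is a conflict


@dataclass(frozen=True)
class Observation:
    source: str        # key into SOURCE_TRUST
    place: str         # place derived from the raw reading, e.g. "office", "home", "abroad"
    seen_at: datetime  # when the reading was taken
    accuracy: float    # the source's own confidence in the reading, 0..1


@dataclass(frozen=True)
class Fused:
    place: str         # fused place, or "unknown"
    confidence: float  # absolute weight behind the fused place, capped at 1.0
    reason: str        # why the result is (not) usable


def weight(obs: Observation, now: datetime) -> float:
    """Trust in the source, times the source's accuracy, times linear freshness decay."""
    age = now - obs.seen_at
    if age < timedelta(0) or age > MAX_AGE:
        return 0.0  # future-dated (clock skew or forgery) and stale readings carry no weight
    freshness = 1.0 - age / MAX_AGE
    return SOURCE_TRUST.get(obs.source, 0.0) * max(0.0, min(1.0, obs.accuracy)) * freshness


def fuse_location(observations: Iterable[Observation], now: datetime) -> Fused:
    """Combine observations into one place; refuse to answer when evidence is weak or contradictory."""
    scores = {}
    for obs in observations:
        scores[obs.place] = scores.get(obs.place, 0.0) + weight(obs, now)
    total = sum(scores.values())
    if total == 0.0:
        return Fused("unknown", 0.0, "no fresh evidence")
    place, score = max(scores.items(), key=lambda item: item[1])
    confidence = min(1.0, score)
    if score / total < MIN_AGREEMENT:
        # Sources that should agree do not: possible spoofed or disabled sensor, do not guess.
        return Fused("unknown", confidence, "conflicting evidence")
    if confidence < MIN_CONFIDENCE:
        return Fused("unknown", confidence, "low confidence")
    return Fused(place, confidence, "ok")


# Constructed sample evidence, relative to a fixed "now".
NOW = datetime(2012, 4, 26, 10, 0)


def minutes_ago(m: int) -> datetime:
    return NOW - timedelta(minutes=m)


SAMPLES = {
    # Badge reader says office, the user's own phone says home: trusted source wins.
    "badge_plus_gps": [Observation("badge", "office", minutes_ago(5), 1.0),
                       Observation("byod_gps", "home", minutes_ago(2), 0.9)],
    # Only a user-controlled source: not enough on its own.
    "gps_only": [Observation("byod_gps", "abroad", minutes_ago(2), 1.0)],
    # Two trusted sources disagree: refuse rather than pick one.
    "badge_vs_cellid": [Observation("badge", "office", minutes_ago(5), 1.0),
                        Observation("mdm_cellid", "abroad", minutes_ago(1), 1.0)],
    # Last badge swipe an hour ago: outdated.
    "stale_badge": [Observation("badge", "office", minutes_ago(60), 1.0)],
}


if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        print(name, fuse_location(obs, NOW))
```

The "unknown" outcomes are deliberate: a policy that needs location then falls through to a lower authz level instead of trusting a single phone or guessing between contradicting sources.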
23. Trust in context vs usefulness
(chart: needed trust in authenticity of context, plotted against usefulness)
24. Context is privacy sensitive
Minimize privacy consequences
• Limit (centralized) storage
• Minimize sensing
• Privacy-by-design, PETs etc
Acceptance
• Ensure sufficient benefit for the users!!!
• Transparency & consent
25. Complexity of policies
Context will increase complexity
• Complete and conflict free
Expressing context at high abstraction helps
Not too high: lose quality and authenticity
We defined discrete ‘authz levels’
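An added example, written for this page and not code from the pilot or from any XACML product, that implements the five discrete authz levels of slide 14 and so shows the abstraction that slide 25 recommends: the raw context attributes are reduced to one level, and each resource/action only has to state the level it needs. The rules are tried from the highest level downwards and the first one whose conditions all hold decides, with "nothing" as the default, which is XACML's first-applicable rule combining in miniature. The attribute names, the location and device vocabulary, the meaning of "agenda" and the resource-to-level table are assumptions made for the example.

```python
"""Toy policy decision point for the discrete authz levels of slide 14.

Added example written for this page, not the pilot's code. Attribute names,
the location/device vocabulary and REQUIRED_LEVEL are assumptions.
"""
from dataclasses import dataclass
from datetime import time

# Ordered from lowest to highest, so levels can be compared by index.
LEVELS = ["nothing", "a_little", "some", "a_lot", "all"]


@dataclass(frozen=True)
class Context:
    location: str             # "office", "home" or "elsewhere" (assumed, derived from location sources)
    device: str               # "laptop" or "ipad" (assumed vocabulary)
    device_managed: bool      # managed by the IT department
    device_registered: bool   # user-managed but registered with device management (BYOD)
    proximity: bool           # the user's proximity dongle is seen by the NFC reader
    agenda: bool              # calendar is consistent with the request (assumed meaning of "agenda")
    now: time                 # time of day of the request


def in_hours(ctx: Context) -> bool:
    """The 06.00-23.00 window that several levels on slide 14 require."""
    return time(6, 0) <= ctx.now <= time(23, 0)


def registered(ctx: Context) -> bool:
    """An IT-managed device counts as a registered device too."""
    return ctx.device_managed or ctx.device_registered


# (level, condition) pairs, highest level first; every condition in a rule must hold.
RULES = [
    # All: @office, proximity, IT-dept. managed laptop
    ("all", lambda c: c.location == "office" and c.proximity
                      and c.device_managed and c.device == "laptop"),
    # A lot: @home, proximity, IT-dept. managed laptop, 06.00-23.00
    ("a_lot", lambda c: c.location == "home" and c.proximity
                        and c.device_managed and c.device == "laptop" and in_hours(c)),
    # Some: @office, user-managed (registered) iPad, agenda, 06.00-23.00
    ("some", lambda c: c.location == "office" and c.device == "ipad"
                       and c.device_registered and c.agenda and in_hours(c)),
    # Some: IT-dept. managed laptop, proximity, agenda, 06.00-23.00 (any location)
    ("some", lambda c: c.device_managed and c.device == "laptop"
                       and c.proximity and c.agenda and in_hours(c)),
    # A little: proximity, registered device
    ("a_little", lambda c: c.proximity and registered(c)),
]


def authz_level(ctx: Context) -> str:
    """First-applicable: the first matching rule wins; no match means 'nothing'."""
    for level, condition in RULES:
        if condition(ctx):
            return level
    return "nothing"


# Minimum level per action; assumed values in the spirit of the slide 9 use case
# "read-only outside the office for transactions".
REQUIRED_LEVEL = {
    "transactions:read": "some",
    "transactions:approve": "all",
    "calendar:read": "a_little",
}


def decide(ctx: Context, action: str) -> str:
    """Return the XACML decision 'Permit' or 'Deny' for an action under this context."""
    required = REQUIRED_LEVEL.get(action)
    if required is None:
        return "Deny"  # unknown action: deny by default
    return "Permit" if LEVELS.index(authz_level(ctx)) >= LEVELS.index(required) else "Deny"


# Constructed sample contexts (location, device, managed, registered, proximity, agenda, time).
EXAMPLE_CONTEXTS = {
    "office_laptop": Context("office", "laptop", True, True, True, True, time(10, 0)),
    "home_laptop_day": Context("home", "laptop", True, True, True, True, time(19, 30)),
    "home_laptop_night": Context("home", "laptop", True, True, True, True, time(2, 30)),
    "office_ipad": Context("office", "ipad", False, True, False, True, time(10, 0)),
    "travelling_laptop": Context("elsewhere", "laptop", True, True, True, True, time(14, 0)),
    "cafe_unregistered_ipad": Context("elsewhere", "ipad", False, False, False, False, time(14, 0)),
}


if __name__ == "__main__":
    for name, ctx in EXAMPLE_CONTEXTS.items():
        print(name, authz_level(ctx), decide(ctx, "transactions:read"), decide(ctx, "transactions:approve"))
```

Two things the levels buy you: a policy author reasons about five values instead of the cross product of every context attribute, and the ordering makes the "conflict free" requirement of slide 25 trivial, because at most one level is chosen per request.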
26. Scalability & performance
Typical XACML attributes are static, context is not: perf & scalability challenge
No more caching
Pre-fetching context helps performance, bad for scalability
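An added example, written for this page and not code from the pilot, that makes the caching point of slide 26 concrete: a policy information point (PIP) front-end with a time-to-live per attribute. Static attributes (role, department) can be reused for hours, a context attribute such as location only for seconds, and a proximity reading must be fetched on every decision, so it gets no cache at all. A fetch counter per attribute shows the extra load that dynamic attributes put on the attribute sources. The attribute names, the TTLs, the fake backend and the simulated request stream are assumptions made for the example.

```python
"""PIP front-end with per-attribute time-to-live (slide 26).

Added example written for this page, not the pilot's code. Attribute names,
TTLs, the fake backend and the request stream are assumptions.
"""
import time

# Seconds a fetched attribute value may be reused; 0 means "never reuse".
TTL_SECONDS = {
    "role": 3600.0,       # static, from the directory
    "department": 3600.0, # static, from the directory
    "location": 30.0,     # dynamic context, from the context server
    "proximity": 0.0,     # dynamic context, must be current for every decision
}


class CachingPIP:
    """Looks attributes up through backend(subject, attribute) with a TTL cache in front."""

    def __init__(self, backend, clock=time.monotonic):
        self.backend = backend
        self.clock = clock      # injectable so the simulation below is deterministic
        self._cache = {}        # (subject, attribute) -> (value, expires_at)
        self.fetches = {}       # attribute -> number of backend calls

    def get(self, subject, attribute):
        ttl = TTL_SECONDS.get(attribute, 0.0)   # unknown attributes are never cached
        key = (subject, attribute)
        now = self.clock()
        if ttl > 0.0:
            hit = self._cache.get(key)
            if hit is not None and now < hit[1]:
                return hit[0]
        value = self.backend(subject, attribute)
        self.fetches[attribute] = self.fetches.get(attribute, 0) + 1
        if ttl > 0.0:
            self._cache[key] = (value, now + ttl)
        return value


class FakeClock:
    """Deterministic clock that the simulation advances by hand."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def fake_backend(subject, attribute):
    """Stand-in for the directory, the device-management server and the context server."""
    return {"role": "teller", "department": "retail",
            "location": "office", "proximity": True}[attribute]


def simulate(requests=10, seconds_between=5.0):
    """Run `requests` decisions for one subject, each needing all four attributes,
    and return the number of backend fetches per attribute."""
    clock = FakeClock()
    pip = CachingPIP(fake_backend, clock)
    for _ in range(requests):
        for attribute in TTL_SECONDS:
            pip.get("alice", attribute)
        clock.advance(seconds_between)
    return dict(pip.fetches)


if __name__ == "__main__":
    counts = simulate()
    print(counts, "total:", sum(counts.values()), "of", 10 * len(TTL_SECONDS), "lookups")
```

With ten decisions five seconds apart, the two static attributes cost one fetch each, location costs two, and proximity costs ten: 14 backend calls for 40 lookups, almost all of them caused by the context attributes. Pre-fetching context for every subject would move that work off the decision path, but it also means fetching for subjects who never make a request, which is the scalability cost the slide refers to.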
27. Key take-aways
Centralization - take authz out of the application (cf. authn)
Use attributes (ABAC), XACML is the standard to do this multi-vendor and across domains
Our pilot: use dynamic attributes (i.e., context)
Yes it is useful, yes it is feasible
But w.r.t. context: authenticity, quality & privacy
But w.r.t. dyn attributes / XACML: complexity of policies & scalability/performance
28. More information
• Project page @Novay
• http://www.novay.nl/okb/projects/context-enhanced-authorization/12435
• Whitepaper: Feasibility of Context-enhanced Authorization in the banking sector
• Blogposts with more technical XACML experiences
• http://martijno.blogspot.com/2012/02/xacml-with-tivoli-security-policy.html
• Ack: Martijn Oostdijk, Bob Hulsebosch, Jaap Reitsma, Ruud Kosman & other Novay colleagues, IBM, Rabobank