In this presentation, I cover the history of access control, from simpler models e.g. access control lists (ACL) to Role Based Access Control (RBAC) and eventually Attribute Based Access Control (ABAC). I then discuss limitations of RBAC and how ABAC provides a better alternative using attributes and policies.
32. 70%
By 2020, 70 percent of enterprises will use ABAC as
the dominant mechanism to protect critical assets, up
from less than 5 percent today.
Gartner, 2013
“
”
The IT landscape is a vast universe full of very different but connected galaxies.
Think about it. You have the data galaxy, application galaxy, the web, log analysis, business processes, many more.
And of course you have the Security galaxy. It is by no means a small galaxy. Far from it. It is vast, complex, and tricky to navigate.
The universe
The IT landscape is a vast universe full of very different but connected galaxies.
Think about it. You have the data galaxy, application galaxy, the web, log analysis, business processes, many more.
And of course you have the Security galaxy. It is by no means a small galaxy. Far from it. It is vast, complex, and tricky to navigate.
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical). (source: Wikipedia)
Security includes many different areas and specializations such as encryption, identity & access management, network security… Security addresses different concerns in different layers (think of the 7 ISO layers). Although the approach may be different due to technology (layer), the principles remain the same.
The galaxy
Let’s zoom in on a small galaxy (the “Milky Way”) high up there in the corner. Welcome to Identity & Access Management.
Identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements. This security practice is a crucial undertaking for any enterprise. It is increasingly business-aligned, and it requires business skills, not just technical expertise.
Enterprises that develop mature IAM capabilities can reduce their identity management costs and, more importantly, become significantly more agile in supporting new business initiatives.
Source: Gartner (http://www.gartner.com/it-glossary/identity-and-access-management-iam/)
The Solar System
Let’s jump straight into the Milky Way and continue on our journey. Welcome to the Solar System!
EAM – Externalized Authorization Management – is a smaller area within the IAM space. It deals specifically with authorization or access control. And even more specifically authorization that has been decoupled from and removed from the applications themselves hence the name “externalized”.
Gartner uses the term EAM while other firms e.g. Kuppinger Cole refer to Dynamic Authorization Management (DAM).
Here are some useful references:
EAM at Gartner: https://www.gartner.com/doc/2358815/technology-overview-externalized-authorization-management
DAM at Kuppinger Cole: https://www.kuppingercole.com/report/leadershipcompass_damgw709664614
What is an IAM Framework?
Authentication
Authentication is the area through which a user provides sufficient credentials to gain initial access to an application system or a particular resource. Once a user is authenticated, a session is created and referred during the interaction between the user and the application system until the user logs off or the session is terminated by other means (e.g. timeout). It usually comes with a password service module when the user ID /password authentication method is used. By centrally maintaining the session of a user, it provides Single-Sign-On service so that the user needs not logon again on accessing another application system or resource governed under the same IAM Framework.
Authorization
Authorization is the area that determines whether a user is permitted to access a particular resource. Authorization is performed by checking the resource access request, typically in the form of an URL in web-based application, against authorization policies that are stored in an IAM policy store.Authorization is the core area that implements role-based access control. Moreover, the authorization model could provide complex access controls based on data or information or policies including user attributes, user roles /groups, actions taken, access channels, time, resources requested, external data and business rules.
User Management
This area comprises of user management, password management, role/ group management and user /group provisioning. It defines the set of administrative functions such as identity creation, propagation, and maintenance of user identity and privileges. One of its components is user life cycle management that enables an enterprise to manage the lifespan of a user account, from the initial stage of provisioning to the final stage of de-provisioning.Some of the user management functions should be centralized while others should be delegated to end users. Delegated administration allows an enterprise to directly distribute workload to user departmental units. Delegation can also improve the accuracy of system data by assigning the responsibility of updates to persons closest to the situation and information.Self-service is another key concept within user management. Through self-profile management service an enterprise benefits from timely update and accurate maintenance of identity data. Another popular self-service function is self-password reset, which significantly alleviates the help desk workload to handle password reset requests.User management requires an integrated workflow capability to approve some user actions such as user account provisioning and de-provisioning.
Central User Repository
Central User Repository stores and delivers identity information to other services, and provides service to verify credentials submitted from clients. The Central User Repository presents an aggregate or logical view of identities of an enterprise. Directory services adopting LDAPv3 standards have become the dominant technology for Central User Repository. Both meta-directory and virtual directory can be used to manage disparate identity data from different user repositories of applications and systems. A meta-directory typically provides an aggregate set of identity data by merging data from different identity sources into a meta-set. It usually comes with a 2-way data synchronization service to keep the data in synchronization with other identity sources. A virtual directory delivers a unified LDAP view of consolidated identity information, and multiple databases containing different sets of users are combined in real time behind the scene.
Source: Hong Kong Polytechnic University (http://www.polyu.edu.hk/ags/Newsletter/news0911/IAM_details.html)
Now that you expose data more openly, you need to watch out for those gaps, those holes in the system. Either you lock everything down and you make sure only the relevant clients or individuals get access to the right data or you open up fully. Do you bake the access control inside the API itself? Do you for instance implement methods such as getMyProfile()? How do you make sure your API is secure but also future-proof and flexible enough to adapt to future needs? How do you make sure your API complies with national and international regulations?
ABAC or Attribute-Based Access Control is the new authorization model flexible enough to secure your APIs, applications, and data stores all in one go, from one central place, in a consistent manner.
ABAC is a NIST-backed initiative. XACML is the standard implementation for ABAC
Two first-class citizens in ABAC: policies and attributes
Attributes are key-value pairs. They can be used to describe anything and anyone. Attributes can be multi-valued. For instance citizenship = ‘Swedish’ and ‘Norwegian’. Attributes can be typed. An attribute could be a string, a number, a boolean, or a date. For instance:
dateOfBirth
isActive
Balance
In this example, the bottle could be described with the following attributes:
Content
Owner
Volume
Distributor…
Attributes alone though are not enough. We need something to bring the attributes all together. We need a bit of chemistry.
Attributes can relate to who, what, where, when, why, and how.
Attributes cover all the grammatical functions of a sentence: the subject (who), the verb (what action), the object (what resource), and the contextual information (why, how, when, where…)
Attributes can be sourced from multiple locations: databases, other APIs, the API message itself, authentication tokens (SAML, JWT…)
Attributes can relate to who, what, where, when, why, and how.
Attributes cover all the grammatical functions of a sentence: the subject (who), the verb (what action), the object (what resource), and the contextual information (why, how, when, where…)
Attributes can be sourced from multiple locations: databases, other APIs, the API message itself, authentication tokens (SAML, JWT…)
Policies are like the natural language
Attributes are like the vocabulary
Use policies to bind attributes together to create the authorization spark. Use policies to combine attributes and determine whether access should be granted or denied.
Examples
Policies can grant access… and deny access
Policies can grant access… and deny access
Dynamic access control that is applied on the fly based on the context of the interaction. Location and time as previously seen but also relationship: does the user own the data? Have a relationship to the data?
Dynamic access control that is applied on the fly based on the context of the interaction. Location and time as previously seen but also relationship: does the user own the data? Have a relationship to the data?
One of the main challenges when building APIs, business layers, applications, and data stores is that it is unclear where authorization decisions should be made and by whom. Should developers implement the logic? If so, where? As SQL statements? As logic inside a business process? Inside the application’s logic itself? Or within the API? What if we have different ways of consuming the same data sets? Does this require implementing different logic in different places? And how do I get a good overview of what is allowed, what isn’t? How do I prove I am compliant?
Let’s look at a flow. Imagine a user Alice on the left-hand side trying to access data via an API on the right-hand side. Who gets to decide whether the call should be allowed? The API can handle authentication and basic authorization e.g. OAuth scopes. But what about finer-grained authorization? Who does the data belong to?
We’ve heard many names for that component. And yes we’ve even heard Guardian Angel. This is the component you query in order to get a decision, an authorization decision. Can I do this? Yes, you can. No you cannot.
The Guardian Angel is the one central point of decision making you go to in the enterprise for decisions. It is the same central point no matter the layer you are in, no matter the technology. It knows it all.
Divide Responsibilities: API gateways are the muscles that enforce the decisions returned by the Brains.
The Guardian Angel enables loose coupling and separation of concern between business logic and authorization logic. Much like you delegate authentication, logging, and other non-functional aspects of your app to infrastructure, so should you for authorization. In doing so, you will have 2 pieces:
The brains – this is the part the Guardian Angel plays
The muscles – this is the piece that enforce whatever the Guardian Angel says.
In real life, the Guardian Angel is a bit like the judiciary system of a country and the police force plays the role of enforcement
Let’s look at a flow. Imagine a user Alice on the left-hand side trying to access data via an API on the right-hand side. Who gets to decide whether the call should be allowed? The API can handle authentication and basic authorization e.g. OAuth scopes. But what about finer-grained authorization? Who does the data belong to?