SlideShare ist ein Scribd-Unternehmen logo

Policy based access control

Elimity
Elimity

Externalising or modularising access rules outside of the application in so called policies, represents a fundamental software engineering tactic. In this talk, we discuss ways how application developers can decouple access control rules from the application code and how this is done in current technologies. We also discuss the ways a security expert can express access control policies in an independent format and how he can manage these policies to align them with for example rules from different departments or enterprise-wide regulations.

Technologie
1 von 25
Downloaden Sie, um offline zu lesen
Policy-based access control Willem De Groef, iMinds-DistriNet Willem.DeGroef@kuleuven.be
2
3
4 ● Software artifact ● Declarative specification of access rules ● Independent from enforcement mechanism
PBAC and what it can mean for your business Business policy Employees GovernanceOperational 5
Explaining PBAC 6
User Subject Principal Guard Protected resource Action 1. How and where to implement the guard 2. How to encode the access rules 7 General Access Control System
Basic approach: rules in code [....] if (! (“manager” in user.roles and doc.owner == user and 8h00 < now() < 17h00 )) { [...] } + straightforward + you can encode almost anything - access rules are code - no separation of concerns - no modularity leads to audit challenge - what if rules change? ▪ update application code ▪ updates all over the place 8
More advanced approach: modularization @authz(user, “read”, result) public Document getDoc(docId) { [...] } + central definition of rules + easier to audit - access rules are code - IT is still in charge - no separation of concerns - what if rules change? ▪ update application code ▪ updates all over the place 9 public boolean authz( subject, action, resource) { if (! (“manager” in user.roles and …)) { [...] }
Most advanced approach: policy-based @authz(user, “read”, result) public Document getDoc(docId) { [...] } Policy Decision Point Policy + central authorization logic + central definition of rules + easy to audit + access rules independent artifacts + clear separation of concerns + rule updates at run-time 10
Not all rainbows and unicorns 11
PBAC and what it can mean for your business Business policy Employees GovernanceOperational 12
<Policy PolicyId=“dynamic-separation-of-duty" RuleCombiningAlgId=“deny-overrides"> <Description>Dynamic separation of duty</Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="string-equal"> <AttributeValue DataType="string">doc123</AttributeValue> <ResourceAttributeDesignator AttributeId="resource:id" DataType="string"/> </ResourceMatch> </Resource> </Resources> </Target> <Rule RuleId="deny" Effect=“Deny"> <Description>Deny if viewed other doc</Description> <Condition> <Apply FunctionId="string-is-in"> <AttributeValue DataType="string">doc456</AttributeValue> <SubjectAttributeDesignator AttributeId="subject:historyy" DataType="string"/> </Apply> </Condition> </Rule> <Rule RuleId=“default-permit" Effect=“Permit"> </Rule> <Obligations> <Obligation ObligationId="append-attribute" FulfillOn="Permit"> <AttributeAssignment AttributeId="value" DataType="string"> <SubjectAttributeDesignator AttributeId="resource:id" DataType="string"/> </AttributeAssignment> <AttributeAssignment AttributeId="attribute-id" DataType="string">subject:history</AttributeAssignment> </Obligation> 13 Independent declarative policy specification
1. Easy-to-use Policy languages 14
15 XACML policy editor
16 IDE for ALFA policy language
Simple Tree-structured Attribute-based Policy Language 17https://goo.gl/F2RE8g val policy = Policy("e-health example") := when ((action.id === "view") & (resource.type_ === "patient-data") & ("physician" in subject.roles)) apply PermitOverrides to ( Rule("requirement-for-permit") := permit iff (resource.owner_id in subject.treated), Rule("default deny") := deny )
2. Correctness & completeness support 18
19
20 Only syntactically correctness checks
21 Decoupling from application logic is hard { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBuckets", "Resource": "arn:aws:s3:::example_bucket" } } s3:ListBucket
Open research challenges ● Improve performance & scalability of the PDP ● Interoperability across multiple applications ● Access rules for the database layer ● Conflict resolution in policies ● Management of policies ● Supporting organizational processes 22
Conclusions 23
Conclusions 24 Policy-based access control ● Enables exciting new opportunities ○ Allows decent access management processes ○ Keep access control system in sync with your business ● Technology-wise still some hurdles ● Be future-proof by modularizing authorization!
Policy-based access control Any further questions? Contact us at Willem.DeGroef@kuleuven.be Interested in our events? Subscribe here http://bit.ly/DistrinetAccessControl

Empfohlen

Attribute based access control
Attribute based access controlAttribute based access control
Attribute based access controlElimity
 
Intro To Access Controls
Intro To Access ControlsIntro To Access Controls
Intro To Access ControlsHari Pudipeddi
 
Access Control: Principles and Practice
Access Control: Principles and PracticeAccess Control: Principles and Practice
Access Control: Principles and PracticeNabeel Yoosuf
 
01 database security ent-db
01 database security ent-db01 database security ent-db
01 database security ent-dbuncleRhyme
 
Keeping Private Data Private
Keeping Private Data PrivateKeeping Private Data Private
Keeping Private Data PrivateDobler Consulting
 
Database security copy
Database security copyDatabase security copy
Database security copyfika sweety
 
Defending broken access control in .NET
Defending broken access control in .NETDefending broken access control in .NET
Defending broken access control in .NETSupriya G
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql databasegourav kottawar
 

Empfohlen

Attribute based access control
Attribute based access controlAttribute based access control
Attribute based access controlElimity
 
Intro To Access Controls
Intro To Access ControlsIntro To Access Controls
Intro To Access ControlsHari Pudipeddi
 
Access Control: Principles and Practice
Access Control: Principles and PracticeAccess Control: Principles and Practice
Access Control: Principles and PracticeNabeel Yoosuf
 
01 database security ent-db
01 database security ent-db01 database security ent-db
01 database security ent-dbuncleRhyme
 
Keeping Private Data Private
Keeping Private Data PrivateKeeping Private Data Private
Keeping Private Data PrivateDobler Consulting
 
Database security copy
Database security copyDatabase security copy
Database security copyfika sweety
 
Defending broken access control in .NET
Defending broken access control in .NETDefending broken access control in .NET
Defending broken access control in .NETSupriya G
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql databasegourav kottawar
 
Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Prosanta Ghosh
 
Database security and privacy
Database security and privacyDatabase security and privacy
Database security and privacyMd. Ahasan Hasib
 
Database modeling and security
Database modeling and securityDatabase modeling and security
Database modeling and securityNeeharika Nidadavolu
 
Database security
Database securityDatabase security
Database securityArpana shree
 
Database security
Database securityDatabase security
Database securitykeerthusandeepreddy
 
Database Security
Database SecurityDatabase Security
Database SecurityShingalaKrupa
 
Abac and the evolution of access control
Abac and the evolution of access controlAbac and the evolution of access control
Abac and the evolution of access controlAkbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP
 
Chapter23
Chapter23Chapter23
Chapter23gourab87
 
Database and Database Security..
Database and Database Security..Database and Database Security..
Database and Database Security..Rehan Manzoor
 
Data base security
Data base securityData base security
Data base securitySara Nazir
 
Identity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsIdentity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsAlain Huet
 
Security of the database
Security of the databaseSecurity of the database
Security of the databasePratik Tamgadge
 
Information Assurance in an Enterprise Hosting Environment
Information Assurance in an Enterprise Hosting EnvironmentInformation Assurance in an Enterprise Hosting Environment
Information Assurance in an Enterprise Hosting Environmentwebhostingguy
 
2013 12 18 webcast - building the privileged identity management business case
2013 12 18 webcast - building the privileged identity management business case2013 12 18 webcast - building the privileged identity management business case
2013 12 18 webcast - building the privileged identity management business casepmcbrideva1
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsTL Technologies - Thoughts Become Things
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101Jerod Brennen
 
The Path to IAM Maturity
The Path to IAM MaturityThe Path to IAM Maturity
The Path to IAM MaturityJerod Brennen
 
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017Micro Focus
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)Jack Forbes
 
Dell Password Manager Architecture - Components
Dell Password Manager Architecture - ComponentsDell Password Manager Architecture - Components
Dell Password Manager Architecture - ComponentsAidy Tificate
 
apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...
apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...
apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...apidays
 
Does DITA need XML? Lightweight DITA and HTML5
Does DITA need XML? Lightweight DITA and HTML5Does DITA need XML? Lightweight DITA and HTML5
Does DITA need XML? Lightweight DITA and HTML5Michael Priestley
 

Weitere ähnliche Inhalte

Was ist angesagt?

Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Prosanta Ghosh
 
Database security and privacy
Database security and privacyDatabase security and privacy
Database security and privacyMd. Ahasan Hasib
 
Database and Database Security..
Database and Database Security..Database and Database Security..
Database and Database Security..Rehan Manzoor
 
Data base security
Data base securityData base security
Data base securitySara Nazir
 
Identity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsIdentity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsAlain Huet
 
Security of the database
Security of the databaseSecurity of the database
Security of the databasePratik Tamgadge
 
Information Assurance in an Enterprise Hosting Environment
Information Assurance in an Enterprise Hosting EnvironmentInformation Assurance in an Enterprise Hosting Environment
Information Assurance in an Enterprise Hosting Environmentwebhostingguy
 
2013 12 18 webcast - building the privileged identity management business case
2013 12 18 webcast - building the privileged identity management business case2013 12 18 webcast - building the privileged identity management business case
2013 12 18 webcast - building the privileged identity management business casepmcbrideva1
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101Jerod Brennen
 
The Path to IAM Maturity
The Path to IAM MaturityThe Path to IAM Maturity
The Path to IAM MaturityJerod Brennen
 
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017Micro Focus
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)Jack Forbes
 
Dell Password Manager Architecture - Components
Dell Password Manager Architecture - ComponentsDell Password Manager Architecture - Components
Dell Password Manager Architecture - ComponentsAidy Tificate
 

Was ist angesagt? (20)

Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013
 
Database security and privacy
Database security and privacyDatabase security and privacy
Database security and privacy
 
Database modeling and security
Database modeling and securityDatabase modeling and security
Database modeling and security
 
Database security
Database securityDatabase security
Database security
 
Database security
Database securityDatabase security
Database security
 
Database Security
Database SecurityDatabase Security
Database Security
 
Abac and the evolution of access control
Abac and the evolution of access controlAbac and the evolution of access control
Abac and the evolution of access control
 
Chapter23
Chapter23Chapter23
Chapter23
 
Database and Database Security..
Database and Database Security..Database and Database Security..
Database and Database Security..
 
Data base security
Data base securityData base security
Data base security
 
Identity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsIdentity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling concepts
 
Security of the database
Security of the databaseSecurity of the database
Security of the database
 
Information Assurance in an Enterprise Hosting Environment
Information Assurance in an Enterprise Hosting EnvironmentInformation Assurance in an Enterprise Hosting Environment
Information Assurance in an Enterprise Hosting Environment
 
2013 12 18 webcast - building the privileged identity management business case
2013 12 18 webcast - building the privileged identity management business case2013 12 18 webcast - building the privileged identity management business case
2013 12 18 webcast - building the privileged identity management business case
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systems
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101
 
The Path to IAM Maturity
The Path to IAM MaturityThe Path to IAM Maturity
The Path to IAM Maturity
 
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)
 
Dell Password Manager Architecture - Components
Dell Password Manager Architecture - ComponentsDell Password Manager Architecture - Components
Dell Password Manager Architecture - Components
 

Ähnlich wie Policy based access control

apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...
apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...
apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...apidays
 
Does DITA need XML? Lightweight DITA and HTML5
Does DITA need XML? Lightweight DITA and HTML5Does DITA need XML? Lightweight DITA and HTML5
Does DITA need XML? Lightweight DITA and HTML5Michael Priestley
 
TechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTrivadis
 
MySQL Enterprise Monitor
MySQL Enterprise MonitorMySQL Enterprise Monitor
MySQL Enterprise MonitorTed Wennmark
 
7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodromDoina Draganescu
 
Practical_Business_Rules_Development_and_Use
Practical_Business_Rules_Development_and_UsePractical_Business_Rules_Development_and_Use
Practical_Business_Rules_Development_and_UseMichael Cook
 
Building The Agile Database
Building The Agile DatabaseBuilding The Agile Database
Building The Agile Databaseelliando dias
 
Building Ranking Infrastructure: Data-Driven, Lean, Flexible - Sergii Khomenk...
Building Ranking Infrastructure: Data-Driven, Lean, Flexible - Sergii Khomenk...Building Ranking Infrastructure: Data-Driven, Lean, Flexible - Sergii Khomenk...
Building Ranking Infrastructure: Data-Driven, Lean, Flexible - Sergii Khomenk...Sergii Khomenko
 
TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5Tieturi Oy
 
01_Team_03_CS_591_Project
01_Team_03_CS_591_Project01_Team_03_CS_591_Project
01_Team_03_CS_591_Projectharsh mehta
 
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & ImplementationsThousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & ImplementationsOracle
 
Expedite the development lifecycle with MongoDB and serverless - DEM02 - Sant...
Expedite the development lifecycle with MongoDB and serverless - DEM02 - Sant...Expedite the development lifecycle with MongoDB and serverless - DEM02 - Sant...
Expedite the development lifecycle with MongoDB and serverless - DEM02 - Sant...Amazon Web Services
 
The way from DB-driven development to DDD
The way from DB-driven development to DDDThe way from DB-driven development to DDD
The way from DB-driven development to DDDProvectus
 
Data Services and the Modern Data Ecosystem (ASEAN)
Data Services and the Modern Data Ecosystem (ASEAN)Data Services and the Modern Data Ecosystem (ASEAN)
Data Services and the Modern Data Ecosystem (ASEAN)Denodo
 
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Protect Sensitive Data: Implementing Fine-Grained Access Control in OracleProtect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Protect Sensitive Data: Implementing Fine-Grained Access Control in OracleNelson Calero
 

Ähnlich wie Policy based access control (20)

apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...
apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...
apidays LIVE London 2021 - Authorization is on the rise. by Damian Schenkelma...
 
Does DITA need XML? Lightweight DITA and HTML5
Does DITA need XML? Lightweight DITA and HTML5Does DITA need XML? Lightweight DITA and HTML5
Does DITA need XML? Lightweight DITA and HTML5
 
TechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security Features
 
Aspects of 10 Tuning
Aspects of 10 TuningAspects of 10 Tuning
Aspects of 10 Tuning
 
MySQL Enterprise Monitor
MySQL Enterprise MonitorMySQL Enterprise Monitor
MySQL Enterprise Monitor
 
7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom
 
Vpd
VpdVpd
Vpd
 
Practical_Business_Rules_Development_and_Use
Practical_Business_Rules_Development_and_UsePractical_Business_Rules_Development_and_Use
Practical_Business_Rules_Development_and_Use
 
Building The Agile Database
Building The Agile DatabaseBuilding The Agile Database
Building The Agile Database
 
Building Ranking Infrastructure: Data-Driven, Lean, Flexible - Sergii Khomenk...
Building Ranking Infrastructure: Data-Driven, Lean, Flexible - Sergii Khomenk...Building Ranking Infrastructure: Data-Driven, Lean, Flexible - Sergii Khomenk...
Building Ranking Infrastructure: Data-Driven, Lean, Flexible - Sergii Khomenk...
 
DB2 LUW Auditing
DB2 LUW AuditingDB2 LUW Auditing
DB2 LUW Auditing
 
TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5
 
01_Team_03_CS_591_Project
01_Team_03_CS_591_Project01_Team_03_CS_591_Project
01_Team_03_CS_591_Project
 
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & ImplementationsThousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
 
Expedite the development lifecycle with MongoDB and serverless - DEM02 - Sant...
Expedite the development lifecycle with MongoDB and serverless - DEM02 - Sant...Expedite the development lifecycle with MongoDB and serverless - DEM02 - Sant...
Expedite the development lifecycle with MongoDB and serverless - DEM02 - Sant...
 
The way from DB-driven development to DDD
The way from DB-driven development to DDDThe way from DB-driven development to DDD
The way from DB-driven development to DDD
 
Less11 Security
Less11 SecurityLess11 Security
Less11 Security
 
Data Services and the Modern Data Ecosystem (ASEAN)
Data Services and the Modern Data Ecosystem (ASEAN)Data Services and the Modern Data Ecosystem (ASEAN)
Data Services and the Modern Data Ecosystem (ASEAN)
 
A lightweight DITA update
A lightweight DITA updateA lightweight DITA update
A lightweight DITA update
 
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Protect Sensitive Data: Implementing Fine-Grained Access Control in OracleProtect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
 

Kürzlich hochgeladen

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

Kürzlich hochgeladen (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Policy based access control

  • 1. Policy-based access control Willem De Groef, iMinds-DistriNet Willem.DeGroef@kuleuven.be
  • 2. 2
  • 3. 3
  • 4. 4 ● Software artifact ● Declarative specification of access rules ● Independent from enforcement mechanism
  • 5. PBAC and what it can mean for your business Business policy Employees GovernanceOperational 5
  • 7. User Subject Principal Guard Protected resource Action 1. How and where to implement the guard 2. How to encode the access rules 7 General Access Control System
  • 8. Basic approach: rules in code [....] if (! (“manager” in user.roles and doc.owner == user and 8h00 < now() < 17h00 )) { [...] } + straightforward + you can encode almost anything - access rules are code - no separation of concerns - no modularity leads to audit challenge - what if rules change? ▪ update application code ▪ updates all over the place 8
  • 9. More advanced approach: modularization @authz(user, “read”, result) public Document getDoc(docId) { [...] } + central definition of rules + easier to audit - access rules are code - IT is still in charge - no separation of concerns - what if rules change? ▪ update application code ▪ updates all over the place 9 public boolean authz( subject, action, resource) { if (! (“manager” in user.roles and …)) { [...] }
  • 10. Most advanced approach: policy-based @authz(user, “read”, result) public Document getDoc(docId) { [...] } Policy Decision Point Policy + central authorization logic + central definition of rules + easy to audit + access rules independent artifacts + clear separation of concerns + rule updates at run-time 10
  • 11. Not all rainbows and unicorns 11
  • 12. PBAC and what it can mean for your business Business policy Employees GovernanceOperational 12
  • 13. <Policy PolicyId=“dynamic-separation-of-duty" RuleCombiningAlgId=“deny-overrides"> <Description>Dynamic separation of duty</Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="string-equal"> <AttributeValue DataType="string">doc123</AttributeValue> <ResourceAttributeDesignator AttributeId="resource:id" DataType="string"/> </ResourceMatch> </Resource> </Resources> </Target> <Rule RuleId="deny" Effect=“Deny"> <Description>Deny if viewed other doc</Description> <Condition> <Apply FunctionId="string-is-in"> <AttributeValue DataType="string">doc456</AttributeValue> <SubjectAttributeDesignator AttributeId="subject:historyy" DataType="string"/> </Apply> </Condition> </Rule> <Rule RuleId=“default-permit" Effect=“Permit"> </Rule> <Obligations> <Obligation ObligationId="append-attribute" FulfillOn="Permit"> <AttributeAssignment AttributeId="value" DataType="string"> <SubjectAttributeDesignator AttributeId="resource:id" DataType="string"/> </AttributeAssignment> <AttributeAssignment AttributeId="attribute-id" DataType="string">subject:history</AttributeAssignment> </Obligation> 13 Independent declarative policy specification
  • 14. 1. Easy-to-use Policy languages 14
  • 16. 16 IDE for ALFA policy language
  • 17. Simple Tree-structured Attribute-based Policy Language 17https://goo.gl/F2RE8g val policy = Policy("e-health example") := when ((action.id === "view") & (resource.type_ === "patient-data") & ("physician" in subject.roles)) apply PermitOverrides to ( Rule("requirement-for-permit") := permit iff (resource.owner_id in subject.treated), Rule("default deny") := deny )
  • 18. 2. Correctness & completeness support 18
  • 19. 19
  • 21. 21 Decoupling from application logic is hard { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBuckets", "Resource": "arn:aws:s3:::example_bucket" } } s3:ListBucket
  • 22. Open research challenges ● Improve performance & scalability of the PDP ● Interoperability across multiple applications ● Access rules for the database layer ● Conflict resolution in policies ● Management of policies ● Supporting organizational processes 22
  • 24. Conclusions 24 Policy-based access control ● Enables exciting new opportunities ○ Allows decent access management processes ○ Keep access control system in sync with your business ● Technology-wise still some hurdles ● Be future-proof by modularizing authorization!
  • 25. Policy-based access control Any further questions? Contact us at Willem.DeGroef@kuleuven.be Interested in our events? Subscribe here http://bit.ly/DistrinetAccessControl