Agenda SAP AG or an SAP affiliate company. All rights reserved. 2

Transcription

1 NextLabs: Beyond RBAC ABAC and Information Control Automation Tim Quan, Director - SAP Industries & Solutions, NextLabs March 2014

2 Agenda Common Challenges to Role Based Access Control (RBAC) Information Control Automation and Attribute Based Access Control (ABAC) Industry Frameworks for ABAC ABAC in SAP Demonstration Examples Benefits and Common Scenarios in SAP 2014 SAP AG or an SAP affiliate company. All rights reserved. 2

3 Agenda Common Challenges to Role Based Access Control (RBAC) Information Control Automation and Attribute Based Access Control (ABAC) Industry Frameworks for ABAC ABAC in SAP Demonstration Examples Benefits and Common Scenarios in SAP 2014 SAP AG or an SAP affiliate company. All rights reserved. 3

4 Challenge - Enforcement Granularity We can give her the role, but we can t limit what data she can see Product A Product B Product C Product D Product E Supplier Granted Access Required Access Leads to too much access, custom authorization logic and/or complex roles 2014 SAP AG or an SAP affiliate company. All rights reserved. 4

5 Challenge - Discretionary Authorization Please have you manager approve access Why should or shouldn t you manager approve access? Role purpose Job function and assignments Least privileges Compliance requirements Existing access Trust When should your access be revoked? 2014 SAP AG or an SAP affiliate company. All rights reserved. 5

6 Challenge - Role Explosion We have 10,000 users and 125,000 roles and growing Companies have multiple access drivers Functional Roles Compliance Regulations (e.g. ITAR, Trade Secrets, PII) IP Control Agreements (e.g. PIEA, NDA) Multiple Applications and Systems (e.g. PLM, ERP, CRM) Traditional role based access control (RBAC) explodes based on the number of variables Required Access Rules Number of Access Variables 2014 SAP AG or an SAP affiliate company. All rights reserved. 6

7 Information Control Enforcement Today Policy Authorities Legal - Intellectual Property Business Authorizations (e.g NDA, License) Non-Disclosure Agreement Acme Inc and Wiley Tech agree to share confidential information about Kaboom for 3 years. Materials marked ACME Confidential and destroyed at end of project. Procedural Controls (e.g. Access Review) Systematic Controls (e.g. Access Control) 90% 10% Procedural Controls IT Create Wiley Tech Site Manage Wiley Tech Group End User Get manager review Mark confidential Put data Wiley Tech Confidential site Collaboration Portal Tell Wiley to Destroy Systematic Controls Limit Access to Wiley Tech Site to users in Wiley Tech Group 2014 SAP AG or an SAP affiliate company. All rights reserved. 7

8 Key Business Trends Impacting Information Risk Industry Consolidation Globalization Anywhere.. Any device Continued M&A activity anticipated 76% of executives anticipate at least one acquisition in 2013* Joint Ventures and partnerships on the raise Competitive threats keep companies on edge for IP Protection Firms expanding footprint to international markets to drive revenue growth Trade and information exchange is crossing company and country borders Firms looking for next frontier of operational efficiency gains Desire to minimize IT maintenance and support costs Firms look for enabling employees with required access to data from anywhere and through any device * KPMG Survey on M&A Activity SAP AG or an SAP affiliate company. All rights reserved. 8

9 Increased Global Collaboration Supplier/Partner Customers Supplier Collaboration My Company Customer Collaboration Quality Contractor Quality Collaboration Outsourced Manufacturing Offshore Subsidiary 2014 SAP AG or an SAP affiliate company. All rights reserved. 9

10 Secure Information Collaboration Challenge Supplier/Partner Customers Supplier Collaboration Forecasts Purchase Orders Kanban Invoices Shipments Quality Contractor Supplier Collaboration Quality Collaboration My Company Customer Collaboration Outsourced Manufacturing Customer Collaboration Forecasts Promotions Replenishment ASNs Offshore Subsidiary Outsourced Manufacturing Quality Collaboration Quality Notifications Sub Con POs ASNs Invoices Shipments Work Order WIP 2014 SAP AG or an SAP affiliate company. All rights reserved. 10

11 Business Authorization Dimensions Data Access Functional Access Determine the actions a user can perform Data Access Determine the data a user can see Functional Access Governance Rules for access management 2014 SAP AG or an SAP affiliate company. All rights reserved. 11

12 Authorization Layers 2014 SAP AG or an SAP affiliate company. All rights reserved. 12

13 Information Control Policy Policy Authorities Business Authorizations (e.g NDA, License) Information Control Policy Procedural Controls (e.g. Access Review) Systematic Controls (e.g. Access Control) 90% 10% Information Controls Audit Data Classification Access Control (ABAC) Integrated Rights Management Data Labeling and Marking Communication Control Application Control Device Control Network Control Compliance Workflow 2014 SAP AG or an SAP affiliate company. All rights reserved. 13

14 Agenda Common Challenges to Role Based Access Control (RBAC) Information Control Automation and Attribute Based Access Control (ABAC) Industry Frameworks for ABAC ABAC in SAP Demonstration Examples Benefits and Common Scenarios in SAP 2014 SAP AG or an SAP affiliate company. All rights reserved. 14

15 Information Control Policy Attribute Driven Policy Attribute Based Access Control (ABAC) enables dynamic authorization logic Environment Information Centric Protecting data across systems and applications Built in Data Classification Services Identity Based Deep integration with common identity management systems and standards Identity ABAC Information 2014 SAP AG or an SAP affiliate company. All rights reserved. 15

16 Policy Model Allow only US Engineers to access Project X Specifications from US Offices Subject Location = US AND Department = Engineering Resource Project = Project X AND Type = Specification Environment Network Address = * Attribute-based rule conveys business intent Provide fine-grain, data level control SAP AG or an SAP affiliate company. All rights reserved. 16

17 Policy Structure Target determines policy applicability Condition determines policy effect Effect Policy decision and obligations FOR Confidential Top Secret ON Access BY NOT Employee Level 5 WHERE User.Authority = Resource.Authority DO Allow, Log Access 2014 SAP AG or an SAP affiliate company. All rights reserved. 17

18 Agenda Common Challenges to Role Based Access Control (RBAC) Information Control Automation and Attribute Based Access Control (ABAC) Industry Frameworks for ABAC ABAC in SAP Demonstration Examples Benefits and Common Scenarios in SAP 2014 SAP AG or an SAP affiliate company. All rights reserved. 18

19 Gartner: Dynamic Attribute-based Authorization will be dominant Attributes are now "how we role Context will play an ever-expanding role as people come to enterprise networks from all angles and devices. It will be a world of attribute-based access control, where an identity marketplace becomes a key provider of user attributes that build context and define access control decisions, especially for critical data, systems. Crafting policy definitions, however, will continue to present challenges. Prediction: By 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today. Gartner Predicts 2014: Identity and Access Management (source 1, source 2) 2014 SAP AG or an SAP affiliate company. All rights reserved. 19

20 Kuppinger: Dynamic Attribute-based Authorization is the future Source: Kuppinger Cole Leadership Compass for Access Governance 2014 SAP AG or an SAP affiliate company. All rights reserved. 20

21 NIST Cyber Security Framework Source: Improving Critical Infrastructure Cybersecurity, Executive Order 13636, NIST, SAP AG or an SAP affiliate company. All rights reserved. 21

22 NIST Cyber Security Framework SAP Identity Management SAP GRC AC Source: Improving Critical Infrastructure Cybersecurity, Executive Order 13636, NIST, SAP AG or an SAP affiliate company. All rights reserved. 22

23 NIST Cyber Security Framework Source: Improving Critical Infrastructure Cybersecurity, Executive Order 13636, NIST, 2013 Centrally define corporate information security policies Segregate policy management by role Classify data based on policy Enforce data segregation based on policies Control access and usage based on multiple attributes, including user type, location, device type, media type Rights protect information based on multiple attributes Control how data is shared via based on policy Monitor and log data access and usage based on policies Raise user awareness through context based messages 2014 SAP AG or an SAP affiliate company. All rights reserved. 23

24 Agenda Common Challenges to Role Based Access Control (RBAC) Information Control Automation and Attribute Based Access Control (ABAC) Industry Frameworks for ABAC ABAC in SAP Demonstration Examples Benefits and Common Scenarios in SAP 2014 SAP AG or an SAP affiliate company. All rights reserved. 24

25 NextLabs Solution Approach Manage Monitor Educate Enforce Audit Turns business requirements into enforceable controls Integrates with enterprise, cloud, and client applications Data Classification Data Segregation Access Control Rights Protection Communications Control Activity Logging Log and audit data and user activity 2014 SAP AG or an SAP affiliate company. All rights reserved. 25

26 Policy-Driven Security Controls and Compliance Automation for SAP Allow only Project A Team Members in Site 1 to access Project A data for 6 months Context User Attributes Data Classification NextLabs is a SAP Endorsed Business Solution Partner Data-level and transaction-level security Field-level security control Virtualized data segregation Attribute-based Access Control and Access Segregation Encryption and DRM protection of data inside and outside of SAP Monitor or Deny modes Audit and Reporting of all requested access 2014 SAP AG or an SAP affiliate company. All rights reserved. 26

27 Information Control Policy Model 2014 SAP AG or an SAP affiliate company. All rights reserved. 27

28 Security Classification Centrally manages SAP Master data attributes Features Granularity (Transaction & Master data) Extensible Schema Inheritance (e.g., Material to BOM) Classification Lifecycle Management Classification Automation Integration with external Classification systems (e.g., SAP GTS for Export Control) 2014 SAP AG or an SAP affiliate company. All rights reserved. 28

29 Attribute Based Access Control ACCESS DENIED: Only members of Project Y can access project data ACCESS DENIED: ITAR Technical Data: Export Authorization Required 2014 SAP AG or an SAP affiliate company. All rights reserved. 29

30 Integrated Rights Management for SAP Protects data inside and outside SAP Features Automatic rights protection Long Text Documents File type agnostic Persistence Classification Metadata Rights 2014 SAP AG or an SAP affiliate company. All rights reserved. 30

31 Policy Compliance Audit Dashboards Role based dashboards for easy access to most critical analysis Analytics Multi-dimensional summary analysis Trend Analysis End to End Activity Audit Data access, use and distribution across applications Details required for Incident Investigation and Response Compliance Audit Policy Enforcement Policy Based Activity Audit Personal and Shared Reports Integrates with Compliance Record Keeping 2014 SAP AG or an SAP affiliate company. All rights reserved. 31

32 Agenda Common Challenges to Role Based Access Control (RBAC) Information Control Automation and Attribute Based Access Control (ABAC) Industry Frameworks for ABAC ABAC in SAP Demonstration Examples Benefits and Common Scenarios in SAP 2014 SAP AG or an SAP affiliate company. All rights reserved. 32

33 Agenda Common Challenges to Role Based Access Control (RBAC) Information Control Automation and Attribute Based Access Control (ABAC) Industry Frameworks for ABAC ABAC in SAP Demonstration Examples Benefits and Common Scenarios in SAP 2014 SAP AG or an SAP affiliate company. All rights reserved. 33

34 RBAC vs. RBAC+ABAC in SAP Scenario RBAC RBAC + ABAC 1 Company 50 Functional roles & 5 Subsidiaries 300 total roles: 50 Functional roles 5 derived company code 35 derived Plants 50 Functional roles 5 Subsidiaries 7 Plants/Subsidiary 35 Plants under 5 subsidiaries 1840 Roles 50 x 35 = 1,750 1, = 1840 Roles 51 Authorizations 50 Functional roles 1 NextLabs policy = 35 Plants 97% less roles using Attributes Benefit Baseline 97% less than RBAC alone 2014 SAP AG or an SAP affiliate company. All rights reserved. 34

35 NextLabs can help address Security & Compliance Challenges Business Transformation Secure Collaboration Regulatory Compliance IP and Data Security Accelerate consolidation with dynamic authorization. Enable field level security without role explosion with attribute based access control (ABAC). Accelerate and enable safe collaboration with external partners. Improve data access visibility within partner networks. Centrally define and enforce policies. Automate tedious compliance processes and audit reporting for Export (ITAR/EAR, BAFA, Dual Use, ) Privacy (PCI, PII ) Others (Chemical Weapons Convention, Nuclear Energy..) Protect and prevent loss of critical data inside and outside SAP Business Suite. Persistently protect IP data distributed with digital rights technology in and out of the enterprise SAP AG or an SAP affiliate company. All rights reserved. 35

36 Policy Evaluation SAP ECC Subject userid= carter Department = Sales location= US Action Run Query Resource UI Function = Display Mat = CRD Exp Security = ITAR IP = Proprietary Export Lic = NA ACC = Project 01 Response Effect Allow/Deny Obligations Show Message ITAR TECHNICAL DATA Policy Controller (PDP) Evaluate Deploy Policy Bundle Policies / Policy Components Control Center (PAP) AD/ LDAP SAP CUA HRMS IdM SAP Server 2014 SAP AG or an SAP affiliate company. All rights reserved. 36

37 Policy Combining Deny Override Policy 1 (IP Control) Application PIP PEP AuthZ Concept Andy Access Material A Policy Decision Point (PDP) ALLOW Policy 2 (Export Compliance) ALLOW DENY Data Policy Information Point (PIP) Policy 3 (National Security) DENY Manage Access Rules Independently. Reduces the number of authorizations 2014 SAP AG or an SAP affiliate company. All rights reserved. 37

38 Entitlement Manager for SAP Global Consolidation Secure Collaboration Regulatory Compliance Data & IP Security SAP Entitlement Manager DC Data Classification DS Data Segregation AC Access Control RP Rights Protection AL - Audit 2014 SAP AG or an SAP affiliate company. All rights reserved. 38

39 End-to-End Information Controls Secure the Source Secure data use Secure external collaboration Project X Project X Entitlement Management Tech Data.d wg Rights Management Tech Data.d wg Communication Control Allow Only Members of Project X to access Project X Data Deny Copy/Paste of Project X Data Encrypt Project X Data on USB Deny Sharing Project X data outside Project X Team Control Center Information Control Platform Information Control Policy Identity Controls Data XACML 2014 SAP AG or an SAP affiliate company. All rights reserved. 39

40 NextLabs Information Risk Management Suite Information Control Enforcement Application Enforcement Document Enforcement Enforcement Developer SAP ERP SAP CRM SAP DMS Microsoft SharePoint File Server (CIFS/NFS) Microsoft Windows DAC Dassault Enovia PLM Siemens Teamcenter PLM IBM FileNet P8 Rights Management Server Rights Management Client SOAP/REST Java C#, C++ Information Control Automation Data Classification Data Segregation Access Control Communication Control Data Encryption Activity Monitoring Control Center Policy Platform Information Control Policy Model Identity Data Events XACML 2014 SAP AG or an SAP affiliate company. All rights reserved. 40

41 SAP Endorsed Business Solutions (EBS) An SAP Ecosystem By Invitation Only Program Endorsed Business Solutions Complementary solutions selected by SAP Product and Industry groups Application level integration with 3 month solution qualification to ensure end-to-end business process Product roadmap guided by SAP based on Cooperative Development Agreement The use of NextLabs with SAP ERP enables customers to comply with export regulations such as ITAR and offers them greater flexibility in designing and enforcing IP security policies. - Magnus Bjorendahl Global Head of A&D IBU, SAP Endorsed by SAP and sold by partners 2014 SAP AG or an SAP affiliate company. All rights reserved. 41

42 World Class Customers Aerospace & Defense High Technology Chemical Financial Services Industrial Manufacturing 2014 SAP AG or an SAP affiliate company. All rights reserved. 42

43 About NextLabs NextLabs Overview We allow companies to preserve confidentiality, prevent data loss and ensure compliance across more channels and more points with a single unified solution with unmatched user acceptance and total cost of ownership. - Keng Lim, Chairman and CEO NextLabs Entitlement Manager is an SAP-Endorsed Business Solution. Policy-driven, information risk management software for Global 5000 enterprises. Help companies achieve safer and more secure internal and external collaboration. Ensure proper access to applications and data. Facts Locations HQ: San Mateo, CA Boston, MA Hangzhou, PRC Malaysia Singapore 40+ Patent Portfolio Major go-to-market Partners: SAP, Microsoft, IBM, Deloitte, HCL-AXON 2014 SAP AG or an SAP affiliate company. All rights reserved. 43

44 Thank you Tim Quan Director, SAP Industries & Solutions NextLabs 2 Waters Park Drive, Suite 250 San Mateo, CA T E tim.quan@nextlabs.com 2013 SAP AG or an SAP affiliate company. All rights reserved.