XACML and Access Management. A Business Case for Fine-Grained Authorization and Centralized Policy Management

Transcription

1 A Business Case for Fine-Grained Authorization and Centralized Policy Management

2 Dissolving Infrastructures A recent Roundtable with CIOs from a dozen multinational companies concurred that Identity & Access Management (IAM) investment plans remain unaltered in spite of the financial situation which impacts the IT budgets of everyone. Yet, they shared one serious concern. How do you establish an IAM roadmap that remains consistently valid over at least the next six months of which we currently know only one thing for certain: namely that there will be change? Examples of events foreseen based on costly experiences made: Mergers & acquisitions: a new entity with its own full-blown IT infrastructure suddenly needs to be incorporated. While basic business critical systems can run in parallel for some time, at least portions of user populations must be granted access across domains instantly. Existing role modeling to align access with business rules become useless. Cloud computing: A new CRM operated in-house for no more than six months was abandoned by a good portion of the company s sales force in favor of a co-hosted service floating on the clouds of a business partner. Integration points need to be remodeled to resolve related IAM challenges. Web service wrappers: Transactions on mainframes once represented a major authorization headache. RACF or competing technology solutions were a satisfactory answer. Today, however, no user interacts with these systems face to face. Yet, they are still the foundation within many infrastructures, hidden under layers of service oriented architectures. Authorization issues are multiplying with each service added. And new services are being constantly added. Increasingly diverse user populations: One CIO thought her company unique in that internal users represented only a fraction of her total identity life-cycle hassle. A vast majority were external consultants, technology partners, resellers, different categories of customers with varying levels of access to support services, third-party service providers and many more. Her problem was special, indeed, yet it turned out to be far from unique. Dynamically changing user populations seem to pass through some data centers like a herd of buffalos on the run. Figure 1: Service Delivery Evolution Increases Authorization Headaches Centralizing AAAA Control In a not too distant past IAM was often referred to as AAAA. Definitions of the acronym have varied but in essence these essential IAM goals were addressed: Administration services to manage user identities and credentials Authentication services to securely establish user identities Authorization services to determine user permissions Accountability services securing evidence of actions and events

3 As IAM capabilities have evolved in recent years, efficient and centralized control over some of these A domains have been achieved. The figure below illustrates a generic version of an IAM vision commonly promoted by vendors and implementers alike. Figure 2: Common Overall IAM Vision Administration: Modern Identity Management solutions enable a structured process for the creation, alteration or termination of user IDs with approval workflows leaving an audit trail for auditors and system owners alike to review. User Provisioning automates and secures user profile configurations on thus centrally managed systems. Authentication: More often than not applications and systems utilize shared and centrally managed services to verify user identities. Technologies based on Kerberos, PKI, LDAP, SAML or other protocols or authentication mechanisms are widely deployed. Yet, while Accountability within the IAM system itself can be established, securing an audit trail of user access to resources still remains a challenge. And this is especially true for the most sensitive types of access: privileged or superuser access to systems holding business critical data. Finally, Authorization services essentially remain distributed and embedded within the proprietary code of the various target systems themselves. The intranet web portal, the CRM, ERP and HR system may all share the same authentication service to verify that Joe is actually Joe. However, the CRM system will determine which customers Joe can access. The ERP system will resolve which invoice records Joe can edit. The HR system will grant access to employee data based on its own access control configurations applicable to Joe, etc. Thus, authorization remains delegated to each of the provisioned target system. Dynamic Access Control Needs User provisioning, probably the fastest growing branch of IAM technology deployed today, assumes such delegation of authorization techniques to be reliable and sustainable, which in many instances may be the case. However, confronted with the dynamically changing business environment, as anticipated by the Roundtable discussion referred to above, the Common Overall IAM Vision illustrated above often falls short. It assumes a static operating environment and is therefore not flexible enough. With mashups combining data from multiple sources there is no or little comfort even in the assumed fact that authorization within each individual source is sound. Data mining utilities accessing the RDBMS backend behind the application logic of the application server, web services propagating data to user populations beyond the realm of the existing authorization domain, service channels incorporating external contents, user populations as well as data being merged for all of these real-world challenges, the prevailing IAM vision risks

4 introducing yet another legacy hindering rather than supporting smooth adoption to dynamically changing requirements. Moreover, even if the operating environment as such remains fairly stable, evaluation of user permissions still needs to respond dynamically to changing contexts. The NIST Enterprise Dynamic Access Control (EDAC) authorization model illustrates such needs. EDAC, suggested to overcome static binding of permissions in Role Base Access Control (RBAC) models, introduces workflows, changing business rules, varying attributes, environmental changes (red alerts or, less dramatically, end of business hours), filled-in questionnaire obligations etc. and other changing conditions which must be considered in a decision to grant or deny access. What was permitted during phase A should possibly be denied once the state of a workflow changes to phase B. What goes at noon may be forbidden at midnight. What may be in compliance while related data is in a draft state may be a severe breach of integrity once it has reached a finalized and approved state, etc. Attributes altered in the course of data processing in one business critical system may therefore need to impact authorization decisions made in another. In service oriented architectures the frequency with which such contextual changes may need to impact authorization decisions rapidly increases. New IAM architectures must keep these needs in mind in order to improve upon its predecessors. Policy- and Standards-Based Authorization Thus, while administration and authentication services have evolved over the years, modern IAM architectures still often lack key components to allow a standards-based approach to authorization and auditing challenges. With the extendible Access Control Markup Language (XACML), version 2 approved as an OASIS standard in 2005 and by now matured production-ready with 3.0 to be released, a foundation for these components has been provided. XACML provides a generic and flexible language to deal with all aspects of authorization policy management and enforcement. Much like SQL comes with a Data Definition Language for database modeling as well as a query language for data retrieval, XACML can be used to define access control policies as well as to query the policy engine with access requests; the response being a straightforward Permit or Deny. The flexibility and scalability of XACML ensures it can be used to express any existing authorization policy or access request while addressing dynamically changing conditions with a compelling simplicity. Standards are of little interest unless adhered to and accepted by broad majorities. And standards put on banners in bitter struggles between know-it-alls of different convictions often serve counterproductive purposes. Luckily, XACML already enjoys broad acceptance and robust interoperability between vendor implementations has already been proven. Thus, XACML is already a standard that you can reliably base future architectural decisions upon. Basic concepts XACML provides attribute based authorization. A Subject wants to perform an Action on a Resource in a given Enviromental context. Each of these entities may be defined with one simple or multiple sets of complex attributes. Rules define conditions that need to be met if the requested action should be allowed. Bob wants to read the financial report draft via the VPN at midnight. Permit or Deny? Alice wants to print the report on HP Printer 2 on the second floor although she hasn t signed her NDA yet. Permit or Deny? Multiple Rules are combined in Policies and multiple policies can be combined in Policy Sets. One Policy Set in turn can include multiple further policy sets.

5 Basic components A Policy Enforcement Point (PEP) is a component intercepting any kind of access request. The PEP queries a Policy Definition Point (PDP) to determine whether access should be denied or allowed. The PDP may consult a Policy Information Point (PIP) which in turn interacts with other authoritative sources to gather additional data needed for a decision, typically an LDAP repository or databases holding information relevant for authorization decisions. Administrators use the Policy Administration Point (PAP) to maintain policy definitions. The Business Case A CIO confronted with the challenges of a sudden merger would obviously not resolve issues at hand by simply adding some new authorization technology. XACML is no universal cure against rapidly changing user populations, cloud computing, clogged up web services or insufficient compliance reporting tools. Yet, obviously headaches introduced in situations such as these would be easier to endure in a world where standardized and policy-based authorization has been widely adopted. So when is the right time to start? When does XACML-based authorization provide short term benefits while laying the foundation for a more sustainable future? Below some examples of situations in which XACML-based authorization has proven to provide immediate benefits: Service-oriented architectures. The organization is implementing new solutions based on service oriented architectures. By making standardized authorization a corporate policy, developers are able to more efficiently reuse components for authorization which reduces implementation costs and time. At the same time, the organization enables an interface for business and IT to interact, allowing a structured process to ensure alignment of access control policies with overall business objectives and rules. Dynamic and fine-grained access controls required. The organization is unable to meet regulatory requirements or to achieve a satisfactory level of IT governance unless access to data in one or several business critical applications can be made more context aware with fine-grained authorization. Health care where patient data records are shared in a way that needs to meet regulatory requirements and conform to standards such as HL7 is a typical example. But similar challenges arise in other Content- Enabled Vertical Applications (CEVA) which combine content management services with business process management tools to support core business processes. By using robust, fine-grained policybased authorization the organization is able to protect privacy and to secure confidentiality for its vital data stores.

6 IAM related integration efforts. The organization is introducing new tools and capabilities for purposes such as data mining and reporting, content management or ERP data exchange, efforts which require IAM integration to be achieved via provided APIs of tools used. A decision to achieve this integration by means of a PEP querying a PDP rather than using a custom built solution does not necessarily reduce the immediate integration effort, but the end result offers a more flexible and sustainable solution. And for every future integration project, the benefits of a thus achieved integration platform become obvious. Controlling authorization in workflows. IT support for increasingly complex workflows is required as interactions between different user categories are being automated. This is for instance the case in many applications enabling egovernment capabilities. Transfers from one state to the other in a process may depend on complex data validation. Digital signatures may be used for approval workflows. To handle conditional process progress in which user access to data becomes context dependent, a policy based authorization model helps breaking down complex dependencies in simple logical operations. Handling enterprise content management challenges. In recent years, many organizations have made use of new enterprise content management technologies that radically simplify deployment of general purpose data stores. Privacy concerns or data protection needs are typically not the primary focus when these solutions are being implemented. Yet, as vital information is made easily available to a broad audience the need for fine-grained authorization soon becomes obvious. XACML based authorization have proven to be an efficient answer to the problem. Do you recognize any of the above or similar challenges? If so, you would probably be well advised to consider XACML as a basic requirement within your future IT architecture. About Axiomatics Axiomatics, located in Stockholm, Sweden, is the leading provider of fine- grained authorization and entitlement management solutions based on the XACML standard. As an active member of XACML Technical Committee in OASIS, Axiomatics contributes to the development of the standard and has the editorial responsibility of its latest specification. Axiomatics has currently customers in health care, defense, telecommunication and financial markets. Contact information Mailing address: Axiomatics AB Electrum Kista Sweden info@axiomatics.com