A Business Case for Fine-Grained Authorization and Centralized Policy Management
Dissolving Infrastructures

A recent Roundtable with CIOs from a dozen multinational companies concurred that Identity & Access Management (IAM) investment plans remain unaltered in spite of the financial situation that impacts everyone's IT budgets. Yet, they shared one serious concern: how do you establish an IAM roadmap that remains valid over at least the next six months, of which we currently know only one thing for certain, namely that there will be change? Examples of events foreseen, based on costly experience:

Mergers & acquisitions: a new entity with its own full-blown IT infrastructure suddenly needs to be incorporated. While basic business-critical systems can run in parallel for some time, at least portions of the user populations must be granted access across domains instantly. Existing role models aligning access with business rules become useless.

Cloud computing: a new CRM operated in-house for no more than six months was abandoned by a good portion of the company's sales force in favor of a co-hosted service floating on the clouds of a business partner. Integration points need to be remodeled to resolve the related IAM challenges.

Web service wrappers: transactions on mainframes once represented a major authorization headache. RACF or competing technology solutions were a satisfactory answer. Today, however, no user interacts with these systems face to face. Yet they are still the foundation within many infrastructures, hidden under layers of service-oriented architectures. Authorization issues multiply with each service added, and new services are being added constantly.

Increasingly diverse user populations: one CIO thought her company unique in that internal users represented only a fraction of her total identity life-cycle hassle.
A vast majority were external consultants, technology partners, resellers, different categories of customers with varying levels of access to support services, third-party service providers and many more. Her problem was special indeed, yet it turned out to be far from unique. Dynamically changing user populations seem to pass through some data centers like a herd of buffalo on the run.

Figure 1: Service Delivery Evolution Increases Authorization Headaches

Centralizing AAAA Control

In the not too distant past IAM was often referred to as AAAA. Definitions of the acronym have varied, but in essence these essential IAM goals were addressed:

Administration services to manage user identities and credentials
Authentication services to securely establish user identities
Authorization services to determine user permissions
Accountability services securing evidence of actions and events
As IAM capabilities have evolved in recent years, efficient and centralized control over some of these "A" domains has been achieved. The figure below illustrates a generic version of an IAM vision commonly promoted by vendors and implementers alike.

Figure 2: Common Overall IAM Vision

Administration: modern Identity Management solutions enable a structured process for the creation, alteration or termination of user IDs, with approval workflows leaving an audit trail for auditors and system owners alike to review. User Provisioning automates and secures user profile configuration on the systems thus centrally managed.

Authentication: more often than not, applications and systems utilize shared and centrally managed services to verify user identities. Technologies based on Kerberos, PKI, LDAP, SAML or other protocols and authentication mechanisms are widely deployed.

Accountability: while accountability within the IAM system itself can be established, securing an audit trail of user access to resources still remains a challenge. This is especially true for the most sensitive types of access: privileged or superuser access to systems holding business-critical data.

Finally, Authorization services essentially remain distributed and embedded within the proprietary code of the various target systems themselves. The intranet web portal, the CRM, ERP and HR systems may all share the same authentication service to verify that Joe is actually Joe. However, the CRM system will determine which customers Joe can access, the ERP system will resolve which invoice records Joe can edit, the HR system will grant access to employee data based on its own access control configuration applicable to Joe, and so on. Thus, authorization remains delegated to each of the provisioned target systems.
Dynamic Access Control Needs

User provisioning, probably the fastest growing branch of IAM technology deployed today, assumes such delegation of authorization to be reliable and sustainable, which in many instances may be the case. However, confronted with the dynamically changing business environment anticipated by the Roundtable discussion referred to above, the Common Overall IAM Vision illustrated above often falls short. It assumes a static operating environment and is therefore not flexible enough. With mashups combining data from multiple sources, there is little or no comfort even in the assumed fact that authorization within each individual source is sound. Data mining utilities accessing the RDBMS backend behind the application logic of the application server, web services propagating data to user populations beyond the realm of the existing authorization domain, service channels incorporating external content, user populations as well as data being merged: for all of these real-world challenges, the prevailing IAM vision risks introducing yet another legacy that hinders rather than supports smooth adaptation to dynamically changing requirements.

Moreover, even if the operating environment as such remains fairly stable, evaluation of user permissions still needs to respond dynamically to changing contexts. The NIST Enterprise Dynamic Access Control (EDAC) authorization model illustrates such needs. EDAC, suggested to overcome the static binding of permissions in Role Based Access Control (RBAC) models, introduces workflows, changing business rules, varying attributes, environmental changes (red alerts or, less dramatically, the end of business hours), filled-in questionnaire obligations and other changing conditions which must be considered in a decision to grant or deny access. What was permitted during phase A should possibly be denied once the state of a workflow changes to phase B. What goes at noon may be forbidden at midnight. What may be in compliance while the related data is in a draft state may be a severe breach of integrity once it has reached a finalized and approved state. Attributes altered in the course of data processing in one business-critical system may therefore need to impact authorization decisions made in another. In service-oriented architectures the frequency with which such contextual changes need to impact authorization decisions increases rapidly. New IAM architectures must keep these needs in mind in order to improve upon their predecessors.

Policy- and Standards-Based Authorization

Thus, while administration and authentication services have evolved over the years, modern IAM architectures still often lack key components to allow a standards-based approach to authorization and auditing challenges. With the eXtensible Access Control Markup Language (XACML), version 2 approved as an OASIS standard in 2005 and by now matured and production-ready, with 3.0 about to be released, a foundation for these components has been provided.
XACML provides a generic and flexible language to deal with all aspects of authorization policy management and enforcement. Much like SQL comes with a Data Definition Language for database modeling as well as a query language for data retrieval, XACML can be used to define access control policies as well as to query the policy engine with access requests, the response being a straightforward Permit or Deny. The flexibility and scalability of XACML ensure that it can be used to express any existing authorization policy or access request while addressing dynamically changing conditions with compelling simplicity.

Standards are of little interest unless adhered to and accepted by broad majorities. And standards put on banners in bitter struggles between know-it-alls of different convictions often serve counterproductive purposes. Luckily, XACML already enjoys broad acceptance, and robust interoperability between vendor implementations has already been proven. Thus, XACML is a standard that you can reliably base future architectural decisions upon.

Basic concepts

XACML provides attribute-based authorization. A Subject wants to perform an Action on a Resource in a given Environmental context. Each of these entities may be defined with one simple attribute or multiple sets of complex attributes. Rules define the conditions that need to be met if the requested action is to be allowed. Bob wants to read the financial report draft via the VPN at midnight. Permit or Deny? Alice wants to print the report on HP Printer 2 on the second floor although she hasn't signed her NDA yet. Permit or Deny? Multiple Rules are combined in Policies, and multiple Policies can be combined in Policy Sets. One Policy Set in turn can include multiple further Policy Sets.
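The Subject/Action/Resource/Environment model, the Rule/Policy/Policy Set nesting and the two sample requests above, together with the context-dependent decisions of the EDAC discussion (noon versus midnight, draft versus finalized), as an added example that is not from the original paper and not Axiomatics' code: a small Python policy evaluator in the XACML style. The rules, the directory entries for Bob and Alice, the business-hours window and the resulting decisions are all constructed assumptions chosen for illustration; a real XACML deployment expresses these policies in XML and evaluates them in a PDP with a richer set of combining algorithms than the two shown here.

```python
"""Minimal attribute-based policy evaluator in the XACML style (constructed example)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Union

Attrs = Dict[str, Any]
Decision = str  # "Permit", "Deny" or "NotApplicable"


@dataclass
class Request:
    """Who (subject) wants to do what (action) to what (resource) under which conditions (environment)."""
    subject: Attrs
    action: Attrs
    resource: Attrs
    environment: Attrs


# Combining algorithms: how a Policy (or Policy Set) reconciles the decisions of its children.
def deny_overrides(decisions: List[Decision]) -> Decision:
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"


def permit_overrides(decisions: List[Decision]) -> Decision:
    if "Permit" in decisions:
        return "Permit"
    return "Deny" if "Deny" in decisions else "NotApplicable"


@dataclass
class Rule:
    id: str
    effect: Decision                                        # Permit or Deny when the rule applies
    target: Callable[[Request], bool]                       # coarse test: is this rule about the request?
    condition: Callable[[Request], bool] = lambda r: True   # fine-grained test on the attributes

    def evaluate(self, r: Request) -> Decision:
        return self.effect if self.target(r) and self.condition(r) else "NotApplicable"


@dataclass
class Policy:
    id: str
    target: Callable[[Request], bool]
    children: List[Union[Rule, "Policy"]]   # Rules inside a Policy; Policies or Policy Sets inside a Policy Set
    combine: Callable[[List[Decision]], Decision] = deny_overrides

    def evaluate(self, r: Request) -> Decision:
        if not self.target(r):
            return "NotApplicable"
        return self.combine([child.evaluate(r) for child in self.children])


class PolicySet(Policy):
    """Same evaluation one level up: children are Policies or further PolicySets."""


def business_hours(r: Request) -> bool:
    return 8 <= r.environment["hour"] < 18   # assumed working day, not from the paper


DOCUMENT_POLICY = Policy(
    id="documents",
    target=lambda r: r.resource.get("type") == "document",
    children=[
        # "What goes at noon may be forbidden at midnight": drafts are off limits after hours.
        Rule("deny-drafts-after-hours", "Deny",
             target=lambda r: r.resource.get("state") == "draft",
             condition=lambda r: not business_hours(r)),
        Rule("permit-finance-read", "Permit",
             target=lambda r: r.action["id"] == "read",
             condition=lambda r: r.subject.get("department") == "finance"),
    ],
)

PRINTER_POLICY = Policy(
    id="printers",
    target=lambda r: r.resource.get("type") == "printer",
    children=[
        Rule("deny-without-nda", "Deny",
             target=lambda r: True,
             condition=lambda r: not r.subject.get("nda_signed", False)),
        Rule("permit-print-on-own-floor", "Permit",
             target=lambda r: r.action["id"] == "print",
             condition=lambda r: r.subject.get("floor") == r.resource.get("floor")),
    ],
)

# Each policy above only ever yields Deny or NotApplicable for requests outside its target,
# so permit-overrides at the set level is safe here; deny-overrides would give the same results.
CORPORATE_POLICY_SET = PolicySet(
    id="corporate", target=lambda r: True,
    children=[DOCUMENT_POLICY, PRINTER_POLICY], combine=permit_overrides)

# Constructed stand-in for the directory (LDAP/HR) that a Policy Information Point would consult.
DIRECTORY: Dict[str, Attrs] = {
    "bob":   {"department": "finance", "floor": 3, "nda_signed": True},
    "alice": {"department": "sales",   "floor": 2, "nda_signed": False},
}


def pip_subject_attributes(user_id: str) -> Attrs:
    """PIP role: enrich the bare user id with attributes from the authoritative source."""
    return {"id": user_id, **DIRECTORY.get(user_id, {})}


def pdp_decide(user_id: str, action: str, resource: Attrs, environment: Attrs) -> Decision:
    """PDP role: assemble the request and evaluate it against the top-level policy set."""
    req = Request(pip_subject_attributes(user_id), {"id": action}, resource, environment)
    return CORPORATE_POLICY_SET.evaluate(req)


def pep_allows(user_id: str, action: str, resource: Attrs, environment: Attrs) -> bool:
    """PEP role: enforce. Only an explicit Permit opens the door; Deny and NotApplicable both block."""
    return pdp_decide(user_id, action, resource, environment) == "Permit"


if __name__ == "__main__":
    report = {"type": "document", "name": "financial report", "state": "draft"}
    printer = {"type": "printer", "name": "HP Printer 2", "floor": 2}
    print("Bob reads the draft at midnight via VPN:", pdp_decide("bob", "read", report, {"hour": 0, "channel": "vpn"}))
    print("Bob reads the draft at noon:            ", pdp_decide("bob", "read", report, {"hour": 12, "channel": "lan"}))
    print("Alice prints without a signed NDA:      ", pdp_decide("alice", "print", printer, {"hour": 14, "channel": "lan"}))
```

Two design points worth noting. First, a rule that does not match yields NotApplicable rather than Deny, and it is the combining algorithm that turns a mix of Permit, Deny and NotApplicable into one answer; the enforcement point then treats anything but an explicit Permit as a refusal, so an unknown resource type or an unknown user is blocked without any rule having to say so. Second, the NDA status lives in the directory, not in the request, which is exactly the kind of attribute a PIP fetches on the PDP's behalf: when Alice's record changes, the decision changes with it and no application code is touched.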
Basic components

A Policy Enforcement Point (PEP) is a component intercepting any kind of access request. The PEP queries a Policy Decision Point (PDP) to determine whether access should be denied or allowed. The PDP may consult a Policy Information Point (PIP), which in turn interacts with other authoritative sources to gather additional data needed for a decision, typically an LDAP repository or databases holding information relevant for authorization decisions. Administrators use the Policy Administration Point (PAP) to maintain policy definitions.

The Business Case

A CIO confronted with the challenges of a sudden merger would obviously not resolve the issues at hand by simply adding some new authorization technology. XACML is no universal cure against rapidly changing user populations, cloud computing, clogged-up web services or insufficient compliance reporting tools. Yet headaches introduced in situations such as these would obviously be easier to endure in a world where standardized and policy-based authorization has been widely adopted. So when is the right time to start? When does XACML-based authorization provide short-term benefits while laying the foundation for a more sustainable future? Below are some examples of situations in which XACML-based authorization has proven to provide immediate benefits:

Service-oriented architectures. The organization is implementing new solutions based on service-oriented architectures. By making standardized authorization a corporate policy, developers are able to reuse authorization components more efficiently, which reduces implementation costs and time. At the same time, the organization gains an interface for business and IT to interact, allowing a structured process to ensure alignment of access control policies with overall business objectives and rules.

Dynamic and fine-grained access controls required.
The organization is unable to meet regulatory requirements or to achieve a satisfactory level of IT governance unless access to data in one or several business-critical applications can be made more context-aware with fine-grained authorization. Health care, where patient data records are shared in a way that needs to meet regulatory requirements and conform to standards such as HL7, is a typical example. But similar challenges arise in other Content-Enabled Vertical Applications (CEVA), which combine content management services with business process management tools to support core business processes. By using robust, fine-grained policy-based authorization the organization is able to protect privacy and to secure confidentiality for its vital data stores.

IAM-related integration efforts. The organization is introducing new tools and capabilities for purposes such as data mining and reporting, content management or ERP data exchange, efforts which require IAM integration to be achieved via the APIs provided by the tools used. A decision to achieve this integration by means of a PEP querying a PDP rather than a custom-built solution does not necessarily reduce the immediate integration effort, but the end result offers a more flexible and sustainable solution. And for every future integration project, the benefits of the integration platform thus achieved become obvious.

Controlling authorization in workflows. IT support for increasingly complex workflows is required as interactions between different user categories are being automated. This is for instance the case in many applications enabling e-government capabilities. Transfers from one state to another in a process may depend on complex data validation. Digital signatures may be used for approval workflows. To handle conditional process progress in which user access to data becomes context-dependent, a policy-based authorization model helps break down complex dependencies into simple logical operations.

Handling enterprise content management challenges. In recent years, many organizations have made use of new enterprise content management technologies that radically simplify the deployment of general-purpose data stores. Privacy concerns or data protection needs are typically not the primary focus when these solutions are being implemented. Yet, as vital information is made easily available to a broad audience, the need for fine-grained authorization soon becomes obvious. XACML-based authorization has proven to be an efficient answer to the problem.

Do you recognize any of the above or similar challenges? If so, you would probably be well advised to consider XACML as a basic requirement within your future IT architecture.
About Axiomatics

Axiomatics, located in Stockholm, Sweden, is the leading provider of fine-grained authorization and entitlement management solutions based on the XACML standard. As an active member of the XACML Technical Committee in OASIS, Axiomatics contributes to the development of the standard and has editorial responsibility for its latest specification. Axiomatics currently has customers in health care, defense, telecommunications and financial markets.

Contact information

Mailing address:
Axiomatics AB
Electrum 223
164 40 Kista
Sweden
info@axiomatics.com