Identity, Privacy, and Data Protection in the Cloud XACML. David Brossard Product Manager, Axiomatics

Similar documents
OPENIAM ACCESS MANAGER. Web Access Management made Easy

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

White Paper The Identity & Access Management (R)evolution

XACML and Access Management. A Business Case for Fine-Grained Authorization and Centralized Policy Management

HOL9449 Access Management: Secure web, mobile and cloud access

The Top 5 Federated Single Sign-On Scenarios

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

Entitlements Access Management for Software Developers

APIs The Next Hacker Target Or a Business and Security Opportunity?

Cloud-based Identity and Access Control for Diagnostic Imaging Systems

Single Sign On. SSO & ID Management for Web and Mobile Applications

The XACML Enabled Gateway The Entrance to a New SOA Ecosystem

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution

SPML (Service Provisioning Markup Language) and the Importance of it within the Security Infrastructure Framework for ebusiness

Guideline on Implementing Cloud Identity and Access Management

Federated Identity and Single Sign-On using CA API Gateway

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

Oracle Platform Security Services & Authorization Policy Manager. Vinay Shukla July 2010

CLAIMS-BASED IDENTITY FOR WINDOWS

White Paper: Security and Agility in the API Economy. Optimizing and securing your APIs with ViewDS Identity Solutions and Layer 7

An Introduction to SCIM: System for Cross-Domain Identity Management

WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

Flexible Identity Federation

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

Interoperate in Cloud with Federation

Attribute-Based Access Control Solutions: Federating Authoritative User Data to Support Relying Party Authorization Decisions and Requirements

CLOUD-HOSTED PROXY BASED COLLABORATION IN MULTI- CLOUD COMPUTING ENVIRONMENTS WITH ABAC METHODS

IBM Tivoli Federated Identity Manager

WHITEPAPER SAML ALONE IS NOT SECURE - HERE S HOW TO FIX IT

Identity. Provide. ...to Office 365 & Beyond

Access Management Analysis of some available solutions

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

Connecting Users with Identity as a Service

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

Introduction to SAML

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

Authentication and Authorization Systems in Cloud Environments

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

Secure Identity in Cloud Computing

Institute for Cyber Security. A Multi-Tenant RBAC Model for Collaborative Cloud Services

IDENTITY & ACCESS MANAGEMENT IN THE CLOUD

IBM API Management Overview IBM Corporation

Open Data Center Alliance Usage: Identity Management Interoperability Guide rev. 1.0

December 2014 Keywords/Summary

IBM Security Systems Division

White paper. Planning for SaaS Integration

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN

Enterprise Access Control Patterns For REST and Web APIs

PRACTICAL IDENTITY AND ACCESS MANAGEMENT FOR CLOUD - A PRIMER ON THREE COMMON ADOPTION PATTERNS FOR CLOUD SECURITY

An Oracle White Paper Dec Oracle Access Management OAuth Service

nexus Hybrid Access Gateway

UMA in Health Care: Providing Patient Control or Creating Chaos?

Microsoft SharePoint Architectural Models

MY1LOGIN SOLUTION BRIEF: PROVISIONING. Automated Provisioning of Users Access to Apps

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

SAML:The Cross-Domain SSO Use Case

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST618 Designing and Implementing Cloud Security CAST

The Future of Cloud Identity Security. Michael Schwartz Founder / CEO Gluu

tibbr Now, the Information Finds You.

Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management

A Standards-based Mobile Application IdM Architecture

Secure your cloud applications by building solid foundations with enterprise (security ) architecture

Apache Sentry. Prasad Mujumdar

Key Enablers for the Cloud Service Broker: Identity, Privacy, and Security

SaaS at Pfizer. Challenges, Solutions, Recommendations. Worldwide Business Technology

Cisco Cloud Onboarding Solution

IONA Security Platform

managing SSO with shared credentials

SAML Federated Identity at OASIS

TRANSITIONING ENTERPRISE CUSTOMERS TO THE CLOUD WITH PULSE SECURE

An Oracle White Paper August Oracle OpenSSO Fedlet

The increasing popularity of mobile devices is rapidly changing how and where we

EXECUTIVE VIEW. SecureAuth IdP. KuppingerCole Report

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

NCSU SSO. Case Study

A Survey on Cloud Security Issues and Techniques

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

Cloud Security: Is It Safe To Go In Yet?

EXECUTIVE VIEW. EmpowerID KuppingerCole Report. By Peter Cummings October By Peter Cummings

IGI Portal architecture and interaction with a CA- online

Request for Proposals. Statewide Two Factor Authentication Solution. Addendum #2 October 5, Questions and Responses

Transcription:

Identity, Privacy, and Data Protection in the Cloud XACML David Brossard Product Manager, Axiomatics 1

What you will learn The issue with authorization in the cloud Quick background on XACML 3 strategies to extend authorization to the Cloud What it means for customers SaaS providers 2

The issue with Authorization today The black box challenge 3

System growth leads to AuthZ challenges Cost App Brittleness App Static App Risk SaaS Lack of visibility SaaS SaaS Lack of audit Violation of SoD 4

The Authorization Challenge What happens to my data? Who can access which information? How do I comply with (what the auditor will ask for) Regulations? E.g. Export Control Contractual obligations? Going to the cloud doesn t make it easier Do I need a different approach for cloud? 5

Example: Manufacturing in the cloud Export Control Know the user (citizenship, location, affiliation) Know the end use (end location, purpose of use) 6

XACML to the rescue Implementing fine-grained authorization in the cloud 7

Authorization is nearly always about Who? Identity + role (+ group) 8

Authorization should really be about Who? What? When? Where? Why? How? 9

Behold XACML, the standard for ABAC extensible Access Control Markup Language OASIS standard XACML is expressed as A specification document (a PDF) + XML schema Policy-based & attribute-based language Implement authorization based on object relations Only employees of a given plant can see technical data linked to items assigned to the plant 10

Who s behind XACML? Oracle IBM Veterans Administration Axiomatics EMC 2 Bank of America The Boeing Company And many more 11

Refresher: the XACML architecture Enforce Policy Enforcement Point Decide Policy Decision Point Support Policy Information Point Policy Retrieval Point Manage Policy Administration Point 12

XACML Transparent & Externalized AuthZ Centrally managed policy: PERMIT user with clearance X to read document classified as. DENY access to classified document if PERMIT or DENY? Information asset PERMIT or DENY? I want User Application 13

XACML Anywhere AuthZ & Architecture Datacenter Private Cloud SaaS SaaS App A Service A Service D Service E Service M Service O 14

Fine-grained Authorization for the Cloud Three strategies for externalized authorization in the cloud 15

Option #1 tell your provider to adopt XACML A SaaS provider should offer Functional APIs (their core business) Non-functional (Security) APIs Let customers push their own XACML policies Apply the administrative delegation profile http://docs.oasis-open.org/xacml/3.0/xacml-3.0- administration-v1-spec-en.html 16

Functional API Option #1 Architecture 1. SaaS Admin delegates rights to manage access control provided to customer A. The rights are restricted to only the applications and resources provided to this particular customer s users. 2. Customer A s admin can manage access for their staff on its own by providing XACML policies and attributes XACML Mgmt API App#1 3. Customer A users use the SaaS application App#2 Central IT: Company A App#3 SaaS provider 17

Option #1 Architecture (including id. Federation) 4. Internal user identity is verified. User attributes are inserted inside newly created SAML assertion IdP STS Trust establishment STS 1. User authenticates using internal authentication mechanism and id store (e.g. LDAP) 3. User internal identity is translated to virtual identity e.g. SAML assertion 6. SAML assertion is validated against local STS. Attributes are extracted from SAML assertion and returned 7. XACML AuthZ request including the attributes from the SAML assertion are sent to the PDP for a decision message saml message 2. User calls out to SaaS application 5. User message is forwarded to SaaS app along with SAML assertion App#1 App#2 App#3 Central IT: Company A SaaS provider 18

Option #1 Pros & Cons Pros Consistent access control Fine-grained Risk-aware Future-proof SaaS vendor benefit multi-tenancy Cons Not many SaaS vendors support XACML today 19

Option #2 Proxy your cloud connections If you can restrict access to SaaS applications from within the corporate network All access to SaaS apps could be made to tunnel through a proxy 20

Option #2 Architecture VPN SaaS App #1 SaaS App #2 SaaS App #3 21

Option #2 Pros & Cons Pros Workaround current SaaS limitations Easy to deploy Available today Cons No direct access to SaaS app Forces users to go via VPN Access may not be as fine grained as Option #1 Lack of visibility into the SaaS data 22

Option #3 Policy Provisioning based on XACML What if the provider is reluctant to adopt XACML? If the application won t go to XACML then XACML will go to the application Eve Maler, Forrester You still get Centrally managed authorization Standards-based (XACML) Approach Convert from XACML to expected SaaS format Push via SaaS management APIs 23

Functional API Option #3 Architecture Convert XACML policies to the native format expected by the SaaS provider Authorization constraints / permissions in the format expected by the SaaS provider Native API App#1 Customer A users use the SaaS application App#2 Central IT: Company A App#3 SaaS provider 24

Option #3 Pros & Cons Pros Feasible today Viable solution Extends the customer s XACML-based authorization system s reach Cons Possible loss of XACML richness in access control Loss of dynamic nature 25

Standards & the Cloud Standards are important for the cloud It promotes vendor interoperability It promotes layer interoperability Example XACML authorization services can easily use SAML< OAUTH, OAUTH2, OpenID XACML can also use semantic web standards This leads to easier deployments and faster ROI 26

To summarize Cloud requires extensible Authorization Fine-grained Externalized Traditional approaches #1: tell your SaaS provider to adopt XACML. #2: proxy your cloud connections. Extended approach #3: Policy Provisioning based on XACML Also works for business apps (SharePoint, Windows) 27

Online resources OASIS technical committee: http://www.oasis-open.org/committees/xacml/ LinkedIn group http://www.linkedin.com/groups/oasis-xacml- 3934718 28

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information