TopTen Reasons Why Developers Don’t Adopt ABAC IRM Summit – Phoenix – June 2014 Gerry Gebel Axiomatics [email protected] @ggebel © 2014 Axiomatics AB 1
May 27, 2015
Top Ten Reasons Why Developers Don’t Adopt ABAC
IRM Summit – Phoenix – June 2014
Gerry Gebel Axiomatics [email protected] @ggebel
© 2014 Axiomatics AB 1
© 2014 Axiomatics AB 2
IRM Summit 2014
Agenda
§ Business trends and ABAC
§ Top Ten List
IRM Summit
© 2014 Axiomatics AB 3
Business Trends & ABAC
IRM Summit
© 2014 Axiomatics AB 4
What is Attribute Based Access Control (ABAC)? § A mode of externalized authorization
§ Authorization policies/rules are managed in a centralized service (deployment can be centralized/distributed/hybrid)
§ The Extensible Access Control Markup Language (XACML) is an example of an ABAC system
§ Policies utilize attributes to describe specific access rules, which is why it is called attribute based access control
© 2014 Axiomatics AB 5
Collaboration …depends on efficient information sharing… … which depends on precision in access controls…
Business challenge
Speed in business transactions …depends on efficient delegation of powers… … while losses due to fraud or excessive risk taking are minimized…
Business challenge
Regulatory compliance …depends on efficient IT governance … …which in turn depends on correct and verifiable authorizations …
Business challenge
Protecting credit card numbers, financial data, accounts, etc.
© 2014 Axiomatics AB 9
The data protection problem
Information storage – global increase
© 2014 Axiomatics AB 10
The data protection problem
Based on: Hilbert and Lopez, 2011
86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07
300
250
200
150
100
50
0
~93% digital
~0,7% digital
DAC
MAC
RBAC
ABAC Increasing access control challenges
Legacy access control Attribute based access control
© 2014 Axiomatics AB 11
Legacy access controls fail in dynamic environments
Policy example – expanded from NIST* report § Nurse Practitioners can View the Records of Patients in the same
Department they are assigned to during shift hours
§ This rule can apply to all departments in the hospital § Add a new department or change names of department and the rule does not change § Rule compares department of the Nurse Practitioner to the department of the Patient
© 2014 Axiomatics AB 12
Subject attributes Action attributes Resource attributes Environment * nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
Top Ten List
IRM Summit
© 2014 Axiomatics AB 13
ABAC Degree of Difficulty
© 2014 Axiomatics AB 14
aka, ADD
1. “It will impact performance”
© 2014 Axiomatics AB 15
Response #1 § There are many ways to scale or configure for maximum performance § Utilize caching of policies, attributes and decisions § Employ faster communication protocols, like Apache Thrift § Place the decision engine closer to the application it’s protecting § Embed the decision engine within the application to eliminate network hops § Use smart policy modeling to make evaluations more efficient
§ ABAC systems are proven in very large deployments § 200+ million users § 20,000 access requests per second § Your ABAC system should have many modes of operation to address many scenarios
© 2014 Axiomatics AB 16
2. “I don’t like XML”
© 2014 Axiomatics AB 17
Response #2 § Fine, don’t use it… try JSON instead
§ Go from this:
© 2014 Axiomatics AB 18
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" > </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> </xacml-ctx:Request>
Response #2 § To this:
© 2014 Axiomatics AB 19
{"subject": {"attribute":[{ "attributeId":"username", "value":"alice"}]},
"resource": {"attribute":[{ "attributeId":"resource-id", "value":"hello"}]},
"action": {"attribute":[{ "attributeId":"action-id", "value":"say"}]}} 0
200 400 600 800
1000 1200 1400
Char. Count
XML JSON
3. “It makes the system more complex”
© 2014 Axiomatics AB 20
Response #3 § So you prefer to pollute your application code
with security stuff?
§ There are trade-offs to consider when outsourcing functions to an external service
§ For the developer, the interface is very simple § Send a package of attributes to AuthZ service § Process the Permit/Deny response
© 2014 Axiomatics AB 21
REST
4. “I can do it faster myself”
© 2014 Axiomatics AB 22
Response #4 § IT lead time to set up authorization service can be time consuming § If you heavy weight processes for setting up new hardware, VM images, etc.
§ One time pain generates many returns for future projects § But few want to be the first mover
§ Option: bundle the authorization service with your application § Less reliance on IT services § All the necessary components are packaged with the application
© 2014 Axiomatics AB 23
5. “I don’t care about enterprise issues”
© 2014 Axiomatics AB 24
,
Response #5 § What are the results of this bad attitude? § IT has to provision accounts and identity data to every application built this way (which
launched the comma into IAM legend status) § Legions of application managers now hate you because they have to manually review
stacks of permissions and roles from your app and everyone else that built apps the same way
§ Congratulations, we now have 500 applications and 50,000 roles
© 2014 Axiomatics AB 25
6. “My code is more flexible”
© 2014 Axiomatics AB 26
Response #6 § You may be right, for a particular use case
§ But § How long did it take to code? § Is it adaptable to the next scenario? § How much effort is required to maintain your code?
© 2014 Axiomatics AB 27
7. “I don’t know where the attributes are”
© 2014 Axiomatics AB 28
Response #7 § No need to concern yourself § Just send the attributes available in the user session
§ Subject identifier § Resource identifier § Action
§ Role or group info § Device type
§ Authentication type § Etc.
§ The authorization service handles the rest, looking up additional attributes if necessary
© 2014 Axiomatics AB 29
8. “What if the external service fails?”
© 2014 Axiomatics AB 30
Response #8 § Practice good hygiene § Eliminate single points of failure § Understand failure modes and document processes for recovery § Implement change control processes, which permits roll back to known state
§ But these are tasks for the IT department, and it’s their specialty
© 2014 Axiomatics AB 31
9. “Who will manage the policies, me?”
© 2014 Axiomatics AB 32
Response #9 § If you insist, yes § Policies are easily created using ALFA shorthand syntax
§ Similar to C# or Java § Plug in for Eclipse § Submitted to OASIS for standardization
§ Or you can rely on business owner, security office or system administrators to create and manage access policies § It’s another item off your plate
© 2014 Axiomatics AB 33
10. “Isn’t ABAC just a new fad?”
© 2014 Axiomatics AB 34
Like, say, sock shots at conferences…
Response #10: The ABAC trend
35
2005 XACML version 2.0: Concept production-ready for enterprise needs.
2009 US Federal CIO Council – (FICAM) Roadmap and Implementation Plan v1.0 advocates ABAC
2006 Axiomatics founded. First project: a nation- wide eHealth service.
2011 FICAM v2.0: ABAC recommended access control model for promoting information sharing between diverse and disparate organizations.
2013 XACML version 3.0
2014 NIST Guide on ABAC
2014 Gartner predicts: ”By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today.”
ABAC = Attribute Based Access Control
© 2014 Axiomatics AB
Wrapping up
© 2014 Axiomatics AB 36
Summary § Touched on some issues of why developers resist ABAC
§ There are others….
§ Hopefully you’ve learned some ways to deal with objections
© 2014 Axiomatics AB 37
IRM Summit 2014
Questions? Thank you for listening