Transcript
Page 1: CIS14: The Very Latest in Authorization Standards

The Very Latest in Authorization Standards and Trends

Cloud Identity Summit - 2014

Gerry Gebel, Axiomatics, [email protected], @ggebel

© 2014 Axiomatics AB 1

Page 2: CIS14: The Very Latest in Authorization Standards

Preamble: Authorization v.Next

Cloud Identity Summit 2014

Page 5: CIS14: The Very Latest in Authorization Standards


Having a policy language is a key differentiator for ABAC/XACML

Page 6: CIS14: The Very Latest in Authorization Standards


OAuth

UMA

JWT

XACML

Finding the right combination

Page 7: CIS14: The Very Latest in Authorization Standards

Agenda

§ Business trends that are influencing authorization requirements

§ Externalized Authorization and ABAC

§ Standards update

§ JSON, REST, ALFA and more

§ Prognostications

Cloud Identity Summit 2014


Page 8: CIS14: The Very Latest in Authorization Standards

Business Trends & AuthZ

Cloud Identity Summit 2014

Page 10: CIS14: The Very Latest in Authorization Standards


Next generation information security = dynamic authorization = attribute based access control

Page 11: CIS14: The Very Latest in Authorization Standards

Legacy access controls fail in dynamic environments

ABAC thrives in dynamic environments

Page 12: CIS14: The Very Latest in Authorization Standards

Grant or deny access based on the following attributes: Who, What, When, Where, Why, How

[Figure: the six attribute categories arranged around sensitive / business critical information]

Page 13: CIS14: The Very Latest in Authorization Standards

“By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.”

Gartner Predicts, March 2014

Page 14: CIS14: The Very Latest in Authorization Standards

Externalized Authorization and ABAC

Cloud Identity Summit 2014


Page 15: CIS14: The Very Latest in Authorization Standards

NIST Special Pub 800-162 *

§  “[ABAC] flexibility provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object”


* nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

Page 16: CIS14: The Very Latest in Authorization Standards

Example from NIST report

§ Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients

§ Variables in the policy language enable very efficient policy structures – reducing the maintenance load

§ Management of heart patient records is part of the business application – not an IT function

§ Multiple attributes must be available for policy evaluation – either as part of the access request or retrieved from an authoritative source


Page 17: CIS14: The Very Latest in Authorization Standards

NIST example - expanded

§ Nurse Practitioners can View the Records of Patients in the same Department they are assigned to

§ This rule can apply to all departments in the hospital

§ Add a new department or change department names and the rule does not change

§ The rule compares the department of the Nurse Practitioner to the department of the Patient

§ Avoids the role explosion effect of RBAC models


Page 18: CIS14: The Very Latest in Authorization Standards

Applying ABAC to every layer of your application

ADAF


Page 19: CIS14: The Very Latest in Authorization Standards

REST, JSON, & ALFA: What’s new on the XACML standards front?


Page 20: CIS14: The Very Latest in Authorization Standards

What’s in the XACML standard

§ Reference Architecture

§ Policy Language

§ Request / Response Protocol

Profiles add functionality:

§ REST

§ JSON

§ Export Control

§ IP Protection

§ Hierarchical Resources

§ Etc.

Page 21: CIS14: The Very Latest in Authorization Standards

The Request/Response format

XACML Request: Can Manager Alice approve Purchase Order 12367?

• Subject: User id = Alice, Role = Manager

• Action: Action id = approve

• Resource: Resource type = Purchase Order, PO # = 12367

• Environment: Device Type = Laptop

XACML Response: Yes, she can

• Result: Decision: Permit, Status: ok

Page 22: CIS14: The Very Latest in Authorization Standards

XML encoding of an authZ request

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>

Can Alice say hello?

Page 23: CIS14: The Very Latest in Authorization Standards

JSON encoding of an authZ request

{
  "subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
  "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
  "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}
}

Page 24: CIS14: The Very Latest in Authorization Standards

JSON vs. XML

[Chart: size of a XACML request, XML vs. JSON, compared by word count (axis 0 to 50) and by character count (axis 0 to 1400)]

Page 25: CIS14: The Very Latest in Authorization Standards

REST Profile

[Diagram: XML over HTTP, JSON over HTTP]

Page 26: CIS14: The Very Latest in Authorization Standards

ALFA – Abbreviated Language for Authorization

§ Domain Specific Language (DSL) that provides an abstraction over XACML

§ Pseudo language is similar to C# or Java

§ Author policies in the Eclipse IDE; the plug-in automatically generates XACML

Axiomatics has committed to submit ALFA as an XACML profile

Page 27: CIS14: The Very Latest in Authorization Standards

A policy example, in English

/**
 * A manager can approve a transaction if their approval limit is greater than
 * the transaction amount and if the risk is less than 5
 */

Let’s take a look at this policy in XACML and ALFA

Page 28: CIS14: The Very Latest in Authorization Standards

A policy example, in XACML (1)

<?xml version="1.0" encoding="UTF-8"?>
<!-- This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <xacml3:Description>Let a manager approve a transaction if their approval limit is greater than the transaction amount and if the risk is less than 5</xacml3:Description>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="userRole" DataType="http://www.w3.org/2001/XMLSchema#string"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>


Page 29: CIS14: The Very Latest in Authorization Standards

A policy example, in XACML (2)

        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transaction</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="resourceType" DataType="http://www.w3.org/2001/XMLSchema#string"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction.allowIfLowRiskScore">
    <xacml3:Description/>
    <xacml3:Target/>
    <xacml3:Condition>
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than"/>
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">5.0</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="transactionRiskScore" DataType="http://www.w3.org/2001/XMLSchema#double"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>


Page 30: CIS14: The Very Latest in Authorization Standards

A policy example, in XACML (3)

        </xacml3:Apply>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal"/>
          <xacml3:AttributeDesignator AttributeId="transactionAmount" DataType="http://www.w3.org/2001/XMLSchema#double"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
          <xacml3:AttributeDesignator AttributeId="userApprovalLimit" DataType="http://www.w3.org/2001/XMLSchema#double"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
        </xacml3:Apply>
      </xacml3:Apply>
    </xacml3:Condition>
  </xacml3:Rule>
</xacml3:Policy>


Page 31: CIS14: The Very Latest in Authorization Standards

A policy example, in ALFA

policy allowTransaction{
    target clause userRole=="manager" and actionId=="approve" and resType=="transaction"
    apply firstApplicable
    rule allowIfLowRiskScore{
        condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
        permit
    }
}
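As an added example, not from the deck and not Axiomatics' code, here is a minimal Python evaluator for the allowTransaction policy above, applied to requests in the simplified JSON shape shown on the earlier slides. The attribute ids are the policy's own designators; the request values are constructed, and the attribute-to-category placement (amount and risk on the resource, approval limit on the subject) follows the XACML listing.

```python
import copy
# Constructed sample request in the slide's JSON shape (not from the deck); the
# attribute ids match the designators in the allowTransaction policy above.
REQUEST = {
    "subject": {"attribute": [{"attributeId": "userRole", "value": "manager"},
                              {"attributeId": "userApprovalLimit", "value": 10000.0}]},
    "resource": {"attribute": [{"attributeId": "resourceType", "value": "transaction"},
                               {"attributeId": "transactionAmount", "value": 2500.0},
                               {"attributeId": "transactionRiskScore", "value": 3.0}]},
    "action": {"attribute": [{"attributeId": "action-id", "value": "approve"}]},
}

def bag(request, category, attr_id):
    """All values of one attribute in one category: a XACML bag, possibly empty."""
    return [a["value"] for a in request.get(category, {}).get("attribute", [])
            if a["attributeId"] == attr_id]

def with_attr(request, category, attr_id, value):
    """Copy of the request with attr_id in category set to value (None removes it)."""
    req = copy.deepcopy(request)
    attrs = [a for a in req.setdefault(category, {"attribute": []})["attribute"]
             if a["attributeId"] != attr_id]
    if value is not None:
        attrs.append({"attributeId": attr_id, "value": value})
    req[category]["attribute"] = attrs
    return req

def target_matches(request):
    # target clause userRole=="manager" and actionId=="approve" and resType=="transaction"
    return ("manager" in bag(request, "subject", "userRole")
            and "approve" in bag(request, "action", "action-id")
            and "transaction" in bag(request, "resource", "resourceType"))

def evaluate(request):
    """Decision of the allowTransaction policy: 'Permit' or 'NotApplicable'."""
    if not target_matches(request):
        return "NotApplicable"              # policy target does not apply
    risk = bag(request, "resource", "transactionRiskScore")
    amount = bag(request, "resource", "transactionAmount")
    limit = bag(request, "subject", "userApprovalLimit")
    # any-of(double-greater-than, 5.0, risk): true if 5.0 > r for some r in the bag;
    # any-of-any(double-less-than-or-equal, amount, limit): true if some a <= l.
    # All designators are MustBePresent="false", so a missing attribute is an empty
    # bag, any-of over it is false, and the result is NotApplicable, not Indeterminate.
    low_risk = any(5.0 > r for r in risk)
    within_limit = any(a <= l for a in amount for l in limit)
    if low_risk and within_limit:
        return "Permit"                     # rule allowIfLowRiskScore fires
    return "NotApplicable"                  # firstApplicable: no further rules
```

The `with_attr` helper exists so that the boundary cases (risk exactly 5, amount above the limit, an attribute missing because its source was unreachable) can be checked one at a time.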

Page 32: CIS14: The Very Latest in Authorization Standards

Prognostications: OAuth & XACML? Further simplification of XACML?

Page 33: CIS14: The Very Latest in Authorization Standards

How can OAuth and XACML complement each other?

§ OAuth: popular authZ mechanism for API security and consumer scenarios

§ Missing from OAuth: declarative policy language

What if?

§ XACML policies were used to control scopes for OAuth tokens

Page 34: CIS14: The Very Latest in Authorization Standards

Easy consumption of JWT tokens for advanced authorization via XACML-based service

JWT

{
  "subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
  "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
  "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}
}

Page 35: CIS14: The Very Latest in Authorization Standards

On the further simplification of XACML

§ REST and JSON profiles greatly simplify the developer experience

§ See David Brossard’s workshop material from Sunday

§ But what about the policy language?

Page 36: CIS14: The Very Latest in Authorization Standards


SCIM + XACML

Page 37: CIS14: The Very Latest in Authorization Standards

Questions? Thank you for listening