ABAC non-technical challenge – APS 6.0
TRANSCRIPT
© 2014 Axiomatics AB 1
Handling the Access Control Obstacles
Enabling the shift to Attribute Based Access Control (ABAC) with Axiomatics Policy Server 6.0
Webinar: March 12, 2015
Agenda
Attribute Based Access Control (ABAC) introduction & drivers
Reducing the divide between business and IT – dealing with the non-technical challenges
APS 6.0: enabling a collaborative approach to ABAC management
Q&A
Existing access control models fail
Too coarse grained: hinders collaboration, leads to productivity and revenue loss
Unable to capture risks: unnecessary risk exposure and potential loss
Unable to meet regulatory requirements: compliance breaches, reputational loss, fines, etc.
Difficult to adapt information systems: slow time-to-market
WE NEED TO GO ABAC!
What is Attribute Based Access Control (ABAC)?
It uses centrally managed authorization policies/rules
(vs. current models based on code embedded differently in each application)
Policies use attributes to exactly define WHO should gain access to WHAT, WHERE, WHY, WHEN and HOW
(vs. current coarse-grained models based on roles to group users with similar needs)
It externalizes authorization from applications
(vs. current models based on authorization being built into each and every application)
It is standards-based – eXtensible Access Control Markup Language (XACML)
(vs. current models based on the skills and methods of software developers who implement business rules in C++, Java, C# etc.)
“By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.”
Gartner Predicts, March 2014
Attribute Based Access Control (ABAC)
ABAC enables the Any-Depth Architecture
The ABAC shift
Non-technical vs. technical challenge
FROM RBAC (coarse-grained): many users in one role
TO ABAC (fine-grained): many attributes per user/resource…
The ABAC shift
[Figure residue: “Role A”]
Purchase-to-pay: Process view vs. IT view
Based on: Audit-focused Mining – New Views on Integrating Process Mining and Internal Control, Martin Schultz, CISA, CIA, ISACA Journal Vol 3. 2014
Who is authorized to create a PO?
Who is authorized to approve?
[Figure: the PO, Receipt and Invoice documents, each marked with a question mark]
Who is authorized to verify delivery?
Who is authorized to approve payment?
Focus on policy rather than on role
Create PO: Permit users to create POs without general restrictions. For individual cost centers authorized users may however be explicitly named.
Approve PO: Managers level X or above can approve POs provided the amount is within their approval limits and the sum total of approved POs during the period does not exceed corresponding budget constraints.
Verify goods receipt: The receipt of goods or services must be verified. Permit users to register a receipt provided…
Approve payment: Permit an approval of a payment only if matching and approved PO-Receipt-Invoice exists and the user is…
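The Create PO and Approve PO policies above can be written directly as decisions over user, resource and cost-centre attributes instead of as roles. The following is an added example, not code from the deck or from Axiomatics Policy Server: the approver level threshold (the deck only says "level X") and every user, cost centre and amount are constructed values, and the "approved total for the period" is assumed to be supplied as a cost-centre attribute by whoever evaluates the policy.

```python
"""Added example (not from the Axiomatics deck): the 'Create PO' and 'Approve PO'
policies expressed as attribute-based decision functions."""
from dataclasses import dataclass, field

MIN_APPROVER_LEVEL = 3  # the deck says "level X or above"; X is not given, 3 is assumed


@dataclass
class User:
    user_id: str
    level: int = 0               # management level attribute
    approval_limit: float = 0.0  # per-PO approval limit attribute


@dataclass
class PurchaseOrder:
    po_id: str
    cost_center: str
    amount: float


@dataclass
class CostCenter:
    name: str
    budget: float                # budget for the current period
    approved_total: float = 0.0  # sum of POs already approved this period (assumed attribute)
    named_creators: set = field(default_factory=set)  # empty set = no restriction


def can_create_po(user: User, po: PurchaseOrder, cc: CostCenter):
    """Create PO: permitted in general; where a cost centre explicitly names
    authorized users, only those users may create POs for it."""
    if po.cost_center != cc.name:
        return False, "cost centre attribute does not match the PO"
    if cc.named_creators and user.user_id not in cc.named_creators:
        return False, f"{cc.name} restricts PO creation to explicitly named users"
    return True, "permit"


def can_approve_po(user: User, po: PurchaseOrder, cc: CostCenter):
    """Approve PO: level >= X, amount within the approver's limit, and the
    period's approved total including this PO within the cost centre budget."""
    if po.cost_center != cc.name:
        return False, "cost centre attribute does not match the PO"
    if user.level < MIN_APPROVER_LEVEL:
        return False, f"level {user.level} is below the required level {MIN_APPROVER_LEVEL}"
    if po.amount > user.approval_limit:
        return False, f"amount {po.amount:.2f} exceeds approval limit {user.approval_limit:.2f}"
    if cc.approved_total + po.amount > cc.budget:
        return False, f"approving would exceed the {cc.name} period budget of {cc.budget:.2f}"
    return True, "permit"


# Constructed sample data
ALICE = User("alice", level=3, approval_limit=10_000)
BOB = User("bob", level=2, approval_limit=10_000)
CC_RESTRICTED = CostCenter("CC-100", budget=50_000, approved_total=45_000,
                           named_creators={"alice"})
CC_OPEN = CostCenter("CC-200", budget=50_000)

if __name__ == "__main__":
    po = PurchaseOrder("PO-1", "CC-100", 4_000)
    print(can_create_po(BOB, po, CC_RESTRICTED))   # denied: CC-100 names alice only
    print(can_approve_po(ALICE, po, CC_RESTRICTED))  # permitted: 45,000 + 4,000 <= 50,000
```

Each function returns the decision together with the reason, so a denial can be logged and audited against the policy text rather than against a role membership.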
Based on: Enhancing Governance with a Simplified Approach to Segregation of Duties, Kevin Kobelsky, PhD, CISA, CA, CPA, ISACA Journal Vol 4. 2014
Defining the access control policy
Abstract example use case
[Figure: an access matrix over data storage and workflow phases (Planning, Production) for the Control board, the General public and Members, with Create, Read, Update and Delete operations per phase]
DEMO use case policy – English version
Defining the access control policy
A collaborative approach to Policy Life Cycle Management
[Figure: Domain 1 (Export control specialist), Domain 2 (PLM system owner), Domain 3 (DocMan system owner); Axiomatics Policy Server with Sandbox 1, Sandbox 2, Sandbox 3; AuthZ Domain 1, AuthZ Domain 2]
Lessons learned from customers
Policy owners
Attribute governance
How to reduce the divide between IT & Business in ABAC deployments – did we shed some light?
Axiomatics Policy Server 6.0 addresses the non-technical challenge
New features in Axiomatics Policy Server 6.0
Rich, web-based policy editor for business users
Put the business in the driver’s seat
One-click deployment
Enhanced attribute dictionary
Introduction of namespaces
Easy developer integration: REST and JSON support
Live Demo
Axiomatics Policy Server 6.0
The use case
Managers can view transactions
Employees can view transactions in their own region
The owner of a transaction can view the amount of the transaction.
Axiomatics Policy Server 6.0 Demo
Employees can view transactions in their own region
User attributes: Role == employee, Region
Action attributes: Action == view
Resource attributes: Object type == transaction, Region
Axiomatics Policy Server 6.0 Demo
Relationship
Let’s implement it in the policy editor
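Before the rules go into the policy editor, it helps to see the three statements of the demo use case as decisions over subject, action and resource attributes, including the relationship between user and resource. The block below is an added example and is not code from the deck or from Axiomatics Policy Server: the attribute ids (role, region, user-id, owner, field) are assumed names, and treating "view the amount" as a request for the resource's amount field while the first two rules cover the transaction record is a modelling assumption of this example. The rule that pairs the user's region with the resource's region is written so that a missing attribute on either side never produces a match, which is the failure mode to watch for when comparing two attributes.

```python
"""Added example, not from the Axiomatics deck or APS 6.0: a minimal
attribute-based decision function for the demo use case."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# A request maps an attribute category (subject, action, resource) to its attributes
Request = Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Request], bool]


def attr(req: Request, category: str, attr_id: str) -> Optional[str]:
    return req.get(category, {}).get(attr_id)


def same_attr(req: Request, cat_a: str, id_a: str, cat_b: str, id_b: str) -> bool:
    """Equality across categories that never matches on a missing attribute:
    None == None must not turn an unknown region or owner into a permit."""
    a, b = attr(req, cat_a, id_a), attr(req, cat_b, id_b)
    return a is not None and a == b


def views_transaction(req: Request) -> bool:
    return (attr(req, "action", "action-id") == "view"
            and attr(req, "resource", "object-type") == "transaction")


def views_record(req: Request) -> bool:
    # assumption: no 'field' attribute means the transaction record itself
    return views_transaction(req) and attr(req, "resource", "field") is None


RULES = [
    Rule("Managers can view transactions",
         lambda r: views_record(r) and attr(r, "subject", "role") == "manager"),
    Rule("Employees can view transactions in their own region",
         lambda r: views_record(r) and attr(r, "subject", "role") == "employee"
         and same_attr(r, "subject", "region", "resource", "region")),
    # The user/resource relationship: ownership, expressed as the subject's
    # user-id equalling the resource's owner attribute (assumed attribute ids)
    Rule("The owner of a transaction can view the amount of the transaction",
         lambda r: views_transaction(r) and attr(r, "resource", "field") == "amount"
         and same_attr(r, "subject", "user-id", "resource", "owner")),
]


def decide(req: Request) -> Tuple[str, str]:
    """Permit-overrides over the rules; if no rule applies the answer is Deny."""
    for rule in RULES:
        if rule.condition(req):
            return "Permit", rule.name
    return "Deny", "no applicable rule (deny by default)"


def request(role=None, user_id=None, region=None, action="view",
            object_type="transaction", res_region=None, owner=None, field=None) -> Request:
    """Constructed helper: build a request, leaving out attributes that are None."""
    cats = {
        "subject": {"role": role, "user-id": user_id, "region": region},
        "action": {"action-id": action},
        "resource": {"object-type": object_type, "region": res_region,
                     "owner": owner, "field": field},
    }
    return {c: {k: v for k, v in a.items() if v is not None} for c, a in cats.items()}


if __name__ == "__main__":
    print(decide(request(role="employee", user_id="u1", region="EMEA", res_region="EMEA")))
    print(decide(request(role="employee", user_id="u1")))  # region missing on both sides
```

The `request` helper drops attributes that are not known, which is how a real request looks when an attribute source has no value for the user or the resource; the second call in the usage shows that such a request is denied rather than accidentally matched.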