The Very Latest in Authorization Standards and Trends
Cloud Identity Summit - 2014
Gerry Gebel Axiomatics [email protected] @ggebel
© 2014 Axiomatics AB 1
Preamble Authorization v.Next
Having a policy language is a key differentiator for ABAC/XACML
OAuth, UMA, JWT, XACML
Finding the right combination
Agenda
§ Business trends that are influencing authorization requirements
§ Externalized Authorization and ABAC
§ Standards update: JSON, REST, ALFA and more
§ Prognostications
Business Trends & AuthZ
Next generation information security = dynamic authorization = attribute based access control
Legacy access controls fail in dynamic environments
ABAC thrives in dynamic environments
Grant or deny access to sensitive / business critical information based on the following attributes
§ Who
§ What
§ When
§ Where
§ Why
§ How
“By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.”
Gartner Predicts, March 2014
Externalized Authorization and ABAC
NIST Special Pub 800-162 *
§ “[ABAC] flexibility provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object”
* nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
Example from NIST report
§ Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients
§ Variables in the policy language enable very efficient policy structures – reducing the maintenance load
§ Management of heart patient records is part of the business application – not an IT function
§ Multiple attributes must be available for policy evaluation – either as part of the access request or retrieved from an authoritative source
NIST example - expanded
§ Nurse Practitioners can View the Records of Patients in the same Department they are assigned to
§ This rule can apply to all departments in the hospital
§ Add a new department or change names of department and the rule does not change
§ Rule compares department of the Nurse Practitioner to the department of the Patient
§ Avoids the role explosion effect of RBAC models
Applying ABAC to every layer of your application
ADAF
REST, JSON, & ALFA
What’s new on the XACML standards front?
What’s in the XACML standard
XACML: Reference Architecture, Policy Language, Request / Response Protocol
§ Profiles add functionality
§ REST
§ JSON
§ Export Control
§ IP Protection
§ Hierarchical Resources
§ Etc.
The Request/Response format
XACML Request: Can Manager Alice approve Purchase Order 12367?
• Subject: User id = Alice, Role = Manager
• Action: Action id = approve
• Resource: Resource type = Purchase Order, PO # = 12367
• Environment: Device Type = Laptop
XACML Response: Yes, she can
• Result: Decision = Permit, Status = ok
XML encoding of an authZ request
Can Alice say hello?
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
JSON encoding of an authZ request
{"subject": {"attribute":[{ "attributeId":"username", "value":"alice"}]},
"resource": {"attribute":[{ "attributeId":"resource-id", "value":"hello"}]},
"action": {"attribute":[{ "attributeId":"action-id", "value":"say"}]}}
JSON vs. XML
[Chart: size of a XACML request, word count and character count, XML vs. JSON]
REST Profile
[Diagram: XML over HTTP and JSON over HTTP]
ALFA – Abbreviated Language for Authorization
§ Domain Specific Language (DSL) that provides an abstraction over XACML
§ Pseudo language is similar to C# or Java
§ Author policies in Eclipse IDE; the plug-in automatically generates XACML
Axiomatics has committed to submit ALFA as an XACML profile
A policy example, in English
/**
* A manager can approve a transaction if their approval limit is greater than
* the transaction amount and if the risk is less than 5
*/
Let’s take a look at this policy in XACML and ALFA
A policy example, in XACML
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <xacml3:Description>Let a manager approve a transaction if their approval limit is greater than the transaction amount and if the risk is less than 5</xacml3:Description>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="userRole" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" />
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false" />
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transaction</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="resourceType" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" />
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction.allowIfLowRiskScore">
    <xacml3:Description />
    <xacml3:Target />
    <xacml3:Condition>
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than"/>
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">5.0</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="transactionRiskScore" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" />
        </xacml3:Apply>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal"/>
          <xacml3:AttributeDesignator AttributeId="transactionAmount" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false" />
          <xacml3:AttributeDesignator AttributeId="userApprovalLimit" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false" />
        </xacml3:Apply>
      </xacml3:Apply>
    </xacml3:Condition>
  </xacml3:Rule>
</xacml3:Policy>
A policy example, in ALFA
policy allowTransaction {
    target clause userRole == "manager" and actionId == "approve" and resType == "transaction"
    apply firstApplicable
    rule allowIfLowRiskScore {
        condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
        permit
    }
}
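To make the evaluation concrete, here is an added example (not code from the deck or from Axiomatics): a minimal Python evaluator that applies the target-then-rules, first-applicable model to requests in the JSON shape shown earlier, encoding both the allowTransaction policy above and the NIST nurse practitioner rule from the earlier slides. The short attribute ids (userRole, resourceType, transactionRiskScore, transactionAmount, userApprovalLimit, department, action-id) and the nurse-practitioner role string are assumptions.

```python
def bags(request, category):
    """Collect one category's attributes from the page's JSON request shape into bags (lists)."""
    out = {}
    for a in request.get(category, {}).get("attribute", []):
        out.setdefault(a["attributeId"], []).append(a["value"])
    return out

def any_of(fn, value, bag):
    """XACML any-of: fn(value, x) for some x in bag; an absent attribute is an empty bag -> False."""
    return any(fn(value, x) for x in bag)

def any_of_any(fn, bag1, bag2):  # XACML any-of-any: fn(x, y) for some x in bag1, y in bag2
    return any(fn(x, y) for x in bag1 for y in bag2)

def match(ctx, category, attr_id, value):  # a Target <Match> using string-equal
    return any_of(lambda v, x: v == x, value, ctx[category].get(attr_id, []))

def evaluate(policy, request):  # Target first, then Rules under first-applicable
    ctx = {c: bags(request, c) for c in ("subject", "resource", "action")}
    if not policy["target"](ctx):
        return "NotApplicable"
    for rule in policy["rules"]:
        if rule["condition"](ctx):
            return rule["effect"]
    return "NotApplicable"  # no rule applied (e.g. condition false or attribute missing)

def request(subject, resource, action):  # page's JSON shape from {attributeId: value} dicts
    enc = lambda d: {"attribute": [{"attributeId": k, "value": v} for k, v in d.items()]}
    return {"subject": enc(subject), "resource": enc(resource), "action": enc(action)}

# allowTransaction (the XACML/ALFA policy above): risk score < 5 and amount <= approval limit.
ALLOW_TRANSACTION = {
    "target": lambda c: match(c, "subject", "userRole", "manager")
    and match(c, "action", "action-id", "approve")
    and match(c, "resource", "resourceType", "transaction"),
    "rules": [{"effect": "Permit", "condition": lambda c:
        any_of(lambda v, x: v > x, 5.0, c["resource"].get("transactionRiskScore", []))
        and any_of_any(lambda x, y: x <= y, c["resource"].get("transactionAmount", []),
                       c["subject"].get("userApprovalLimit", []))}],
}

# NIST 800-162 example: practitioner and record must share a department (ids and role assumed).
VIEW_PATIENT_RECORD = {
    "target": lambda c: match(c, "subject", "userRole", "nurse-practitioner")
    and match(c, "action", "action-id", "view")
    and match(c, "resource", "resourceType", "patient-record"),
    "rules": [{"effect": "Permit", "condition": lambda c: any_of_any(lambda x, y: x == y,
        c["subject"].get("department", []), c["resource"].get("department", []))}],
}
```

Because the comparison is between two attributes rather than a literal, a new department needs only new attribute values, not a new rule, which is the point the NIST slides make.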
Prognostications
OAuth & XACML? Further simplification of XACML?
How can OAuth and XACML complement each other?
§ OAuth: popular authZ mechanism for API security and consumer scenarios
§ Missing from OAuth: declarative policy language
§ XACML policies were used to control scopes for OAuth tokens
What if?
Easy consumption of JWT tokens for advanced authorization via XACML-based service
{"subject": {"attribute":[{ "attributeId":"username", "value":"alice"}]},
"resource": {"attribute":[{ "attributeId":"resource-id", "value":"hello"}]},
"action": {"attribute":[{ "attributeId":"action-id", "value":"say"}]}}
JWT
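As an added example (not from the deck), the JWT-to-XACML step sketched above in Python: pin the algorithm, verify an HS256 token's signature against a shared key, and only then map its claims into the JSON request shown on the slide. The token, the key, the roles claim name and the subject attribute ids are constructed assumptions.

```python
import base64, hashlib, hmac, json

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims, key):
    """Constructed HS256 token for the example; in practice the token comes from the OAuth server."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verified_claims(token, key):
    """Return the claims only after pinning the algorithm and verifying the signature."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token to choose its own algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))

def xacml_request_from_jwt(token, key, resource_id, action_id):
    """Map verified claims into the page's JSON request: sub -> username, roles -> userRole
    (the 'roles' claim name and the attribute ids are assumptions)."""
    claims = verified_claims(token, key)
    subject = [{"attributeId": "username", "value": claims["sub"]}]
    subject += [{"attributeId": "userRole", "value": r} for r in claims.get("roles", [])]
    return {"subject": {"attribute": subject},
            "resource": {"attribute": [{"attributeId": "resource-id", "value": resource_id}]},
            "action": {"attribute": [{"attributeId": "action-id", "value": action_id}]}}

def accepted(token, key):
    """True if the token verifies; a tampered payload, wrong key or malformed token is rejected."""
    try:
        verified_claims(token, key)
        return True
    except ValueError:  # covers unpack errors, base64 errors and JSON errors as well
        return False
```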
On the further simplification of XACML
§ REST and JSON profiles greatly simplify the developer experience
§ See David Brossard’s workshop material from Sunday
§ But what about the policy language?
SCIM + XACML
Questions? Thank you for listening