Enabling ABAC on APIs
© 2015 Axiomatics - @axiomatics 1
Do you have an authorization challenge? Secure your sensitive data using the Axiomatics Policy Server / Axway API Gateway
The value of information / data
What is the protection of confidential data worth to your enterprise?
What would your team be able build if there were no restrictions?
How valuable is your data at rest? In motion?
Find your golden eggs: which data deserves high protection?
The traditional way to achieve access control
Binary mechanisms: all or nothing
Firewalls…
Basic roles determine coarse-grained access
Administrators have access to all
Data is not digitized – security through ‘obscurity’
Axiomatics – Who We Are
Axiomatics is the leading provider of fine-grained authorization solutions that help enterprises share their data securely.
(sharing securely is the true caring)
Axiomatics – What We Do
We allow you to permit or deny access to data based on multiple factors:
Who can access information
What information can they access
When can they access information
Where can they access information from
How, from which device or via which API, can they access information
Why, for what reason, can they access information
Business Drivers
Secure Collaboration
Regulatory Compliance and Governance
New business & consumer mobile-driven interactions
Time-to-market & Consolidation
The Authorization challenge
Externalizing, Centralizing, and Standardizing Authorization
And it’s not getting any better
B2B
B-2-cloud-B
Organization X
Organization Y
Enhance your access control
Externalized
Access control is externalized from the business logic
Centralized
Access control policies are maintained centrally
Standardized
Access control policies use XACML, the eXtensible Access Control Markup Language
Flexible
ABAC is flexible – it can be applied to APIs, databases, and more
Dynamic
Access decisions are made dynamically at runtime
Context-based / Risk-based
Attribute-based access control (ABAC)
ABAC uses policies to define access rights
Enable real-time access reviews & compliance audits
Policies can express advanced scenarios e.g.
Segregation-of-duty
Risk-based access control
Geo-based access
Compliance use cases…
Healthcare scenarios
Policies enable timely and accurate compliance reporting
Make the auditors happy
Reports
What can a user do?
Who can access a given resource / API?
Attribute-based Access Control
Government Use Case – enable the e-citizen
Defense Agency of a European government
Challenge
Securely expose an API to send/receive messages between government agencies and the e-citizen
Solution
Axway API Gateway to expose and secure the messaging APIs
Axiomatics Policy Server to apply fine-grained authorization on the APIs
Secure your APIs using Axiomatics & Axway
Cloud-based services – SaaS – Federate & Control Access
Challenge
Let users use internal & cloud services seamlessly & make sure they access the relevant data only
Solution
Route all the calls to the cloud & internal apps via the Axway API Gateway
Use the API gateway to federate identities between the internal IdP and the cloud
Use the Axiomatics Policy Server to determine whether the user has access to the information in the cloud
Use the Axiomatics Policy Server to implement fine-grained authorization
Make sure the right data ends up in the right hands, right place, right jurisdiction at the right time
Enterprise
Axway API Gateway
IdP
Architectural Overview & Flow
Axiomatics Policy Server (APS)
Internal Apps
Cloud Apps (Salesforce…)
Customer Enablement Use Case – Insurance Company
Challenge
Unlock insurance data and expose it online via a customer/agent portal
Solution
Build an API portal using the Axway API Gateway
Build a web portal / mobile application that connects to the APIs
Use the Axiomatics Policy Server to determine who can view what data
Example: agents can only view the insurance profile of a customer they are assigned to
Architectural Overview & Flow
Components: Customer / Partner (via Web Portal or Mobile App), Axway API Gateway, Axiomatics Policy Server (APS), PIP, Insurance APIs, Insurance Data
1. View insurance contract
2. The gateway handles authentication & API security
3. The gateway calls APS for a fine-grained authorization decision: can Bob view insurance contract #123?
4. Retrieve metadata about the user and the insurance contract
5. Permit / Deny + extra options
6. The call is routed to the relevant API
Securing SharePoint
Apply Attribute-based access control to SharePoint
Use Case: Export Control & Access to Sensitive Material
Users
Belong to different projects
Have different nationalities
Have clearance levels
Documents
Have been classified (sorted, analyzed, and labeled)
Have a sensitivity classification (LOW, MEDIUM, HIGH)
Belong to special projects
Example rules
Documents with a Protective Marking of PINK may only be accessed by subjects with Clearance of Medium or High
Documents with a Nationality Constraint may only be accessed by subjects with that Nationality
Fine-grained access control for MS SharePoint
Architectural Overview
Axiomatics Policy Server
Axway API Gateway
PIP
Microsoft SharePoint
Axway API Gateway handles
Authentication / federation
Interception
Protection of the SharePoint web portal
Protection of the SharePoint APIs
Calls the Axiomatics Policy Server
On the way in
On the way out
Filters out content based on decisions from the Axiomatics Policy Server
Retrieves metadata from SharePoint APIs
Axiomatics Policy Server handles
Access control policy definition/design
Retrieves metadata from SharePoint APIs
Reaches decisions based on information provided by
Axway API Gateway
SharePoint APIs
Can produce additional statements e.g.
Encrypt a given web part
Send email notification to manager
How does it work?
Fine-grained access control for MS SharePoint
Example Request
Can Anne access a document from Project Epsilon?
Permit
Deny
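The two example rules from the export-control use case and the "Can Anne access a document from Project Epsilon?" request above, carried through as a small policy decision point. This is an added example, not Axiomatics or Axway code: the gateway is modelled as the PEP that only forwards a call on an explicit Permit, the module below is the PDP, and the two dictionaries stand in for the PIP. Every attribute value (Anne's clearance and nationality, Bob, Dave, the doc-* identifiers, the two-letter nationality codes) is constructed for the example; the two Deny rules come from the deck, while the project-membership Permit rule is an assumption added so that a Permit path exists.

```python
"""
Toy attribute-based PDP built from the deck's example rules.
Added example, not Axiomatics or Axway code. SUBJECTS and DOCUMENTS stand in
for a PIP; all attribute values in them are constructed.
"""
from dataclasses import dataclass
from typing import Optional

CLEARANCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str          # LOW / MEDIUM / HIGH
    nationality: str        # constructed two-letter code
    projects: frozenset     # projects the subject belongs to


@dataclass(frozen=True)
class Document:
    doc_id: str
    protective_marking: Optional[str]      # e.g. "PINK", or None
    nationality_constraint: Optional[str]  # e.g. "SE", or None
    project: Optional[str]


# Constructed PIP contents (a real deployment would query a directory
# and the SharePoint / insurance APIs for these attributes).
SUBJECTS = {
    "anne": Subject("anne", "MEDIUM", "SE", frozenset({"Epsilon"})),
    "bob": Subject("bob", "LOW", "FR", frozenset({"Delta"})),
    "dave": Subject("dave", "HIGH", "SE", frozenset({"Delta"})),
}
DOCUMENTS = {
    "doc-1": Document("doc-1", "PINK", None, "Epsilon"),
    "doc-2": Document("doc-2", None, "SE", "Epsilon"),
    "doc-3": Document("doc-3", "PINK", "FR", "Delta"),
}


def rule_protective_marking(s: Subject, d: Document) -> str:
    """Deck rule: PINK documents only for subjects with Clearance MEDIUM or HIGH."""
    if d.protective_marking == "PINK" and CLEARANCE_RANK[s.clearance] < CLEARANCE_RANK["MEDIUM"]:
        return "Deny"
    return "NotApplicable"


def rule_nationality_constraint(s: Subject, d: Document) -> str:
    """Deck rule: a Nationality Constraint admits only subjects of that nationality."""
    if d.nationality_constraint is not None and s.nationality != d.nationality_constraint:
        return "Deny"
    return "NotApplicable"


def rule_project_membership(s: Subject, d: Document) -> str:
    """Assumed rule (not stated in the deck): project members may access project documents."""
    if d.project is not None and d.project in s.projects:
        return "Permit"
    return "NotApplicable"


RULES = [rule_protective_marking, rule_nationality_constraint, rule_project_membership]


def decide(subject_id: str, doc_id: str) -> str:
    """PDP: evaluate every rule and combine with deny-overrides, one of XACML's
    standard combining algorithms. Any Deny wins over any Permit."""
    subject = SUBJECTS.get(subject_id)
    document = DOCUMENTS.get(doc_id)
    if subject is None or document is None:
        return "Indeterminate"  # the PIP could not supply the attributes
    results = {rule(subject, document) for rule in RULES}
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"


def pep_allows(subject_id: str, doc_id: str) -> bool:
    """Gateway-side enforcement: only an explicit Permit lets the call through.
    NotApplicable and Indeterminate both fail closed."""
    return decide(subject_id, doc_id) == "Permit"


if __name__ == "__main__":
    checks = [("anne", "doc-1"), ("anne", "doc-3"), ("bob", "doc-1"),
              ("dave", "doc-2"), ("carol", "doc-1")]
    for who, doc in checks:
        print(f"{who} -> {doc}: {decide(who, doc)} (gateway allows: {pep_allows(who, doc)})")
```

The point worth keeping from the flow slides is the split of responsibilities: the rules never see a user name, only attributes fetched from the PIP, and the gateway never interprets the policy, it only acts on the decision and treats anything other than Permit as a refusal.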
What’s the next step?
Start your ABAC journey with Axiomatics
Download the Assessment Package
Request an evaluation
Thank You