Flexible and dynamic security for the data-centric enterprise
David Brossard
Axiomatics
Twitter: @axiomatics
Flexible and dynamic security for the data-centric enterprise
Bridging the gap between the C-Level and systems administrators
• More data about everything: interaction data, medical data, financial data, IoT data, social network data, government records, customer preferences
• More users: employees, partners, customers, patients, insurers, family, banks, manufacturers
• More user expectations: access anytime, access anywhere, access from any device
• More regulations: privacy, SoX, HIPAA, PCI-DSS, patient consent
• More jurisdictions: US regulations, EU legislation, NAFTA, Hong Kong Monetary Authority, Singapore
• More devices: smart phone, tablet, desktop, laptop, smart watch
The modern data headache
• Coarse-grained (all or nothing)
• Role-centric (sysdba)
• Linked to the database (rather than the data)
Traditional database security
Huh, ok, hmmm let’s implement some custom logic here
A one-way monologue
Let’s pepper in stored procedures…
Implement the latest Singapore Finance regulation… Now!
Add more regulations…
What about governance & compliance?
• What are the access permissions?
• Who has access to a record?
• Who accessed a given record?
Need for a comprehensive approach
• Access Reviews, Compliance & Audits
• Requirements gathering
• Design & Implementation
How to implement the following…
Source: Monetary Authority of Singapore
Employees of the bank can view customers’ bank accounts
Employees outside Singapore cannot view the balance of a Singapore-based customer
All access to data should be blocked outside office hours
Static data masking – Copying data to another location
Hard-coding logic inside the db e.g. stored procedures
Hard-coding inside the application layer
… using today’s techniques?
Challenges
• Too static
• Difficult to audit
• Time to market
• Expensive
• Technology-specific
• Security silos
A way capable of tackling the many dimensions of data in the modern world
There is a better way (comprehensive, holistic)
Security capable of leveraging those attributes to make decisions
Security that looks at the data, the user and their attributes
We need true data-centric security
Attribute-Based Access Control
• A standard defined by NIST
• Access control is expressed via policies
• Policies use attributes to describe cases when access should be denied / allowed
Attribute-Based Access Control
• Access control is externalized from the business logic
• Access control policies are maintained centrally
• The access control is flexible so that it can be applied to APIs, databases, and more
• Access control decisions are made dynamically at runtime
Define the access control requirement
Only employees in Singapore can view the balance of a Singapore-based customer bank account
• Role: employee
• User location: Singapore
• Action: view (SELECT)
• Resource: balance
• Resource type: bank account
• Resource location: Singapore
Extract the attributes
Only employees in Singapore can view the balance of a Singapore-based customer bank account
A user with the role == employee
can do the action == SELECT
on the column == BALANCE of table == ACCOUNTS
if account.location == user.location
Implement the policy
Only employees in Singapore can view the balance of a Singapore-based customer bank account
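The policy above (role == employee, action == SELECT, BALANCE visible only if account.location == user.location) together with the office-hours rule, written out as an added example that is not from the original slides and is not Axiomatics product code. The function names, the sample rows, the `****` mask and the 09:00 to 18:00 office hours are assumptions.

```python
from datetime import time

# Assumed office hours; the slides do not define them.
OFFICE_OPEN, OFFICE_CLOSE = time(9, 0), time(18, 0)
MASK = "****"

def decide(user, action, column, row, now):
    """Policy decision: return 'permit', 'mask' or 'deny' for one column of one row."""
    # Rule: all access to data is blocked outside office hours.
    if not (OFFICE_OPEN <= now < OFFICE_CLOSE):
        return "deny"
    # Rule: only a user with role == employee may do action == SELECT.
    if user.get("role") != "employee" or action != "SELECT":
        return "deny"
    # Rule: BALANCE is visible only if account.location == user.location.
    # A missing user location fails closed (masked), never open.
    loc = user.get("location")
    if column == "BALANCE" and (loc is None or row.get("LOCATION") != loc):
        return "mask"
    return "permit"

def filter_rows(user, rows, now):
    """Policy enforcement: filter and mask rows on the fly at query time."""
    out = []
    for row in rows:
        decisions = {c: decide(user, "SELECT", c, row, now) for c in row}
        if "deny" in decisions.values():
            continue  # the whole row is filtered out
        out.append({c: (MASK if decisions[c] == "mask" else v)
                    for c, v in row.items()})
    return out

# Constructed sample data, not from the slides.
ACCOUNTS = [
    {"ID": 1, "OWNER": "Tan", "LOCATION": "Singapore", "BALANCE": 1200},
    {"ID": 2, "OWNER": "Smith", "LOCATION": "USA", "BALANCE": 560},
]
```

The decision logic lives in one function outside the application and the database, so changing a rule means changing `decide`, not every query or stored procedure.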
• Centrally managed access policies
• Data filtering on the fly
• Dynamic Data masking on the fly
What ABAC can let you achieve
Axiomatics Data Access Filter MD
• One solution for multiple databases
• Policy-driven data-centric security
– The same standards-based policies you use for other apps / APIs
• Dynamic on-the-fly data filtering
– Only retrieve entitled data & avoid leaks
• Dynamic on-the-fly data masking
– Mask values e.g. credit card numbers
Fortune 50 Bank
• Location: NY, USA
• Use case: developer access to production data
• Challenges
– Make sure developers get relevant access only
– Ensure PII are not disclosed
Fortune 50 Bank
• Location: NY, USA
• Use case: business intelligence & big data
• Challenges
– Run reports on bank data
– Protect PII
Fortune 500 Pharmaceutical
• Location: USA
• Use case: clinical trial data
• Challenges
– Guarantee patient privacy
– Protect company sensitive IP
– Speed up time to market through secure collaboration
Fortune 500 Global Bank
• Location: Europe
• Use case: implement banking regulations
– Singapore
– Hong Kong
• Challenges
– In order to operate in certain markets, banks must comply with an increasing number of complex regulations around data sharing