lean and mean – authorization for kick-ass apis (jonas markström)
TRANSCRIPT
Lean & Mean - Authorization for kick-ass APIs
Jonas Markström, API Security Ninja
© Axiomatics 2016 2
Feeling lonely?
Not one but many monoliths
Time to rethink the plumbing…
Feeling pretty happy?
A single entry into the kingdom
Open up to business
Before & After
⁃ From the monolith to...
⁃ The decoupled approach
Diagram (before): Acme Enterprise, behind a firewall, with a web container whose processes access the data directly.
Diagram (after): Acme Enterprise, behind a firewall, with an API gateway in front of the APIs; the web container's processes and a third-party API reach the data only through the APIs.
Is your access control broken?
Who gets to decide?
Who gets to decide?
Diagram: User → API → Data. The user says "I, Alice, want to view bank accounts"; the API has to answer "Can Alice view account #123?" before touching the data.
The Guardian Angel
Authorization as Infrastructure
Diagram: User → API Gateway → API → SQL Proxy → Data. The user says "I, Alice, want to view bank accounts"; the API gateway asks the ABAC Authorization Service "Can Alice view account #123?", and the SQL proxy asks it "Which data can be retrieved?"
Did you say ABAC?
⁃ Externalized
⁃ Centralized
⁃ Policy Driven
⁃ Attribute-Based
⁃ Standardized
Attributes are labels that describe anyone and anything
Attributes are Multi-Dimensional
Who, What, Where, When, Why, How
Policies bring attributes together to make it all work
“Managers can view accounts in their region”
“Customers can create transfers up to $1,000”
“A user cannot approve a transfer they requested”
“Tellers can view transactions in their own region”
Policies that apply to a specific API or service
Policies that apply across the enterprise / API sets
Policies can be local or global
Use ABAC to implement... Time-based policies
“Deny access to the API outside office hours”
Use ABAC to implement... Location-based policies
“Dutch Employees cannot view Singapore client data”
Use ABAC to implement... Dynamic access control
“Managers can view accounts that are in the same branch.”
Use ABAC to implement... Dynamic Segregation of Duty
“Employees cannot approve transactions they initiate.”
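The policies quoted above (region-scoped views, the $1,000 transfer limit, segregation of duty, office hours, the Dutch/Singapore restriction) and the local-versus-global distinction can be seen working together in a small policy decision point. The block below is an added illustration written for this transcript, not Axiomatics code and not XACML: every attribute name (`role`, `region`, `country`, `requested_by`, `amount`, `time`), API name (`accounts`, `payments`, `clients`) and sample value is constructed for the example. It uses deny-overrides combining with default deny, so an error while evaluating an attribute, or a request no permit policy covers, fails closed. The "same branch" policy has the same shape as the region check and is not repeated.

```python
"""Toy ABAC policy decision point (PDP) for the bank-style policies quoted on
the slides.  Added illustration, not Axiomatics code: every attribute name,
policy, API name and sample value here is constructed for the example."""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Request:
    """One question a PEP (e.g. the API gateway) asks: can `subject` do `action`
    on `resource`, through API `api`, under these `environment` conditions?"""
    api: str
    action: str
    subject: dict
    resource: dict
    environment: dict = field(default_factory=dict)


def in_office_hours(r):
    # A missing time attribute counts as "outside hours": never guess a permit.
    t = r.environment.get("time")
    return t is not None and time(9, 0) <= t < time(17, 0)


def same(r, attr):
    # True only when both sides carry the attribute and the values match.
    return r.subject.get(attr) is not None and r.subject.get(attr) == r.resource.get(attr)


# Policies are (name, scope, effect, condition).  scope "*" is a global policy
# applied to every API; any other scope is local to that one API.
POLICIES = [
    ("deny access outside office hours", "*", "deny",
     lambda r: not in_office_hours(r)),
    ("Dutch employees cannot view Singapore client data", "*", "deny",
     lambda r: r.action == "view" and r.subject.get("country") == "NL"
     and r.resource.get("type") == "client_data" and r.resource.get("country") == "SG"),
    ("employees cannot approve transfers they requested", "payments", "deny",
     lambda r: r.action == "approve" and r.resource.get("type") == "transfer"
     and r.resource.get("requested_by") == r.subject.get("id")),
    ("managers can view accounts in their region", "accounts", "permit",
     lambda r: r.subject.get("role") == "manager" and r.action == "view"
     and r.resource.get("type") == "account" and same(r, "region")),
    ("tellers can view transactions in their own region", "accounts", "permit",
     lambda r: r.subject.get("role") == "teller" and r.action == "view"
     and r.resource.get("type") == "transaction" and same(r, "region")),
    ("customers can create transfers up to $1,000", "payments", "permit",
     lambda r: r.subject.get("role") == "customer" and r.action == "create"
     and r.resource.get("type") == "transfer" and r.resource.get("amount", 0) <= 1000),
    ("approvers can approve transfers", "payments", "permit",
     lambda r: r.subject.get("role") == "approver" and r.action == "approve"
     and r.resource.get("type") == "transfer"),
]


def decide(request, policies=POLICIES):
    """Deny-overrides combining with default deny: any applicable deny wins,
    otherwise any applicable permit, otherwise deny.  Returns (decision, reasons)."""
    denies, permits = [], []
    for name, scope, effect, condition in policies:
        if scope not in ("*", request.api):
            continue
        try:
            applies = bool(condition(request))
        except (TypeError, AttributeError):
            # Malformed or wrongly typed attributes fail closed, never open.
            denies.append(f"{name} (attribute error)")
            continue
        if applies:
            (denies if effect == "deny" else permits).append(name)
    if denies:
        return "deny", denies
    if permits:
        return "permit", permits
    return "deny", ["no applicable permit (default deny)"]


def ask(api, action, subject, resource, hour=10):
    """Convenience wrapper: build the request with a clock-time attribute."""
    return decide(Request(api, action, subject, resource, {"time": time(hour, 0)}))


if __name__ == "__main__":
    alice = {"id": "alice", "role": "manager", "region": "EU", "country": "NL"}
    account = {"type": "account", "id": "123", "region": "EU"}
    print(ask("accounts", "view", alice, account))                        # permit
    print(ask("accounts", "view", alice, account, hour=20))               # deny: office hours
    print(ask("accounts", "view", alice, dict(account, region="APAC")))   # default deny
    carol = {"id": "carol", "role": "approver"}
    print(ask("payments", "approve", carol,
              {"type": "transfer", "amount": 300, "requested_by": "carol"}))  # deny: SoD
```

The point to notice is where the decision lives: the gateway (PEP) only assembles attributes and asks, and the answer for "Can Alice view account #123?" changes with the time of day, the subject's region and the resource's owner without any API code changing. The two global rules are enforced on the `clients` API even though no local policy was ever written for it.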
Secure APIs start with ABAC...
Any API. Any Policy. Any Attribute.