Axiomatics and First Point Global webinar Aug 6 2014
Transcript of Axiomatics and First Point Global webinar Aug 6 2014
© 2014 Axiomatics AB 1
Attribute Based Access Control (ABAC) and Authorising Data Access
Webinar: August 6, 2014
Today’s speakers
John Havers
Gerry Gebel
David Brossard
@axiomatics @fpgidentity #ABAC #XACML
Introduction
Overview and preamble
Business drivers – why organizations invested in ABAC
Business challenges – what problems they solved
Business values – what benefits they gained
Next generation information security
= dynamic authorization
= attribute based access control
Sensitive / business-critical information
Grant or deny access based on the following attributes:
Who, What, When, Where, Why, How
Why organizations invested in ABAC technology
Consolidated infrastructure
Enhanced security
Business enabler
Compliance
Expose data and APIs to customers and partners
Write once, Enforce everywhere
Consistent authorization enforcement across applications
Implement legal frameworks
Innovating in the digital economy
Business enabler
Expose data and APIs to customers and partners
ABAC Value Proposition
Use Cases:
• Context aware information management
• ABAC database filtering, the key to unlocking identity aware legacy data
The importance of ABAC in a modern information security and digital strategy
“By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.”
Gartner Predicts, March 2014
“Due to the emerging nature of the Dynamic Authorization Management market, innovation is a key capability. Innovation drives customer satisfaction when they receive new releases that meet their developing requirements. Axiomatics leads this sector.”
KuppingerCole Analysts, Dynamic Authorization Management Report 2014
Business Challenges
Problems solved
Benefits gained
Secure collaboration
Rapid and secure transactions
Compliance and governance
Timely IT service delivery
Secure collaboration
…depends on efficient information sharing…
…which depends on precision in access controls.
Legacy access controls fail in dynamic environments
ABAC thrives in dynamic environments
The ABAC factor
The information highways can be opened again. Information can now be shared securely between the right people under the right conditions.
Rapid and secure transactions
…depend on efficient delegation of powers…
… while losses due to fraud or excessive risk taking are minimized.
Choose between speed and security…
…or choose both
The ABAC factor
More people can be empowered to securely execute transactions.
The transaction approval process can be considerably speeded up, according to your risk appetite.
Effective compliance and governance…
…depend on efficient IT governance…
…which in turn depends on correct and verifiable authorizations.
Internal controls matrix and manual checklists
Centrally maintained policies enforced across applications
Authorization service
The ABAC factor
By enforcing regulations and proving that your organization is compliant you can avoid fines and other punishment, as well as damage to the organization’s reputation.
Timely service delivery
…depends on efficient software development…
…and change management not causing delays.
Hundreds or thousands of If-clauses scattered all over your code
Write your policy once & automate enforcement wherever needed
Write once use many times
If project X is in planning phase then … else …
If the user is member of project X then … else …
If user is project lead then … else …
If project X is in production phase then … else …
If project X change control board decision has been made then … else …
During the project planning phase all project members may change project specification documents. In the production phase specifications can only be changed by project leads if and only if a change control board decision authorizes them to do so.
The ABAC factor
Software development
10%-40% cost savings – the more complex authorization rules you have, the greater the saving. Write access control code once and use it over and over instead of maintaining thousands of "if"-clauses in your code.
Change Management
Up to 30% savings. No changes in applications when new business requirements or regulations mandate changes to access control policies.
So how do we do this?
Dynamic authorization for applications, enterprise APIs, and web services
Policies
Attribute Sources
1. Access request is intercepted
2. A query is sent to the external authorization service
3. The authorization engine evaluates the relevant policies
4. It may also need to query external attribute sources for more info
5. The decision – PERMIT or DENY is returned and enforced
User: Bob
Application
Can Bob access record #22?
PERMIT/DENY
Authorization Service
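The five steps above, applied to the project-specification rule from the "write once" slide, as an added example that is not part of the webinar slides or of any Axiomatics product. The function names, the `PROJECTS` attribute store and the users are constructed for illustration; unmatched requests are denied by default.

```python
# Added example: minimal enforcement point (PEP), decision point (PDP) and
# attribute source (PIP). All names and sample data are constructed.
PERMIT, DENY = "PERMIT", "DENY"

# Constructed attribute source (step 4): project state and user roles.
PROJECTS = {"X": {"phase": "planning", "ccb_approved": False,
                  "members": {"alice", "bob"}, "leads": {"alice"}}}

def lookup_attributes(user, project_id):
    """PIP: resolve attributes the request itself did not carry."""
    p = PROJECTS.get(project_id)
    if p is None:
        return None
    return {"phase": p["phase"], "ccb_approved": p["ccb_approved"],
            "is_member": user in p["members"], "is_lead": user in p["leads"]}

# The policy, written once as data: (description, predicate) pairs.
POLICY = [
    ("planning: any project member may change specifications",
     lambda a: a["phase"] == "planning" and a["is_member"]),
    ("production: project lead, only with a change control board decision",
     lambda a: a["phase"] == "production" and a["is_lead"] and a["ccb_approved"]),
]

def decide(user, action, resource_type, project_id):
    """PDP (step 3): evaluate the policy; anything unmatched is denied."""
    if action != "change" or resource_type != "specification":
        return DENY
    attrs = lookup_attributes(user, project_id)
    if attrs is None:  # unknown project: no attributes, no access
        return DENY
    return PERMIT if any(rule(attrs) for _, rule in POLICY) else DENY

def change_specification(user, project_id, apply_change):
    """PEP (steps 1, 2, 5): intercept, ask the PDP, enforce the answer."""
    if decide(user, "change", "specification", project_id) != PERMIT:
        raise PermissionError(f"{user} may not change specifications of {project_id}")
    return apply_change()
```

Moving project X to the production phase changes the outcome for every caller without touching `change_specification`, which is the point of keeping the rule out of application code.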
Dynamic authorization for data filtering
Policies
Attribute Sources
1. SQL statement is intercepted
2. A query is sent to the external authorization service
3. The authorization engine evaluates the relevant policies
4. It may also need to query external attribute sources for more info
5. The result: SQL statement is dynamically modified and only authorized data is returned to user
Application
Data storage
User Bob wants to SELECT * from table T
SELECT A,B FROM TABLE T WHERE…
Authorization Service
Filtered data
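A sketch of the statement rewrite described above, as an added example that is not from the webinar or from any Axiomatics product. The table layout, the `region` attribute and the function names are constructed; the filter accepts only a plain single-table SELECT and refuses everything else, and the row condition is passed as a bound parameter rather than spliced into the SQL text.

```python
import re
import sqlite3

def authorize_query(user_attrs, table):
    """Stand-in for the authorization service (steps 2-4): returns the
    column allow-list and a parameterized row predicate, or None."""
    if table != "T":  # constructed policy: only table T is covered
        return None
    return {"columns": ["A", "B"],
            "where": "region = ?", "params": [user_attrs["region"]]}

SIMPLE_SELECT = re.compile(
    r"^\s*SELECT\s+(\*|[\w\s,]+?)\s+FROM\s+(\w+)\s*;?\s*$", re.I)

def rewrite(sql, user_attrs):
    """Steps 1 and 5: intercept the statement, return (sql, params).
    Any statement shape the filter cannot reason about is refused."""
    m = SIMPLE_SELECT.match(sql)
    if not m:
        raise PermissionError("statement shape not supported by the filter")
    requested, table = m.group(1), m.group(2)
    grant = authorize_query(user_attrs, table)
    if grant is None:
        raise PermissionError(f"no access to table {table}")
    if requested == "*":
        cols = grant["columns"]  # narrow * to the authorized columns
    else:
        cols = [c.strip() for c in requested.split(",")]
        denied = [c for c in cols if c not in grant["columns"]]
        if denied:
            raise PermissionError(f"columns not authorized: {denied}")
    return (f"SELECT {', '.join(cols)} FROM {table} WHERE {grant['where']}",
            grant["params"])

def demo():
    """Run Bob's SELECT * against constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE T (A, B, C, region)")
    db.executemany("INSERT INTO T VALUES (?,?,?,?)",
                   [(1, "x", "secret1", "EU"), (2, "y", "secret2", "US")])
    sql, params = rewrite("SELECT * from T", {"user": "bob", "region": "EU"})
    return sql, db.execute(sql, params).fetchall()
```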
Conclusions
Attribute Based Access Control (ABAC) objectives
Get competitive advantage and create new revenue streams
Minimize the risk of fraud with dynamic, real-time access control
Meet global regulatory and privacy requirements
Cut time to market and streamline internal development
Attribute Based Access Control (ABAC) benefits
Enabling secure collaboration
Delegating execution powers for fast and secure financial transactions
Compliance, compliance, and compliance
Faster service delivery, reduced development costs
Meet us on site
Schedule time to meet with First Point Global and Axiomatics
During the weeks of August 25th and September 1st
Contact Damon Jones ([email protected])
or
Barry Metzger ([email protected])
Questions?
Thank you for listening