Managing Role Explosion with Attribute-based Access Control - Webinar Series - Part 2
Transcript of Managing Role Explosion with Attribute-based Access Control - Webinar Series - Part 2
© 2005-2013 NextLabs Inc.
Managing Role Explosion with Attribute-based Access Control: “Attributes” is the new Role
Sandeep Chopra, Director of Product Management, NextLabs, Inc.
2-Part Series
Part 1 – More Roles than Employees
• Trends and drivers for role explosion, cost of role management
• Demonstrations of typical use cases that drive role explosion
Part 2 – “Attributes” is the new Role
• Basics of ABAC and how it can help reduce role explosion
• Demonstrations of typical use cases and how ABAC works
Agenda
Presentation Review of Last Week Attribute Based Access Control Information Control Policies Use Cases Demonstration Examples
Question and Answers
Authorization Layers
Challenge – Exploding Access Complexity
Companies have multiple access variables
• Multiple Export Jurisdictions (e.g. ITAR, EAR, BAFA)
• Multiple IP Control Agreements (e.g. PIEA, NDA)
• Multiple Applications and Systems (e.g. PLM, ERP, SCM)
Traditional role based access control (RBAC) explodes based on the number of variables
[Figure: Required Access Rules plotted against Number of Access Variables]
What are my Data Authorization options?
Data Authorization Decision Map
ABAC: Integrating Identity, Content, and Context Attributes
Identity User Recipient Internal and External
Context Computer Network Location Channel/Application Connection Time
Content Data Type Metadata Custom Tags Data Content
“Who is using or sharing what data, how, why and with whom”
Attribute-Based Policies
Allow only US Engineers to access Project X Specifications from US Offices
Subject: Location = US AND Department = Engineering
Resource: Project = Project X AND Type = Specification
Environment: Network Address = 192.168.*
Attribute-based rule retains business intent. Provides fine-grained, data-level control.
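The slide's policy written as a small default-deny evaluator. This is an added example, not NextLabs code or anything shown in the webinar; the attribute key names, the `decide` function and the sample requests are assumptions made for illustration.

```python
import ipaddress

# Policy from the slide: allow only US Engineers to access Project X
# Specifications from US Offices. Attribute key names are assumed.
POLICY = {
    "subject": {"location": "US", "department": "Engineering"},
    "resource": {"project": "Project X", "type": "Specification"},
    # The slide's "192.168.*" expressed as a CIDR block.
    "environment": {"network": ipaddress.ip_network("192.168.0.0/16")},
}

def _attrs_match(required, actual):
    """Every required attribute must be present and equal (case-insensitive)."""
    for key, want in required.items():
        have = actual.get(key)
        if not isinstance(have, str) or have.strip().lower() != want.lower():
            return False
    return True

def _in_network(network, address):
    """Parse the address instead of prefix-matching the string, so that
    malformed values such as '192.1680.0.1' are rejected."""
    try:
        return ipaddress.ip_address(address) in network
    except (ValueError, TypeError):
        return False

def decide(subject, resource, environment, policy=POLICY):
    """Return (decision, reason). Any missing or mismatched attribute denies."""
    if not _attrs_match(policy["subject"], subject):
        return "DENY", "subject attributes do not satisfy the policy"
    if not _attrs_match(policy["resource"], resource):
        return "DENY", "resource is not covered by this policy"
    addr = environment.get("network_address")
    if not _in_network(policy["environment"]["network"], addr):
        return "DENY", "request did not come from an allowed network"
    return "ALLOW", "subject, resource and environment conditions all met"

# Constructed sample attributes (not from the webinar).
ENGINEER_US = {"location": "US", "department": "Engineering"}
ENGINEER_DE = {"location": "DE", "department": "Engineering"}
SPEC_X = {"project": "Project X", "type": "Specification"}

if __name__ == "__main__":
    for subj, addr in [(ENGINEER_US, "192.168.10.7"), (ENGINEER_DE, "192.168.10.7"),
                       (ENGINEER_US, "10.0.0.5"), ({"location": "US"}, "192.168.1.1")]:
        print(subj, addr, decide(subj, SPEC_X, {"network_address": addr}))
```

The single rule covers every combination of location, department, project and network that would otherwise need its own role, and a request with an attribute missing is denied rather than matched by default.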
One Simple Role – Using ABAC
[Figure: 1 Simple Role; Policy using Attributes; CRM, ECC, BW]
Roles Vs. Attributes
97% fewer roles using Attributes
Structure: 1 Company, 5 Subsidiaries, 7 Plants/Subsidiary = 35 Plants
Scenario: 50 Functional roles & 5 Subsidiaries
• Derived Role: 300 total roles (50 Functional roles, 5 derived company code, 35 derived Plants)
• Enabler Role: 56 roles (50 Functional roles, 1 enabler template – Company code, 1 enabler roles for Plant)
• ABAC: 50 Functional roles
Scenario: 35 Plants under 5 subsidiaries
• Derived Role: 1840 Roles (50 x 35 = 1,750; 1,750 + 5 + 35 + 50 = 1840 Roles)
• Enabler Role: 1802 Roles (50 Functional roles x 35 plants = 1,750; 1750 + 50 + 2 = 1802)
• ABAC: 51 Authorizations (50 Functional roles, 1 NextLabs policy)
Benefit
• Derived Role: Baseline
• Enabler Role: 5% less than Derived roles
• ABAC: 97% less than Enabler Roles or Derived Roles
Key Characteristics of Attribute Based Policy
Finer grained, automated controls
Dynamic Enforcement
External Identity Attributes
External Resource Attributes
About NextLabs
NextLabs Entitlement Manager is an SAP-Endorsed Business Solution
• Policy-driven, information risk management software for Global 5000 enterprises.
• Help companies achieve safer and more secure internal and external collaboration
• Ensure proper access to applications and data
Facts
• Locations: HQ: San Mateo, CA; Boston, MA; Hangzhou, PRC; Malaysia; Singapore
• 40+ Patent Portfolio
• Major go-to-market Partners: IBM, SAP, HCL-AXON, Hitachi Consulting
“We allow companies to preserve confidentiality, prevent data loss and ensure compliance across more channels and more points with a single unified solution with unmatched user acceptance and total cost of ownership.”
- Keng Lim, Chairman and CEO
NextLabs Overview
Thank You!
Thank you for viewing a preview of Part 2 of our Managing Role Explosion with Attribute-Based Access Control webinar series.
To watch our complete recording, CLICK HERE.
In the remainder of this webinar, you will see typical use cases of Attribute Based Access Control and a Demo of how it works.