Next generation access controls
-
Upload
transcendent-group -
Category
Economy & Finance
-
view
332 -
download
4
Transcript of Next generation access controls
![Page 1: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/1.jpg)
Next Generation Access Control
Urban Söderström
![Page 2: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/2.jpg)
© Axiomatics 2016 2
Access Control is as easy as in the Middle Ages
Only 2 options: • Store data safely & • control access
• Make data unusable
![Page 3: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/3.jpg)
© Axiomatics 2016 3
But internal and external requirements makes the picture much more complex …..
And the outside world where data is used ….. has changed How ?
Collaboration
Regulatory Compliance and Governance
New business & mobile-driven interactions
Time-to-market
![Page 4: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/4.jpg)
© Axiomatics 2016 4
1) Diligent 24 x 7 cyber crime professionals around
• Ransome ware for bitcoins • Advanced Persistent Threat • Spearfishing • National surveillance breaches
Night and day working on their Continuing Professional Education
![Page 5: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/5.jpg)
© Axiomatics 2016 5
2) Population of computer users has changed
Expert engineers But also • Your grandma • Your todler • Your malware • Your fridge • ……… Everyone is a user With digital identity
![Page 6: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/6.jpg)
© Axiomatics 2016 6
3) Identity ontology for every individual
My ID as a…. Customer Supplier Partner Private user Administrator Anonymous user Machine Fraudster, mule
Identity Federation E-ID E-Citizenship Mobil-ID Bank-ID …….
![Page 7: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/7.jpg)
© Axiomatics 2016 7
4) Rapid evolving usability requirements – “seven any”
Any one Any time Any where Any device Any networg Any app
Across any value chain Easy and fast
![Page 8: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/8.jpg)
© Axiomatics 2016 8
5) Purpose of data use has changed Internet of Things E-Municipality E-Government Smart cities Mobility Environment Commodities Medical Safety Living Drone delivery Robot distribution Physical surveillance
![Page 9: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/9.jpg)
© Axiomatics 2016 9
6) Globalisation & data correlation Connectivity across Datasets Applications “Things” Value chains Companies Continents Jurisdictions Platforms Devices Clouds API´s interoperability
![Page 10: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/10.jpg)
© Axiomatics 2016 10
7) Big data analytics Visual data discovery Automated decision-making 70% of large organizations Purchase external data 100% by 2019 (Forbes) 180.000 data analysts in US 2018 E.g. fraud detection Well combined with physical security tools This requires Access Management BaaS = Back-end of IoT as a service
![Page 11: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/11.jpg)
© Axiomatics 2016 11
8) Increased control, legislation & regulation
Data protection - GDPR 1) Consistency across European Union
1) One-stop-shop for citizens and business 2) Scope: service providers outside Europe delivering EU services 3) Right to be forgotten-Right to erasure:
1) “Privacy by design” & “privacy by default” 2) Right to be forgotten also applicable to third parties
4) Notification of breach mandatory 1) High fines
5) Payment Services Directive II 1) Mandatory to share customers profiles and data with 3rd parties 2) On request (with customers consent & still adhering to the 3) data protecting regulation)
![Page 12: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/12.jpg)
© Axiomatics 2016 12
Responding to all trends with old school static IAM ?
Transaction request
Authorisation Entitlements For the ID
Assets +
data
authentication Identity
+ properties
Password Token PIN Biometric Multifactor Behaviour
![Page 13: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/13.jpg)
© Axioma)cs 2016 13
By 2020, 70 percent of enterprises will use ABAC as
the dominant mechanism to protect critical assets
“
70% ”
Gartner, 2013
NO ! - Dynamic and fine-grained IAM on data level required
![Page 14: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/14.jpg)
© Axiomatics 2016 14
Application access = OUT Services, Big data, Federation = IN
Access control on application level falls short RBAC is too static Security is required on the level of datasets, data subject Data Centric Security Attibute Based Access Control
Transaction request
![Page 15: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/15.jpg)
© Axiomatics 2016 15
Every single transaction request…
The only thing persistent is The request for a transaction
(with all its relevant properties)
![Page 16: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/16.jpg)
© Axiomatics 2016 16
deserves an individual VIP treatment
Access decision engine” • real time • context aware • rule based • customised • flexible • fine-grained access decisions
![Page 17: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/17.jpg)
© Axioma)cs 2016 17
⁃ Policies to protect assets / IP ⁃ Policies to prevent fraud ⁃ Policies to comply with external regulations ⁃ Policies to be more efficient ⁃ Policies to enable new business
⁃ CEOs, CIOs, CISOs, CDOs and other CXOs have responsibilities to define and implement these policies
⁃ Security and compliance are board-level issues: requires key policies in place to protect the Enterprise’s interests, IP and to safeguard their investments
Modern Enterprises need to be policy-driven
![Page 18: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/18.jpg)
© Axiomatics 2016 18
⁃ Modern dynamic enterprises need modern dynamic authorization models to meet requirements for ease of change and centralization
⁃ Authorizations to… ⁃ Protect sensitive data ⁃ Protect critical assets ⁃ Protect critical transactions
Attribute Based Access Control is the new dynamic model
Access Policies
![Page 19: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/19.jpg)
© Axiomatics 2016 19
Security everywhere Centralized Rules Management
Data Layer
Service Layer
Process layer
Presentation Layer
Distributed rules enforcement
![Page 20: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/20.jpg)
© Axiomatics 2016 20
Finegrained context aware access mmnt - building blocks
user profile database
identity federation trust level framework
framework to manage interaction of rule sets e.g conflicting rules, hierarchy, veto, ownership
rulesets in rule engines
![Page 21: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/21.jpg)
© Axiomatics 2016 21
Attribute Based Access Control “Context Based”, or “Rule Based” Access Control: • Fine-grained • Additional authentication if reqiured (“step-up”) • Flexible – Easy access if possible, complex when required • Configuration of rules in IAM: short time-to-market (not programmed in applications) • Risk level on dataset or transaction • Trustlevel on authentication context • Immediate intervention in case of compromise (trustlevel attribute) • From RBAC to ABAC or hybrid (role is also a rule!)
![Page 22: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/22.jpg)
© Axiomatics 2016 22
Attribute-Based Access Control A context-aware and dynamic authorization model
Who? What? When? Where? Why? How?
![Page 23: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/23.jpg)
© Axiomatics 2016 23
GDPR or PSD-2 is a opportunity to start using ABAC ⁃ DPR – GDPR requires changes in your rule and policy
governance ⁃ By using ABAC you don´t have to rework your rule and policy
governance in every application when changes are applied ⁃ You can include the Business in the process by using Business
processes when creating new policys
![Page 24: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/24.jpg)
© Axiomatics 2016 24
Compared to legacy RBAC models…
⁃ Permissions assigned to roles
⁃ Roles assigned to users
⁃ Applications handle access
control intentionally
![Page 25: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/25.jpg)
© Axiomatics 2016 25
Using ABAC to extend role definitions
⁃ ABAC uses attributes and policies to implement precise controls
⁃ ABAC extends roles with ⁃ Context and ⁃ Relationships
⁃ ABAC utilizes attributes of the user as well as the resource to represent relationships
![Page 26: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/26.jpg)
© Axioma)cs 2016 26
Axiomatics provides enterprise software for access control
![Page 27: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/27.jpg)
© Axiomatics 2016 27
Who we are… About Axiomatics...
Offices in USA and Sweden
Venture-backed since 2013
90% growth in 2015
![Page 28: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/28.jpg)
© Axiomatics 2016 28
Our Customers
⁃ Fortune 500 ⁃ Government Agencies ⁃ Vertical market expertise
⁃ Financial services (banking, insurance) ⁃ Highly-regulated industries (pharmaceuticals, aerospace, automotive…) ⁃ Media companies
![Page 29: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/29.jpg)
Success stories
⁃ Securing online payments for 200 million users ⁃ Securing exchange of clinical trial data in
pharmaceutical research ⁃ Millions of transactions a day secured for one of the
world’s largest banks ⁃ Protecting privacy for insurance company’s clients ⁃ Compliance with Export Control regulations for aircraft
manufacturers ⁃ Copyright-protected streaming media for authorized users only ⁃ Improving speed and quality of health IT systems for
veterans nationwide
![Page 30: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/30.jpg)
© Axiomatics 2016 30
Axiomatics Solutions ⁃ Authorization for Applications
⁃ Business logic and middleware ⁃ APIs and web services ⁃ On-premise and cloud applications
⁃ Authorization for Databases ⁃ Relational databases ⁃ Big Data
⁃ Access Review on policies ⁃ Prove regulatory compliance and
permissions of users or groups ⁃ Real-time review of dynamic authorization ⁃ Internal reporting and auditing needed at
various levels of user ⁃ Review what your employees can do
![Page 31: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/31.jpg)
© Axiomatics 2016 31
31
Structuring the Policies The Authorization Policy Lifecycle
![Page 32: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/32.jpg)
© Axiomatics 2016 32
Deploy the architecture – Defence in Depth
![Page 33: Next generation access controls](https://reader034.fdocuments.in/reader034/viewer/2022042906/58a6ee651a28abcf0e8b5a53/html5/thumbnails/33.jpg)
© Axiomatics 2016 33
Questions?