Do you have a business case for Attribute Based Access Control (ABAC)?


Published on April 4, 2014

Author: Axiomatics



This is the slide deck from an Axiomatics webinar held on April 3, 2014. To see the webinar recording itself, visit the webinar section on the Axiomatics home page. There you will also find the questions and answers section - there were a few interesting discussions at the end of the session.

© 2014 Axiomatics AB 1 Do you have a business case for Attribute Based Access Control (ABAC)? Webinar: April 3, 2014


Guidelines
• You are muted centrally
• The webinar is recorded
• Slides available for download
• Q&A at the end

Today's speakers: Finn Frisch, Gerry Gebel

Twitter: @axiomatics #XACML

Introduction: Overview and preamble
• Business drivers – why organizations invested in ABAC
• Business challenges – what problems they solved
• Business values – what benefits they gained

Introduction: The ABAC trend
ABAC = Attribute Based Access Control
• 2005: XACML version 2.0: Concept production-ready for enterprise needs.
• 2006: Axiomatics founded. First project: a nation-wide eHealth service.
• 2009: US Federal CIO Council – (FICAM) Roadmap and Implementation Plan v1.0 advocates ABAC
• 2011: FICAM v2.0: ABAC recommended access control model for promoting information sharing between diverse and disparate organizations.
• 2013: XACML version 3.0
• 2014: NIST Guide on ABAC
• 2014: Gartner predicts: "By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today."

Introduction: What is Attribute Based Access Control (ABAC)?
• A mode of externalized authorization
• Authorization policies/rules are managed in a centralized service (deployment can be centralized/distributed/hybrid)
• The Extensible Access Control Markup Language (XACML) is an example of an ABAC system
• Policies utilize attributes to describe specific access rules, which is why it is called attribute based access control

Introduction: Example from NIST report
• "This flexibility [of ABAC] provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object"
• Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients
• Variables in the policy language enable very efficient policy structures – reducing the maintenance load
• Management of heart patient records is part of the business application – not an IT function
• Multiple attributes must be available for policy evaluation – either as part of the access request or retrieved from source

Introduction: NIST example - expanded
• Nurse Practitioners can View the Records of Patients in the same Department they are assigned to
• This rule can apply to all departments in the hospital
• Add a new department or change names of department and the rule does not change
• Rule compares department of the Nurse Practitioner to the department of the Patient
• Avoids the role explosion effect of RBAC models
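The expanded NIST rule, together with the earlier point that attributes may be retrieved from source, sketched as an added example (not part of the Axiomatics deck). All names and sample data are constructed; the dictionaries stand in for the HR and patient-record systems that would supply the attributes.

```python
# Added illustration: a minimal attribute-based decision function.
# All names and sample data are constructed for this example.

# Attribute sources (stand-ins for HR and patient-record systems).
STAFF = {
    "alice": {"role": "nurse_practitioner", "department": "cardiology"},
    "bob": {"role": "nurse_practitioner", "department": "oncology"},
    "carol": {"role": "receptionist", "department": "cardiology"},
}
PATIENTS = {
    "p-100": {"department": "cardiology"},
    "p-200": {"department": "oncology"},
    "p-300": {},  # department attribute missing at the source
}


def decide(subject_id, action, resource_id, staff=STAFF, patients=PATIENTS):
    """Return "Permit" or "Deny" for one access request.

    Rule: nurse practitioners can view the records of patients in the
    department they are assigned to. No department name appears in the
    rule, so it applies unchanged to every department.
    """
    subject = staff.get(subject_id, {})
    resource = patients.get(resource_id, {})
    subj_dept = subject.get("department")
    res_dept = resource.get("department")
    # A missing attribute must never satisfy the comparison
    # (None == None would otherwise evaluate to a match).
    if subj_dept is None or res_dept is None:
        return "Deny"
    if (subject.get("role") == "nurse_practitioner"
            and action == "view"
            and subj_dept == res_dept):
        return "Permit"
    return "Deny"


def rbac_roles_needed(departments, job_functions):
    """Roles a role-per-department RBAC design needs for the same effect."""
    return [f"{job}_{dept}" for dept in departments for job in job_functions]
```

Adding a department changes only the attribute data passed to `decide`, while `rbac_roles_needed` grows by one role per job function for each new department.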

Introduction: Why are we seeing this shift to ABAC?
• Today's business environment is more global, dynamic and collaborative
• First generation access models cannot cope in a "need to share" world
• Users demand access to any data, from any device, at any time

Business drivers: Why organizations invest in ABAC technology
Consolidated infrastructure; Enhanced security; Business enabler; Compliance
Expose data and APIs to customers and partners; Write once, Enforce everywhere; Consistent authorization enforcement across applications; Implement legal frameworks

Business drivers: Attribute Based Access Control (ABAC) objectives
• Get competitive advantage and create new revenue streams
• Minimize the risk of fraud with dynamic, real-time access control
• Meet global regulatory and privacy requirements
• Cut time to market and streamline internal development

Business challenge: Collaboration
…depends on efficient information sharing…
…which depends on precision in access controls…

Business challenge: Legacy access controls fail in dynamic environments
(Figure panels: Legacy access control; Attribute based access control)

Business values: Achievements made – return on investment (ROI)
• Question: Before you went for Attribute Based Access Control (ABAC), how would you have approached the type of solution you now have built?
• Answer: We wouldn't. It would simply not have been possible to build this type of service with the access control models we used before.
ROI = ROI of new service which gives a competitive advantage

Conclusion: ABAC enables secure information sharing
Challenge: Collaboration
Objective: Increase revenue

Business challenge: Speed in business transactions
…depends on efficient delegation of powers…
…while losses due to fraud or excessive risk taking are minimized…

Business challenge: The RBAC Sudoku
(Figure labels: A, B, C)

Business challenge: Using ABAC to overcome the RBAC weakness
• Solution: To authorize a Service Entry and Release, enforce the following XACML rule:
  PERMIT Service Entry and Release for users with Cost Center Signature Authority for Purchase Orders of their own Cost Centers providing they were not previously involved in the creation, editing or approval of the related Purchase Order or the corresponding Vendor or Service provider account.
• Result: Multiple attributes combined [cost center, PO and Vendor approver etc.] – not just the role of the user – are considered to minimize the risk (in our example the risk of individuals releasing service entries for their own fraudulent purchase orders.)
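The separation-of-duties rule above, evaluated over constructed data as an added example (not the deck's XACML and not Axiomatics code). The attribute names, user names and identifiers are assumptions made for illustration.

```python
# Added illustration; attribute names and sample data are constructed.

PURCHASE_ORDERS = {
    # "involved" = users who created, edited or approved the PO
    "PO-1": {"cost_center": "CC-10", "vendor": "V-7",
             "involved": {"dana", "eli"}},
    "PO-2": {"cost_center": "CC-20", "vendor": "V-8",
             "involved": {"eli"}},
}
VENDORS = {
    # "involved" = users who created, edited or approved the account
    "V-7": {"involved": {"frank"}},
    "V-8": {"involved": {"gina"}},
}
USERS = {
    "dana": {"signature_authority": {"CC-10"}},
    "frank": {"signature_authority": {"CC-10"}},
    "gina": {"signature_authority": {"CC-10"}},
    "hugo": {"signature_authority": set()},
}


def may_release_service_entry(user_id, po_id):
    """Evaluate the rule for one request; return (decision, reason)."""
    user = USERS.get(user_id)
    po = PURCHASE_ORDERS.get(po_id)
    if user is None or po is None:
        return "Deny", "unknown user or purchase order"
    vendor = VENDORS.get(po["vendor"])
    if vendor is None:
        # Without the vendor history the rule cannot be shown to hold.
        return "Deny", "vendor history unavailable"
    if po["cost_center"] not in user["signature_authority"]:
        return "Deny", "no signature authority for this cost center"
    if user_id in po["involved"]:
        return "Deny", "previously involved in the purchase order"
    if user_id in vendor["involved"]:
        return "Deny", "previously involved in the vendor account"
    return "Permit", "all conditions met"
```

The reason string is what an audit log would record alongside the decision, which is how a reviewer confirms that a denial came from the duty-separation condition rather than from a missing authority.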

Business values: Achievements made – return on investment (ROI)
• "Maintain separation of duties so that no one person has too much control"
• "Reduce risks of data breaches, data leakage and identity theft"
• "Prevent or limit unauthorized bank system access or use"

Conclusion: ABAC enables delegation of powers for secure transactions
Challenge: Speed in transactions
Objective: Minimize loss

Business challenge: Regulatory compliance
…depends on efficient IT governance…
…which in turn depends on correct and verifiable authorizations…


Business values: Achievements made – return on investment (ROI)
"[…] is a multi-national company and must comply with financial regulations in multiple jurisdictions. […] Application-external authorization must ensure applications at all times comply with changing and country specific regulations."
ROI = Avoiding fines, avoiding reputational damage

Conclusion: ABAC auditably controls who has access to what, where, when, why and how
Challenge: Compliance / Governance
Objective: Avoiding fines / reputational damage

Business challenge: Timely service delivery
…depends on efficient software development…
…and change management not causing delays

Business challenge: Costly access control – expensive change management

Business challenge: Implementing authorization in applications

Legacy access control
• Authorization checks repeated over and over in code:

    // role check hard-coded in the application
    if (!User.IsInRole("Administrators")) {
        Msg.Text = "Access denied.";
        ListBox.Visible = false;
        return;
    }

• Imagine more conditions: data classification, ListBox.DataSource, administrator's clearance level ….

Attribute based access control
• Write once, use many times – simply send an access request to the authorization service

    // the decision is delegated to the external authorization service
    Req = BuildRequest(UserID, ListBox)
    if (!PDPPermit(Req)) ….
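A sketch of the enforcement side of the "send an access request to the authorization service" pattern, added here as an example and not taken from the deck or from any Axiomatics API. Every function name is hypothetical; `sample_pdp` is a constructed stand-in for the external decision service, using the clearance and data-classification conditions the slide mentions.

```python
# Added illustration; every name here is hypothetical.

class PdpUnavailable(Exception):
    """Raised by the (hypothetical) PDP client on timeout or error."""


def build_request(user_id, action, resource):
    """Collect attributes for the PDP; no decision logic lives here."""
    return {"subject": {"id": user_id},
            "action": {"id": action},
            "resource": dict(resource)}


def enforce(pdp, user_id, action, resource, audit):
    """Policy enforcement point: True only on an explicit Permit.

    XACML decisions are Permit, Deny, NotApplicable and Indeterminate.
    This PEP is deny-biased: anything other than Permit, including a
    PDP failure, results in denial.
    """
    request = build_request(user_id, action, resource)
    try:
        decision = pdp(request)
    except PdpUnavailable:
        decision = "Indeterminate"
    audit.append((user_id, action, resource.get("id"), decision))
    return decision == "Permit"


def sample_pdp(request):
    """Stand-in policy: clearance must cover the data classification."""
    clearance = {"alice": 3, "bob": 1}  # constructed attribute source
    subject = request["subject"]["id"]
    if subject not in clearance:
        return "NotApplicable"
    level = request["resource"].get("classification")
    if level is None:
        return "Indeterminate"
    return "Permit" if clearance[subject] >= level else "Deny"


def failing_pdp(request):
    """Simulates an unreachable authorization service."""
    raise PdpUnavailable("connection timed out")
```

The application calls `enforce` at each protected operation, so a policy change is made once in the decision service, and an outage of that service denies access instead of silently permitting it.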

 $312 billion: Estimated global expenditure on software debugging in 2012  52 %: Portion of total effort spent fixing „architecturally complex defects‟, which account for only 8% of all defects* ROI = reduced software development costs + improved quality + reduced time-to-market for new service Code maintenance – return on investment (ROI) © 2014 Axiomatics AB 30 * Scott Buchholz, director, Deloitte Consulting LLP and David Sisk, director, Deloitte Consulting LLP, “Technical debt reversal, Lowering the IT debt ceiling” in “Tech Trends 2014: Inspiring Disruption”, Business values

Conclusion: ABAC enables "write once, use many" patterns which reduces code complexity and release cycles
Challenge: Software maintenance
Objective: Time-to-market gains, cost reduction

References: Reading materials; Upcoming webinars

References: Reading materials
• Axiomatics White Paper: The Business Case for Attribute Based Access Control
• Axiomatics White Paper: Getting Started with ABAC
• NIST paper on ABAC

References: Webinars
• Get started now! Attribute Based Access Control (ABAC) for applications. April 10, 2014
• Protect business critical data with dynamic authorization for databases. May 8, 2014

Questions? Thank you for listening
