OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?


Published on October 31, 2016

Author: DavidBrossard

Source: slideshare.net

1. What is Attribute Based Access Control? OWASP Chicago October 2016

2. © Axiomatics 2016 2 I know who you are…

3. I know who you are… But how do I control what you want to do?

4. A trip throughout the IT universe

5. (image-only slide, no text)

6. Security

7. Security / IAM: Identity & Access Management

8. Security / IAM / EAM: Externalized Authorization Management

9. What is IAM? Identity & Access Management: providing the right people with the right access at the right time
   ⁃ Identity Management
      ⁃ User Management
      ⁃ Central User Repository
   ⁃ Access Management
      ⁃ Authentication
      ⁃ Authorization

10. Overview of Existing Access Control Mechanisms

11. Authentication (AuthN) (illustration: a login form with username, password and Submit)

12. Authorization (AuthZ)

13. Authorization (AuthZ) defined
   ⁃ Sometimes called Access Control
      ⁃ From a physical perspective (e.g. doors and locks)
   ⁃ Also known as (aka)
      ⁃ Externalized authorization
      ⁃ Dynamic authorization
      ⁃ Fine grained authorization
      ⁃ Entitlement management
   ⁃ “The function of specifying access rights to resources…*”
   ⁃ “To define an access policy*”
   ⁃ “Specifies what a subject can do*”
   * source: Wikipedia

14. Legacy authorization models
   ⁃ Access Control List
      • Named subjects or groups are directly associated with resource objects
      • File systems are a common example for the use of ACLs
   ⁃ Group List
      • Common in LDAP directory systems and email services
   ⁃ Role Based Access Control (RBAC)
      • Since 1992
      • User → Role → Permission

15. Role-Based Access Control & Limitations

16. What is RBAC?
   ⁃ Role-based access control
   ⁃ Model formalized in 1992 by NIST
   ⁃ Access is granted via roles, instead of individual userID
   ⁃ A role is essentially a collection of permissions or entitlements
   (illustration of example roles: Manager, Senior Manager, Admin, Regional Manager, Assistant, IT Manager)

17. How does RBAC work?
   ⁃ Permissions are granted to each role based on requirements
   ⁃ Users are assigned to a specific role
   ⁃ Users can also be assigned to multiple roles
   (illustration: roles mapped to their permissions)

18. Benefits of RBAC
   ⁃ Primarily used for administration-time access control
   ⁃ Gives administrators easier control of large user populations
   ⁃ Widespread and mature
   ⁃ Hierarchy of roles
      ⁃ Manager
         ⁃ US Manager
         ⁃ European Manager
   ⁃ Static segregation of duty
      ⁃ Purchaser role
      ⁃ Approver role

19. RBAC was designed for a simpler world

20. Limitations of RBAC
   ⁃ Role engineering
      ⁃ Determining the permissions roles will be assigned is time-consuming
      ⁃ Different business needs lead to new role hierarchies
   ⁃ RBAC requires attention all the time
      ⁃ In RBAC, the joiner-mover-leaver process is critical
      ⁃ Users can easily accumulate roles, which leads to excess permissions
   ⁃ RBAC does not scale
      ⁃ Many organizations claim a 10-to-1 role-to-employee ratio
   This is the infamous role explosion

21. Role Explosion

22. RBAC – the Never Ending Sudoku…
   ⁃ Users
   ⁃ Roles
   ⁃ Permissions
   ⁃ Removing conflicting permissions from Role 1 and/or Role 2 may solve the problem for user group 2 but create new problems for user groups 1 and 3
   (illustration: user groups, roles and permissions, with an SoD violation highlighted)

23. The Never Ending Sudoku, cross-application
   (illustration: App 1 and App 2, with SoD violations across roles and applications)

24. RBAC is ego-centric
   ⁃ RBAC is self-centered
      ⁃ RBAC is mainly about who the user is
      ⁃ Identity-centric
   ⁃ RBAC doesn’t take into account other parameters
      ⁃ Object metadata
      ⁃ Actions
      ⁃ Environmental context
   ⁃ RBAC is not dynamic or context-aware
      ⁃ RBAC cannot cater to time, location, or risk

25. RBAC is not paying attention…
   ⁃ RBAC is primarily implemented for admin-time access control
      ⁃ The user provisioning process
      ⁃ But also for access review and certification
   ⁃ For run-time access, RBAC has a limited role
      ⁃ Fine for simple use cases
      ⁃ In complex scenarios, the application must do the heavy lifting
   This is the infamous hard-coded access logic within applications

26. Hundreds or thousands of if-clauses scattered all over your code…
   ⁃ If project X is in planning phase then… else…
   ⁃ If the user is member of project X then… else…
   ⁃ If user is project lead then… else…
   ⁃ If project X is in production phase then… else…
   ⁃ If project X has been approved then… else…

27. RBAC cannot handle relationships

28. Why can’t RBAC handle relationships?
   ⁃ Example
      ⁃ Nurses can view medical records in their unit
      ⁃ Doctors can edit medical records of patients they are assigned to
   ⁃ How would one implement an assignment role?
      ⁃ Define a nurse_unit role?
      ⁃ Define the primary_physician role?
      ⁃ Does it scale?
   ⁃ How would one implement delegations?
      ⁃ Doctors can view medical records of patients assigned to other doctors they are filling in for

29. Is your access control broken?

30. The Basic Elements of Attribute-Based Access Control

31. Did you say ABAC? Externalized, Centralized, Policy Driven, Attribute Based, Standardized

32. “By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.” (Gartner, 2013)

33. Policies and Attributes

34. Attributes are labels that describe anyone and anything

35. Attributes are Multi-Dimensional: Who, What, Where, When, Why, How

36. Attributes are Multi-Valued (illustration: a Department attribute holding Sales, Engineering and Finance)

37. Policies bring attributes together to make it all work

38. Example policies
   ⁃ “Managers can view accounts in their region”
   ⁃ “Customers can create transfers up to $1,000”
   ⁃ “A user cannot approve a transfer they requested”
   ⁃ “Tellers can view transactions in their own region”

39. Policies grant & deny access

40. Policies can be local or global
   ⁃ Policies that apply to a specific API or service
   ⁃ Policies that apply across the enterprise / API sets

41. Use ABAC to implement... Time-based policies: “Deny access to the API outside office hours”

42. Use ABAC to implement... Location-based policies: “Cleveland players cannot hit a home run at Wrigley Field”

43. Use ABAC to implement... Dynamic access control: “Managers can view accounts that are in the same branch.”

44. Use ABAC to implement... Dynamic Segregation of Duty: “Employees cannot approve transactions they initiate.”

45. Secure APIs start with ABAC... Any API, Any Policy, Any Attribute

46. In ABAC, who gets to decide?

47. Who gets to decide? (illustration: User → API → Data; the user says “I, Alice, want to view bank accounts”, and the API must answer “Can Alice view account #123?”)

48. The Guardian Angel

49. Divide Responsibilities

50. Authorization as Infrastructure (illustration: User → API Gateway → API → SQL Proxy → Data; the user says “I, Alice, want to view bank accounts”; the API Gateway asks the ABAC Authorization Service “Can Alice view account #123?” and the SQL Proxy asks it “Which data can be retrieved?”)

51. ABAC Architecture
   1. View record #123
   2. Can Alice view record #123?
   3. Evaluate policies (policies are managed separately: “Manage policies”)
   4. Retrieve additional attributes
   5. Permit, Alice can view record #123
   6. View record #123
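A small policy decision point in Python, added here as an illustration (not code from the deck or from any Axiomatics product): it encodes the slide 38, 41 and 44 policies as attribute rules, fetches attributes the request does not carry from constructed sample stores (step 4 above, the PIP in XACML terms), and combines rule effects deny-overrides as XACML does. The user, account and transfer data, the rule names and the assumption that the request carries the current hour are all constructed for the example.

```python
from typing import Callable, NamedTuple

# Constructed sample attribute stores standing in for the PIP ("retrieve additional
# attributes", step 4): the PDP fetches these because the request does not carry them.
USERS = {"alice": {"role": "manager", "region": "midwest"},
         "bob": {"role": "customer", "region": "west"}}
ACCOUNTS = {"123": {"region": "midwest"}, "456": {"region": "west"}}
TRANSFERS = {"T1": {"requester": "bob", "amount": 500}}

class Rule(NamedTuple):
    name: str
    effect: str                        # "Permit" or "Deny", as in an XACML Rule
    target: Callable[[dict], bool]     # does the rule apply to this request at all?
    condition: Callable[[dict], bool]  # the attribute comparison that decides it

def enrich(req: dict) -> dict:
    """PIP step: attach subject and resource attributes to the request context."""
    ctx = dict(req)
    ctx["subject"] = USERS.get(req["user"], {})
    store = ACCOUNTS if req["type"] == "account" else TRANSFERS
    ctx["resource"] = store.get(req.get("id"), {})
    return ctx

def same_region(c: dict) -> bool:
    # A missing attribute must never compare equal (None == None); XACML's MustBePresent exists for this.
    region = c["resource"].get("region")
    return region is not None and c["subject"].get("region") == region

RULES = [
    # Slide 38: "Managers can view accounts in their region"
    Rule("manager-view-own-region", "Permit",
         lambda c: c["subject"].get("role") == "manager" and (c["action"], c["type"]) == ("view", "account"),
         same_region),
    # Slide 38: "Customers can create transfers up to $1,000" (the amount arrives with the request)
    Rule("customer-transfer-limit", "Permit",
         lambda c: c["subject"].get("role") == "customer" and (c["action"], c["type"]) == ("create", "transfer"),
         lambda c: c.get("amount", 0) <= 1000),
    # Slide 44: "Employees cannot approve transactions they initiate" (dynamic SoD)
    Rule("no-self-approval", "Deny",
         lambda c: (c["action"], c["type"]) == ("approve", "transfer"),
         lambda c: c["resource"].get("requester") == c["user"]),
    # Slide 41: "Deny access to the API outside office hours" (time-based; hour is 0-23)
    Rule("office-hours-only", "Deny", lambda c: True, lambda c: not 9 <= c["hour"] < 18),
]

def decide(req: dict) -> str:
    """PDP step: evaluate every rule and combine the results deny-overrides."""
    ctx = enrich(req)
    effects = {r.effect for r in RULES if r.target(ctx) and r.condition(ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"  # the PEP treats this as deny
```

Note that no rule grants "approve", so the SoD rule only ever turns a would-be Permit into a Deny; the default outcome for an unmatched request is NotApplicable, which the enforcement point must refuse.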

52. ABAC, OASIS, NIST, & OWASP

53. OASIS XACML – eXtensible Access Control Markup Language
   ⁃ Pronunciation
      ⁃ eXtensible Access Control Markup Language
   ⁃ OASIS standard
      ⁃ V 3.0 approved in January 2013
      ⁃ V 1.0 approved in 2003
   ⁃ XACML is expressed as
      ⁃ A specification document and
      ⁃ An XML schema
   ⁃ http://www.oasis-open.org/committees/xacml/

54. What does OASIS XACML contain?
   ⁃ XACML Reference Architecture
   ⁃ Policy Language
   ⁃ Request / Response Protocol

55. ABAC research
   ⁃ NIST Special Publication 800-162
      ⁃ Guide to ABAC Definition and Considerations
      ⁃ nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
   ⁃ NIST Center of Excellence
      ⁃ Building blocks
      ⁃ Industry vertical projects
      ⁃ nccoe.nist.gov/

56. HL7 - Health Level Seven International
   ⁃ The basis for healthcare interoperability
      ⁃ Defining common standards for structured content of healthcare data
      ⁃ Transport of that data between different systems
      ⁃ Applies to clinical and administrative data
   ⁃ Founded in 1987
   ⁃ One of the ANSI-accredited Standards Developing Organizations (SDOs) operating in health care
   ⁃ Widely adopted by vendors worldwide to define content
   ⁃ HIPAA references several HL7 standards
   ⁃ HL7 has several workgroups including Security
   ⁃ Use Case: http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology

57. ABAC & OWASP

58. Questions? @davidjbrossard – @axiomatics
