cis14: the very latest in authorization standards

Post on 15-Jan-2015


DESCRIPTION

Gerry Gebel, Axiomatics. An update on the latest trends and happenings regarding authorization standards, with commentary and projections on this topic for the coming year, including the status of the JSON and REST profiles for XACML (it’s not just XML anymore), scenarios where OAuth and XACML can coexist, and what NIST’s published report on ABAC is all about.

TRANSCRIPT

The Very Latest in Authorization Standards and Trends

Cloud Identity Summit - 2014

Gerry Gebel Axiomatics gerry@axiomatics.com @ggebel

© 2014 Axiomatics AB 1

Preamble: Authorization v.Next


Having a policy language is a key differentiator for ABAC/XACML


OAuth, UMA, JWT, XACML: finding the right combination

Agenda

§  Business trends that are influencing authorization requirements

§  Externalized Authorization and ABAC

§  Standards update

§  JSON, REST, ALFA and more

§  Prognostications

Business Trends & AuthZ


Next generation information security = dynamic authorization = attribute based access control

Legacy access controls fail in dynamic environments

ABAC thrives in dynamic environments

[Diagram: grant or deny access to sensitive / business-critical information based on the following attributes: Who, What, When, Where, Why, How]

“By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.” (Gartner Predicts, March 2014)

Externalized Authorization and ABAC

NIST Special Pub 800-162 *

§  “[ABAC] flexibility provides the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object”


* nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf

Example from NIST report

§  Nurse Practitioners in the Cardiology Department can View the Records of Heart Patients

§  Variables in the policy language enable very efficient policy structures – reducing the maintenance load

§  Management of heart patient records is part of the business application – not an IT function

§  Multiple attributes must be available for policy evaluation – either as part of the access request or retrieved from an authoritative source

NIST example - expanded

§  Nurse Practitioners can View the Records of Patients in the same Department they are assigned to

§  This rule can apply to all departments in the hospital

§  Add a new department or change names of department and the rule does not change

§  Rule compares department of the Nurse Practitioner to the department of the Patient

§  Avoids the role explosion effect of RBAC models

Applying ABAC to every layer of your application

ADAF


REST, JSON, & ALFA: What’s new on the XACML standards front?

What’s in the XACML standard

XACML:

§  Reference Architecture

§  Policy Language

§  Request / Response Protocol

§  Profiles add functionality: REST, JSON, Export Control, IP Protection, Hierarchical Resources, etc.

The Request/Response format

XACML Request: Can Manager Alice approve Purchase Order 12367?

•  Subject: User id = Alice, Role = Manager

•  Action: Action id = approve

•  Resource: Resource type = Purchase Order, PO # = 12367

•  Environment: Device Type = Laptop

XACML Response: Yes, she can

•  Result: Decision = Permit, Status = ok

XML encoding of an authZ request: Can Alice say hello?

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>

JSON encoding of an authZ request

{
  "subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
  "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
  "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}
}

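As an added example (not code from the slides or from Axiomatics), the following Python builds the same "Can Alice say hello?" request in both the XACML 3.0 XML encoding and the short JSON layout from one attribute map, parses the XML back to confirm both carry the same attributes, and reports the word and character counts that the next slide compares. The short attribute ids (username, resource-id, action-id) are mapped to the standard URIs used in the XML; the sample request values are constructed for the example.

```python
import json
import xml.etree.ElementTree as ET

# XACML 3.0 namespace plus the category and attribute identifiers from the standard
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CATEGORY_URI = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
ATTRIBUTE_URI = {
    "username": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "resource-id": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "action-id": "urn:oasis:names:tc:xacml:1.0:action:action-id",
}

# Constructed sample: the "Can Alice say hello?" request as category -> {attributeId: value}
SAMPLE_REQUEST = {
    "subject": {"username": "alice"},
    "resource": {"resource-id": "hello"},
    "action": {"action-id": "say"},
}


def to_json_request(attrs):
    """Encode the request in the short JSON layout (short ids, one attribute list per category)."""
    doc = {}
    for category, pairs in attrs.items():
        doc[category] = {"attribute": [{"attributeId": k, "value": v} for k, v in pairs.items()]}
    return json.dumps(doc, separators=(",", ":"))


def to_xml_request(attrs):
    """Encode the request as an XACML 3.0 <Request> with full category and attribute URIs."""
    ET.register_namespace("xacml-ctx", XACML_NS)
    ns = "{%s}" % XACML_NS
    req = ET.Element(ns + "Request", {"ReturnPolicyIdList": "true", "CombinedDecision": "false"})
    for category, pairs in attrs.items():
        cat = ET.SubElement(req, ns + "Attributes", {"Category": CATEGORY_URI[category]})
        for attr_id, value in pairs.items():
            attr = ET.SubElement(cat, ns + "Attribute",
                                 {"AttributeId": ATTRIBUTE_URI.get(attr_id, attr_id), "IncludeInResult": "true"})
            val = ET.SubElement(attr, ns + "AttributeValue", {"DataType": XS_STRING})
            val.text = value
    return ET.tostring(req, encoding="unicode")


def parse_xml_request(xml_text):
    """Read an XML request back into category -> {attributeId: value} so the encodings can be compared."""
    ns = "{%s}" % XACML_NS
    uri_to_category = {v: k for k, v in CATEGORY_URI.items()}
    uri_to_attr = {v: k for k, v in ATTRIBUTE_URI.items()}
    out = {}
    for cat in ET.fromstring(xml_text).findall(ns + "Attributes"):
        pairs = {}
        for attr in cat.findall(ns + "Attribute"):
            aid = attr.get("AttributeId")
            pairs[uri_to_attr.get(aid, aid)] = attr.find(ns + "AttributeValue").text
        out[uri_to_category[cat.get("Category")]] = pairs
    return out


def size_report(attrs):
    """Word and character counts of the same request in both encodings."""
    x, j = to_xml_request(attrs), to_json_request(attrs)
    return {"xml_chars": len(x), "json_chars": len(j),
            "xml_words": len(x.split()), "json_words": len(j.split())}


if __name__ == "__main__":
    print(to_xml_request(SAMPLE_REQUEST))
    print(to_json_request(SAMPLE_REQUEST))
    print(size_report(SAMPLE_REQUEST))
```

The round trip through parse_xml_request is the check worth keeping in a real PEP: whichever encoding a client sends, the PDP must see the same attributes, otherwise the two profiles can disagree on a decision.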

JSON vs. XML

[Chart: size of a XACML request, comparing word count and character count for the XML and JSON encodings]

REST Profile

[Diagram: XML over HTTP, JSON over HTTP]

ALFA – Abbreviated Language for Authorization

§  Domain Specific Language (DSL) that provides an abstraction over XACML

§  Pseudo language is similar to C# or Java

§  Author policies in Eclipse IDE, plug-in automatically generates XACML

Axiomatics has committed to submit ALFA as an XACML profile

A policy example, in English

/**
 * A manager can approve a transaction if their approval limit is greater than
 * the transaction amount and if the risk is less than 5
 */

Let’s take a look at this policy in XACML and ALFA

A policy example, in XACML (1)

<?xml version="1.0" encoding="UTF-8"?>
<!-- This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <xacml3:Description>Let a manager approve a transaction if their approval limit is greater than the transaction amount and if the risk is less than 5</xacml3:Description>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="userRole" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>

A policy example, in XACML (2)

        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">transaction</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="resourceType" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/policing.principles.allowTransaction.allowIfLowRiskScore">
    <xacml3:Description/>
    <xacml3:Target/>
    <xacml3:Condition>
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than"/>
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">5.0</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="transactionRiskScore" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>

A policy example, in XACML (3)

        </xacml3:Apply>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal"/>
          <xacml3:AttributeDesignator AttributeId="transactionAmount" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
          <xacml3:AttributeDesignator AttributeId="userApprovalLimit" DataType="http://www.w3.org/2001/XMLSchema#double" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
        </xacml3:Apply>
      </xacml3:Apply>
    </xacml3:Condition>
  </xacml3:Rule>
</xacml3:Policy>

A policy example, in ALFA

policy allowTransaction {
    target clause userRole == "manager" and actionId == "approve" and resType == "transaction"
    apply firstApplicable
    rule allowIfLowRiskScore {
        condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit)
        permit
    }
}
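An added example, not code from the slides or from the ALFA plug-in: a small Python evaluator for the allowTransaction policy above, using the attribute ids from the generated XACML (userRole, action-id, resourceType, transactionRiskScore, transactionAmount, userApprovalLimit). It mirrors the XACML semantics that matter for safety: attribute lookups return bags, an attribute absent from the request (MustBePresent="false") yields an empty bag, and any-of over an empty bag is false, so a missing risk score or approval limit can never produce a Permit. It also illustrates the NIST-report point that attributes may arrive in the access request or be retrieved from an authoritative source: pip_lookup and APPROVAL_LIMITS are a hypothetical, constructed stand-in for such a source.

```python
# Constructed stand-in for an authoritative source (a PIP) consulted when the
# request itself does not carry the attribute. Hypothetical data.
APPROVAL_LIMITS = {"alice": 5000.0, "bob": 500.0}


def pip_lookup(category, attribute_id, request):
    """Hypothetical PIP: resolve userApprovalLimit from the subject's username."""
    if category == "subject" and attribute_id == "userApprovalLimit":
        for user in bag(request, "subject", "username"):
            if user in APPROVAL_LIMITS:
                return [APPROVAL_LIMITS[user]]
    return []


def bag(request, category, attribute_id, pip=None):
    """Bag of values for one attribute; empty if absent (MustBePresent="false"), optionally filled by the PIP."""
    values = [a["value"] for a in request.get(category, {}).get("attribute", [])
              if a["attributeId"] == attribute_id]
    if not values and pip is not None:
        values = pip(category, attribute_id, request)
    return values


def target_matches(request):
    """target clause userRole=="manager" and actionId=="approve" and resType=="transaction"."""
    return ("manager" in bag(request, "subject", "userRole")
            and "approve" in bag(request, "action", "action-id")
            and "transaction" in bag(request, "resource", "resourceType"))


def rule_allow_if_low_risk_score(request, pip):
    """condition (transactionRiskScore < 5) && (transactionAmount <= userApprovalLimit).

    any-of / any-of-any over bags: an empty bag makes the conjunct false, so a
    missing attribute never yields a Permit; the rule is simply NotApplicable.
    """
    risk = bag(request, "resource", "transactionRiskScore", pip)
    amount = bag(request, "resource", "transactionAmount", pip)
    limit = bag(request, "subject", "userApprovalLimit", pip)
    low_risk = any(5.0 > r for r in risk)                       # any-of(double-greater-than, 5.0, risk)
    within_limit = any(a <= l for a in amount for l in limit)   # any-of-any(double-less-than-or-equal, amount, limit)
    return "Permit" if low_risk and within_limit else "NotApplicable"


def evaluate_allow_transaction(request, pip=pip_lookup):
    """Policy allowTransaction with first-applicable rule combining."""
    if not target_matches(request):
        return "NotApplicable"
    for rule in (rule_allow_if_low_risk_score,):
        decision = rule(request, pip)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


def make_request(user, role, action, res_type, risk=None, amount=None, limit=None):
    """Build a request in the JSON-profile layout from the slides (values are constructed)."""
    subject = [{"attributeId": "username", "value": user}, {"attributeId": "userRole", "value": role}]
    if limit is not None:
        subject.append({"attributeId": "userApprovalLimit", "value": limit})
    resource = [{"attributeId": "resourceType", "value": res_type}]
    if risk is not None:
        resource.append({"attributeId": "transactionRiskScore", "value": risk})
    if amount is not None:
        resource.append({"attributeId": "transactionAmount", "value": amount})
    return {"subject": {"attribute": subject},
            "resource": {"attribute": resource},
            "action": {"attribute": [{"attributeId": "action-id", "value": action}]}}


if __name__ == "__main__":
    print(evaluate_allow_transaction(make_request("alice", "manager", "approve", "transaction", risk=3.0, amount=1000.0)))
    print(evaluate_allow_transaction(make_request("bob", "manager", "approve", "transaction", risk=3.0, amount=1000.0)))
```

Because the policy uses first-applicable and has a single Permit rule, every non-matching case comes back NotApplicable rather than Deny; a PEP in front of this policy must treat anything other than Permit as a refusal, which is the deny-by-default behaviour the slides' "grant or deny based on attributes" model relies on.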

Prognostications: OAuth & XACML? Further simplification of XACML?

How can OAuth and XACML complement each other?

§  OAuth: popular authZ mechanism for API security and consumer scenarios

§  Missing from OAuth: declarative policy language

§  XACML policies were used to control scopes for OAuth tokens

What if? Easy consumption of JWT tokens for advanced authorization via XACML-based service

JWT →

{
  "subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
  "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
  "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}
}
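As an added example of the "what if" above (not code from the slides or from any Axiomatics product), here is a Python sketch of a XACML-based service consuming a JWT. It verifies an HS256 token with the standard library only, pins the algorithm instead of trusting the alg header, checks exp, and only then maps the verified claims (sub, scope, department) into subject attributes in the JSON request layout shown above; resource and action come from the call. mint_jwt, SAMPLE_KEY, SAMPLE_CLAIMS and the claim names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims, key):
    """Constructed HS256 issuer side, present only so the example runs offline."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token, key, now=None, expected_alg="HS256"):
    """Return the claims if the pinned-algorithm signature and expiry check out, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # The verifier decides the algorithm; a header saying "none" or anything else is rejected.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or ("exp" in claims and now >= claims["exp"]):
        return None
    return claims


def xacml_request_from_jwt(token, key, resource_id, action_id, now=None):
    """Map verified JWT claims into a JSON-profile XACML request.

    Subject attributes are taken only from the verified token, never from the
    caller, so the PDP's policies can compare e.g. department or scope safely.
    """
    claims = verify_jwt(token, key, now)
    if claims is None:
        return None
    subject = [{"attributeId": "username", "value": claims["sub"]}]
    for scope in claims.get("scope", "").split():       # space-separated OAuth scopes -> multi-valued attribute
        subject.append({"attributeId": "scope", "value": scope})
    if "department" in claims:
        subject.append({"attributeId": "department", "value": claims["department"]})
    return {"subject": {"attribute": subject},
            "resource": {"attribute": [{"attributeId": "resource-id", "value": resource_id}]},
            "action": {"attribute": [{"attributeId": "action-id", "value": action_id}]}}


# Constructed sample key, claims and token (not real secrets or real users)
SAMPLE_KEY = b"example-shared-secret-not-for-production"
SAMPLE_CLAIMS = {"sub": "alice", "scope": "records:read", "department": "cardiology", "exp": 1_700_000_000}
SAMPLE_TOKEN = mint_jwt(SAMPLE_CLAIMS, SAMPLE_KEY)

if __name__ == "__main__":
    print(json.dumps(xacml_request_from_jwt(SAMPLE_TOKEN, SAMPLE_KEY, "hello", "say", now=1_699_999_000), indent=2))
```

With the token's scopes and department carried as subject attributes, the XACML policy, not the token issuer, becomes the place where a scope is turned into an actual permission, which is the missing declarative policy layer the slides point out in OAuth.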

On the further simplification of XACML

§  REST and JSON profiles greatly simplify the developer experience

§  See David Brossard’s workshop material from Sunday

§  But what about the policy language?

SCIM + XACML

Questions? Thank you for listening