1 Introduction Product Description Strengths and Challenges Copyright... 6

Transcription

1 KuppingerCole Report EXECUTIVE VIEW by John Tolbert September 2017 offers an authorization solution that provides Policy Based Access Control (PBAC) for common on-premise, SaaS, and even homegrown applications. s scalable technology enables customers to easily externalize authorization decisions from applications, achieving higher efficiencies, more fine-grained access controls, and improved security. by John Tolbert jt@kuppingercole.com September 2017 Content 1 Introduction Product Description Strengths and Challenges Copyright... 6 Related Research Advisory Note: Unifying RBAC and ABAC in a Dynamic Authorization Framework Report No.: 70358

2 1 Introduction Identity and Access Management (IAM) is a complex discipline and technologies composed of elements such as identity vetting, assurance, credential issuance, authentication, authorization, reconciliation, and governance and lifecycle management. Each of these components are necessary for a strong IAM infrastructure and cybersecurity. In recent years, many conceptual and technical advancements have been made in these areas. Authentication technologies, including multi-factor, risk adaptive, and biometrics, have received the most fanfare and press. But, once a user or device is authenticated, it still must be authorized. Authentication is usually defined as the process of proving or demonstrating that a user, device, or now even an application is what it says it is. Username/password authentication has been the norm for decades, but is insecure and is increasingly being phased out where possible. New authenticators, such as USB keys, Smart Cards, and mobile biometrics are becoming more popular. Authorization is the process of determining whether a user, device, or application should be allowed to perform an operation. Many factors influence access control decisions, including but not limited to: User attributes - group membership, roles, nationality, clearance, customer type/status, authentication strength Resource attributes resource type, classification, sensitivity, file type, application type Environmental attributes geo-location of requester, IP address, security posture of requesting device, user behavioral analysis, user history Action attributes type of request: create, read, update, delete, etc. OASIS XACML (extensible Access Control Markup Language) and IETF OAuth are two notable standards for access control. XACML defines an access control architecture, policy language, and request/decision/response protocol, based on XML. XACML now includes REST and JSON profiles for modern applications. OAuth uses the bearer-token approach for a decentralized, federated authorization model. OAuth 2.0 tends to be more widely utilized across the web, and is extensible: OpenID Connect and User Managed Access are built around OAuth 2.0. Applications today are ever more complex, with dependencies on other applications and factors that must be considered before granting users access. Authentication is a necessary first step, but finegrained authorization in accordance with specific policies is an increasingly common business requirement, especially in industries such as finance, health care, pharmaceutical, defense, aerospace, and insurance., headquartered in Israel, was founded in The company focuses on delivering fine-grained authorization functionality that scales for large enterprise applications. realizes that sometimes the same access control policies apply across many different applications and computing environments. To achieve economies of scale and better security, authorization in many cases should occur outside individual applications. The company is partnering with other technology vendors and has customers on several continents in the financial sector. Report No.: Page 2 of 8

3 2 Product Description is Linux-based authorization engine, which can be deployed either on-premises or in IaaS providers such as Amazon AWS or Microsoft Azure. is designed to centralize access control policies and facilitate externalized authorization across the enterprise. Most access decisions in enterprises today are governed by static policies. Access control decisions happen in almost every application, in IAM and IGA systems, network devices, and API gateways. Group membership and roles are the two most prevalent attributes used for determining access to digital resources. These two attributes can easily be stored in LDAP or Active Directory repositories, and they generally do not change frequently. In many cases then, enterprise authorization occurs as application administrators write access control policies referencing group membership or roles. Given that most applications do not share or integrate security models, these access control policies must be built on a per-application basis, further compounding the access control problem. All large organizations have written security policies, are subject to a variety of regulations, and need to enforce Segregation of Duties. These types of policies may need to be applied evenly across the enterprise, but are difficult to centrally publish, manage, and enforce. In places where dynamic context information is needed, often it is performed with an adaptive authentication solution, which evaluates certain risk factors such as where and how a user is attempting to authenticate. These adaptive authentications solutions help solve real business problems, and may, in fact, be considered authorization solutions; however, they do not address all complex access control scenarios that businesses commonly encounter. For that, dedicated authorization engines are needed. implements what they term Policy Based Access Control (PBAC), which is a union of the older Role Based Access Control (RBAC) and the newer Attribute Based Access Control (ABAC) models. Thus, provides support for RBAC systems while allowing enterprise administrators to take advantage of more attributes, including environmental conditions, for more granular access control policies. defines access policies as composed of business policy and implementation policy. The business side contains elements such as identities, roles, attributes, conditions, and entitlements. Entitlements are granted or assigned by other provisioning systems. The implementation component of the policy covers applications and resources, which may include documents, other unstructured data files, devices, or other applications. supports XACML 2.0, and some elements of 3.0, such as Obligations. In addition to the XACML protocol, adheres to the XACML reference architecture, mapped below: Policy Administration Point (PAP) Management Console / Dynamic Authorization Management Policy Information Point (PIP) Dynamic Information Provider Policy Decision Point (PDP) Dynamic Authorization Server Policy Enforcement Point (PEP) Dynamic Authorization Provider Report No.: Page 3 of 8

4 The Management Console allows enterprise administrators to graphically build policies without needing an in-depth understanding of complex XACML syntax. Admins can select identity stores, applications, and resources, and drill down to choose which attributes and conditions are necessary for permit or deny decisions. Moreover, the Management Console provides a sandbox to test the effects of policies and policy changes prior to rolling them out across an enterprise. Strong authentication via LDAP, AD, IWA, x.509, etc., to the management console can be configured, as it supports JBoss, however the default is username/password. The Dynamic Information Provider provides an abstraction layer between the policy administrator and the underlying repositories, which can include Active Directory, LDAP, SQL, or RDF. Administrators can also craft custom calls via REST APIs. The Resource Repository is based on RDF, and is addressed via a SPARQL interface. Auxiliary data repositories can be defined, including endpoint security and patch management systems, in order to get up-to-date information about devices security posture at runtime. The Dynamic Authorization Server, though XACML 2.0 conformant, does not process access requests in XACML or XML natively. Therefore, access control policies do not need to be stored in separate LDAP or SQL databases. Dynamic Authorization Server stores policies in process using a graph database. By storing the policies in an optimized but non-standard way, and by running the graph database in the main executable process, is able to evaluate policies and relevant attributes more expeditiously. Rather, for performance enhancement reasons, utilizes a proprietary authorization mechanism. The Management Console can, however, output policy in JSON, which can then be converted to XACML or XML for import into other systems. Administrators can write policies that draw attribute information from disparate repositories. Though a master identity repository must be defined, additional user or resource data can be retrieved and evaluated as needed. Administrators can either use virtual directory interfaces, or use the Management Console to define and utilize multiple Dynamic Information Providers per policy. The Dynamic Authorization Server can also allow for attribute normalizations between systems. For example, Department may be the attribute name in one repository, whereas Business Unit may be its equivalent in another repository that is called for policy evaluation. Administrators can define the attribute mapping in the Management Console, which is then interpreted as a Virtual Identity Type by the Dynamic Authorization Server. The Dynamic Authorization Server can also evaluate conditions, or environmental attributes in XACML parlance. Conditions may include authentication method, date, time, location, events, and other parameters as needed. Events can be triggered by external systems using a feed provided by the system, and thus influence the access decision. The Dynamic Authorization Provider can interface with IAM and WAM systems. It also integrates with SailPoint, IBM, Okta and CA Technologies. In the case of CA Technologies SSO / Siteminder, can read and write its SSO cookies. Dynamic Authorization Provider can directly serve as a PEP for applications which support externalized authorization: the JAAS plug-in can be deployed either in conjunction with the Dynamic Authorization Provider, or co-located with calling applications for improved performance. The Dynamic Authorization Provider can also be configured to cache authorization request results to improve performance if desired. Report No.: Page 4 of 8

5 Dynamic Authorization Provider also supports OAuth 2.0. It can function as an OAuth 2.0 authorization server, responding to requests and issuing tokens and scopes. It currently supports the OAuth Assertions Framework and Token Introspection profiles. In addition to runtime authorization requests, the Dynamic Authorization Provider has a feature that calls Full Access List Client, which allows the enumeration of complete entitlement lists per identity. This feature is useful in investigations, identity governance, and auditing. For example, the results of the Full Access List Client operation can be used for access reconciliation purposes. Both the Dynamic Authorization Provider and Server save policies and operational history for auditing purposes. supports syslog, and can send all requests/responses to Kafka for further analysis by HBase, Splunk, etc. integrates with Amazon AWS, Google Apps, IBM Security Identity Manager, Microsoft Azure, Salesforce, and SailPoint IdentityIQ for additional SaaS provider authorization scenarios. Integration with Box is on the horizon. can be deployed in a hierarchical, load-balanced architecture to support geographically distributes enterprises. The product allows enterprise administrators to define the master environment, where policies are written, stored, and pushed to regional instances as necessary. Policy managment can be limited to the relevant subset for each location. Thus, Dynamic Authorization Providers are directed to local Dynamic Authorization Servers for better performance. With PSD2 coming into effect in the EU, complex authorization capabilities will be needed by both banks and Third-Party Providers (TPPs). PSD2 mandates that banks expose many of their core banking functions to TPPs via APIs. In order to prevent fraud, banks will need to put API gateways into place to protect misuse of the banking APIs. can work with API gateways, reading and issuing tokens, and perform federated fine-grained authorization to provide higher security for these exposed banking functions. Report No.: Page 5 of 8

6 3 Strengths and Challenges offers a purpose-built authorization solution that allows IAM architects to simplify authorization and entitlement management. Almost every organization must enforce compliance with pertinent regulations, internal security policies, and separation of duties. presents a toolset that gives enterprise security administrators a way to centralize policy creation, evaluation, and monitoring. With a JAAS plug-in, encourages authorization externalization. The broad protocol support promotes interoperability with existing IAM, IGA, and WAM solutions. In cases where more sophisticated authorization is needed rather than just step-up authentication, provides the capabilities to meet or exceed business requirements. Though is a young company, they have garnered a significant customer base in the financial industry. The product will benefit by supporting additional standards and upgrading support for XACML to 3.0. These features are on the roadmap. With authorization and access control, the Last Mile is usually the hardest to cross. Providing toolkits and SDKs for application integration will be needed to be able to fully allow for authorization externalization and policy centralization. Strengths Administrative GUI for writing policy obviates the need for deep XACML expertise Policy modeling tools allows administrators to test effects of policies and changes Hierarchical deployment model for distributed environments Virtual identity type allows administrators to pull attributes from multiple identity repositories without needing a dedicated virtual directory Proprietary PDP technology for high performance Standards support for interoperability Challenges XACML 3.0 not fully supported yet JWT not supported yet Needs SDK for more legacy application support Default username/password authentication to management console, though stronger methods are configurable 4 Copyright 2017 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion Report No.: Page 6 of 8

7 expressed may be subject to change without notice. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them. Report No.: Page 7 of 8

8 The Future of Information Security Today KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business. KuppingerCole, founded in 2004, is a global Analyst Company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies. For further information, please contact clients@kuppingercole.com Kuppinger Cole Ltd. Sonnenberger Straße Wiesbaden Germany Phone +49 (211) Fax +49 (211)