Authorization Survey Results & Use Cases Presentation to Concordia Working Group

Similar documents
[GSoC Proposal] Securing Airavata API

1 Introduction Product Description Strengths and Challenges Copyright... 6

EnterSpace Data Sheet

Federated Authentication with Web Services Clients

SAML-Based SSO Solution

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Virtual Machine Encryption Security & Compliance in the Cloud

Top Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk

GLOBUS TOOLKIT SECURITY

Novell Access Manager 3.1

SAML-Based SSO Solution

The EGI AAI CheckIn Service

SAP Security in a Hybrid World. Kiran Kola

Integrating AirWatch and VMware Identity Manager

NAC 2007 Spring Conference

Identity, Authentication and Authorization. John Slankas

Check Point Virtual Systems & Identity Awareness

SOLUTION ARCHITECTURE AND TECHNICAL OVERVIEW. Decentralized platform for coordination and administration of healthcare and benefits

Red Hat Single Sign-On 7.1 Authorization Services Guide

Identity in the Cloud PaaS Profile Version 1.0

PERMIS An Application Independent Authorisation Infrastructure. David Chadwick

Mashing Up, Wiring Up, Gearing Up: Solving Multi-Protocol Problems in Identity

Index. NOTE: Boldface indicates illustrations; t indicates a table. 209

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Managing Your Privileged Identities: The Choke Point of Advanced Attacks

WorldSpace Assure 1.4 for System Administrators

VMware AirWatch Tizen Guide

Identity in the Cloud PaaS Profile Version 1.0

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Mozy. Administrator Guide

Oracle Fusion Middleware

Magento GDPR Frequently Asked Questions

extensible Access Control Language (XACML)

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: MOBILE SINGLE SIGN-ON. VMware Workspace ONE

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

ArcGIS Online A Security, Privacy, and Compliance Overview. Andrea Rosso Michael Young

INDIGO-Datacloud Identity and Access Management Service

CA Adapter. CA Adapter Installation Guide for Windows 8.0

Identity Management for Networks

The Modern Web Access Management Platform from on-premises to the Cloud

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

Access Management and Identity Federation for the Connected World

CERTIFICATE POLICY CIGNA PKI Certificates

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

Coveo Platform 7.0. Yammer Connector Guide

Integration Guide. SafeNet Authentication Service. Protecting Microsoft Internet Security and Acceleration (ISA) Server 2006 with SAS

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

Warm Up to Identity Protocol Soup

Access Control Service Oriented Architecture

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Liferay Security Features Overview. How Liferay Approaches Security

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Oracle Service Cloud. Release 18D. What s New

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

SWAMID Identity Assurance Level 2 Profile

IBM Security Access Manager Version 9.0 October Product overview IBM

TECHNICAL WHITE PAPER DECEMBER 2017 VMWARE HORIZON CLOUD SERVICE ON MICROSOFT AZURE SECURITY CONSIDERATIONS. White Paper

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

CSE 565 Computer Security Fall 2018

Security context. Technology. Solution highlights

Business White Paper IDENTITY AND SECURITY. Access Manager. Novell. Comprehensive Access Management for the Enterprise

Securing ArcGIS Server Services An Introduction

From UseCases to Specifications

W H IT E P A P E R. Salesforce Security for the IT Executive

eidas Regulation eid and assurance levels Outcome of eias study

Oracle Audit Vault. Trust-but-Verify for Enterprise Databases. Tammy Bednar Sr. Principal Product Manager Oracle Database Security

Getting Started with VMware Horizon Cloud Service on Microsoft Azure

DEPLOYING MULTI-TIER APPLICATIONS ACROSS MULTIPLE SECURITY DOMAINS

DIX BOF Digital Identity exchange. 65 th IETF, Dallas March 21 st 2006

A Practical Step-by-Step Guide to Managing Cloud Access in your Organization

The Device Has Left the Building

Session 2: Understanding the payment ecosystem and the issues Visa Europe

VMware Identity Manager Administration

Q u e s t i o n m a r k C o n f e r e n c e

CLI users are not listed on the Cisco Prime Collaboration User Management page.

AAA and the Local Database

Trust Eleva,on Architecture v03

THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS

Electronic ID at work: issues and perspective

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4

Oracle Access Manager Integration Oracle FLEXCUBE Payments Release [Feb] [2018]

Security in the Privileged Remote Access Appliance

Square up. AWS Multi-Account Configuration Guide

Managing BYOD Networks

R E F E R E N C E TCG. Trusted Multi-Tenant Infrastructure Work Group. Use Cases. Version 1.1. November 15, 2013

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

INFORMATION ASSURANCE DIRECTORATE

Architecture Assessment Case Study. Single Sign on Approach Document PROBLEM: Technology for a Changing World

IBM Fundamentals of Applying Tivoli Security and Compliance Management Solutions V2.

SSO Integration Overview

Identity in the Cloud Outsourcing Profile Version 1.0

Transcription:

Authorization Survey Results & Use Cases Presentation to Concordia Working Group Identity and Authorization Services Working Group (IAS-WG) John Tolbert (Boeing) Gavin Illingworth (BMO Financial Group) July, 2010

Agenda Today we will cover the following topics: 1. Overview of Identity & Access Working Group 2. Results of the AuthZ survey conducted by John Tolbert 3. Review seven sample AuthZ Use Cases we have gathered 2

Overview of IAS-WG objectives Grew from an informal identity group hosted by Burton Group Kevin Kampman and Anne Thomas Manes Chartered in Kantara Dec 2009 20 voting and non-voting members to-date A primary objective is to develop a logical architecture for AuthZ, similar to the one the original group developed for AuthN 3

Question Summary Survey conducted during January March 2010 22 respondents replied anonymously through the Concordia mailing list 1. To help us understand the context of your answers we'd like to know how many users your organization is authorizing? 2. What are the primary use cases and/or business drivers for authorization? 3. Do you currently have a centralized access management system? 4. What type of access management system do you use? 5. Which access control models are supported by your access management system? 6. What types of factors/assertions/claims are supported by your access management system? 7. Does your access management system provide for policy lifecycle management? 8. Does your access management system provide mechanisms for sharing and/or distribution of policies? 9. Does your access management system support the following protocols (Current/Future)? (check all that apply) 10. With which other types of systems does your access management system integrate? (Current/Future) 11. Rate the following features of an access management system in terms of importance for your deployment: 12. Rate your organization's maturity in its ability to manage its information sufficiently for effective and compliant access control to sensitive data resources. 13. Additional comments regarding access management systems: 14. If you are willing to have a follow up conversation, please provide the following information. We will not use this information for any other purpose and will delete it once the survey is processed. 4

Question 1 1. To help us understand the context of your answers, how many users your organization is authorizing? 5

Question 2 2. What are the primary use cases and/or business drivers for authorization? 14 12 10 8 6 4 2 0 National security Export compliance Intellectual property protection Privacy Need-to-know Sector regulatory compliance (HIPAA, SOX, etc.) 6

Questions 3 and 4 3. Do you currently have a centralized access management system? Yes = 13 No = 8 5. What type of access management system do you use? COTS = 11 Custom = 9 Decentralized = 10 7

Question 5 5. What type of access management system do you use? 12 10 8 6 4 2 0 RBAC ABAC DAC 8

Question 6 6. What types of factors/assertions/claims are supported by your access management system? 25 20 15 10 5 0 Identity and authority based Resource based Environmental based 9

Questions 7 and 8 7. Does your access management system provide for policy lifecycle management? Yes = 7 No = 15 8. Does your access management system provide mechanisms for sharing and/or distribution of policies? Yes = 8 No = 14 10

Question 9 9. Does your access management system support the following protocols (Current/ Future)? (check all that apply) 20 18 16 14 12 10 8 6 4 2 0 XACML SAML LDAP SQL Proprietary/custom 11

Question 10 10. With which other types of systems does your access management system integrate? (Current/ Future) 12

Question 11 11. Rate the following features of an access management system in terms of importance for your deployment: 13

Survey Conclusions Reliability, scalability, performance, extensibility, and support for standards are critical. Most respondents do not consider themselves very mature in the authorization space. More use of centralized authorization systems reported than anticipated. 14

AuthZ Use Case 1 - Web SSO via Web Access Management (WAM) System Principal User/device Environment Time/Location PEP WAM plug-in Target Resource HTML or web app PDP WAM Server PIP LDAP PAP WAM console 15

Use case details Web SSO via Web Access Management (WAM) System Author: Brief Description: Goal: Actors: Initial conditions: Steps or flow: Post-conditions: John Tolbert Human user requesting access to an html document protected by a web access management system (WAM). Policy information stored in LDAP, authored within WAM. Human user gains access to authorized document or application. User, PEP, PDP, PIP, PAP, resource. User clicks link to protected resource User clicks link to protected html resource; WAM plug-in on host system asks PDP if the user can get access; PDP relies on pre-authored LDAP policy data; PDP returns result to PEP, host system delivers document to user. Transaction logged. Non-functional requirements: Business rules: Issues: Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. PEP and PDP deployments in this case are limited to platforms served by the WAM agent and server. 16

AuthZ Use Case 2 - Web SSO via SAML Principal User/device Environment Time/Location PEP SAML-enabled Web app Target Resource HTML or web app PDP SAML server PIP LDAP PAP LDAP & SAML consoles 17

Use case details Web SSO via SAML Author: Brief Description: Goal: Actors: Initial conditions: Steps or flow: Post-conditions: John Tolbert Human user requesting access to an html document protected by a web application that accepts SAML assertions. Policy information stored in LDAP, authored within LDAP/SAML/other utilities. Human user gains access to authorized document or application. User, PEP, PDP, PIP, PAP, resource. User clicks link to protected resource User clicks link to protected html resource; SAML assertion with appropriate attributes created and passed to application; application on host system asks PDP if the user can get access; PDP relies on pre-authored LDAP policy data; PDP returns result to PEP, host system delivers document to user. Transaction logged. Non-functional requirements: Business rules: Issues: Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. PEP and PDP deployments in this case are limited to platforms served by the SAML-enabled application. 18

AuthZ Use Case 3 File access mediated by operating system (OS) Principal User/device Environment Time/Location PEP OS Target Resource File PDP OS PIP OS PAP OS utilities 19

Use case details File access mediated by operating system (OS) Author: Brief Description: Goal: Actors: Initial conditions: Steps or flow: Post-conditions: John Tolbert Human user requesting access to a file controlled by an operating system (OS). Policy information stored within OS structures, authored by OS utilities. Human user gains access to authorized document or application. User, PEP, PDP, PIP, PAP, resource. File created with permissions, access determined in advance by entitlement creation using OS utilities. User attempts to access a file protected by an OS. OS makes decision based upon entitlements created by OS utilities. File delivered to user. Transaction logged. Non-functional requirements: Business rules: Issues: Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. PEP and PDP deployments in this case are dependent on the OS and its mechanisms. 20

AuthZ Use Case 4 remote network access to virtual private network (VPN) Principal User/device Environment Time/Location PEP VPN Target Resource Network PDP RADIUS PIP RADIUS DB PAP RADIUS utilities 21

Use case details remote network access to virtual private network (VPN) Author: Brief Description: Goal: Actors: Initial conditions: Steps or flow: Post-conditions: John Tolbert Human user and/or requesting access to a network controlled by a VPN device. Policy information stored within RADIUS (or TACACS or LDAP), authored by RADIUS utilities. Human user gains access to authorized network. User, PEP, PDP, PIP, PAP, resource. Entitlements created in advance by RADIUS utilities. VPN client software installed. User attempts to access a remote network. VPN device makes decision based upon entitlements created. Network access granted to user. Transaction logged. Non-functional requirements: Business rules: Issues: Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, citizenship, etc. PEP and PDP deployments in this case are dependent on the OS and its mechanisms. 22

AuthZ Use Case 5 Database access using local DB accounts Principal User/device Environment Time/Location PEP DB Target Resource Rows, columns, or tables PDP DB PIP DB security tables PAP DB utilities 23

Use case details Database access using local DB accounts Author: Brief Description: Goal: Actors: Initial conditions: Steps or flow: Post-conditions: John Tolbert Human user requesting access to data stored in a database. Policy information stored in internal database security structures (user, group, permissions tables), created by DB utilities. Human user gains access to authorized document or application. User, PEP, PDP, PIP, PAP, resource. User executes SQL query against database. User executes SQL query against database. Database security functions match user context information against pre-configured values in the user, group, and permissions table structures within the database itself. If conditions are met, results will be returned. Transaction logged. Non-functional requirements: Business rules: Issues: Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. PEP and PDP deployments in this case are limited to platforms which can operate within the database program. 24

AuthZ Use Case 6 Database access via web application Principal Web app/ Service account Environment Time/Location PEP DB Target Resource Rows, columns, or tables PDP DB PIP DB security tables PAP DB utilities 25

Use case details Database access using Database access via web application Author: Brief Description: Goal: Actors: Initial conditions: Steps or flow: Post-conditions: John Tolbert Human user requesting access to data stored in a database via a web application. Policy information stored in internal database security structures (user, group, permissions tables), created by DB utilities. Human user gains access to authorized document or application. User, PEP, PDP, PIP, PAP, resource. User clicks link in web application that launches a SQL query against a back-end database. User clicks link in web application that launches a SQL query against a backend database. Web application executes SQL query on behalf of the user, either using impersonation or a service account. Database security functions match user or service account context information against pre-configured values in the user, group, and permissions table structures within the database itself. If conditions are met, results will be returned. Transaction logged. Non-functional requirements: Business rules: Issues: Optional rules to consider include regulations (export, HIPAA, SOx), privacy, intellectual property controls, national security, need-to-know, etc. PEP and PDP deployments in this case are limited to platforms which can operate within the database program. WAM may also front-end the web application. 26

AuthZ Use Case 7: Multi-channel access to financial service Typical self-serve channels include online, ABM, IVR, Mobile Principal Involved Party/channel Environment Channel type*, Location PEP Channel Credential Collector Target Resource Financial web Application or service PDP AuthZ Web Service PIP LDAP Policy Store PAP Admin point 27

Use case details: Multi-channel access to financial services Author: Brief Description: Gavin Illingworth Involved Party (IP) is a subject who may play a role of (bank) customer, guarantor, trustee or similar. IP uses bank-issued credentials to first authenticate to a channel. IP is then authorized to access one or more services. Which services are permitted depends on the following factors: Goal: Actors: Managed access to financial applications User, PEP, PDP, PIP, PAP, resource. Initial conditions: Subject has authenticated to a channel. Subject has been assigned several credentials of varying strength. Steps or flow: 1. Subject authenticates to channel 2. Authentication Service gets channel properties, credential, credential type and assurance level of identity 3. The assurance level assigned to a subject at registration time (depends on bona fides, such as driver s license, submitted by the subject at a branch). This is a static value 4. A session assurance level is calculated as determined by the strength of the supplied credential and channel properties, such as channel type and location 5. Uses authorization rules in the Policy Store to calculate decisions 6. The session assurance value is used (in prior step) to assess what entitlements are operational during the session. 7. Returns authorization decision back to the invoking applications. 8. The conditional return value may result in a request to the customer/user to provide additional credentials to increase the session assurance level (stronger credential). 9. Subject may be granted resource access 28

Use case details: Multi-channel access to financial service (2) Business rules: Issues: The list of services during a session is not fixed, but is dynamically calculated as shown. The implication for the UI is that, although there is a list of (all) available services determined by entitlements (at enrolment time), the authorization decision during a session may render some of them non-permissible. Do you present both and remind the subject that additional AuthN is required for any services greyed out in the session? Or do you present only the ones permissible for that AuthZ decision? 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback