This document discusses fine-grained authorization for web services. It begins by explaining the difference between fine-grained and coarse-grained authorization, and the challenges of implementing fine-grained authorization. It then discusses how to leverage existing identity infrastructure and use policy enforcement intermediaries to enforce entitlement policies. The document provides examples of how conditions can be used for fine-grained authorization requests. It also summarizes the Layer 7 SecureSpan solution, which uses a Policy Decision Point and Policy Enforcement Point to intercept requests and make authorization decisions based on policies.
Fine grained authorization for Web Services
1. Fine grained authorization for Web Services
Jonathan Gershater
Solution Architect
http://www.layer7tech.com
2. What you will learn in this session
1. The difference between fine grained and coarse grained authorization
2. The challenge with implementing fine grained authorization in service based architectures
3. How to leverage existing identity infrastructure for entitlements management
4. How to use policy enforcement intermediaries to enforce entitlement preferences
March 2008
4. Traditional enterprise security
Protected by:
• A gate-keeper firewall primarily offering network-level TCP/IP protection.
• URL-only protection using agent-based SSO solutions.
5. The New Enterprise: SaaS, Web 2.0, Legacy
The challenge:
• Mixed application and integration environment
• Diverse credential requirements
• Existing SSO and user directories
• No centralized policy control and audit
• Services requiring fine grained authorization
8. Web Services authentication: the Many-To-Many problem
(Diagram: many token types on the request side, many authentication sources on the back end, with Web Services authentication in the middle having to map every token type to every source.)
Tokens carried by the request:
• Transport level (HTTP header, X.509, etc.)
• Message level (UTP, X.509, ...)
Authentication sources:
• LDAP directory
• Proprietary IAM
• Certificate servers (OCSP, CRLs, etc.)
• etc.
9. Complexity grows!
• Multi-platform, multi-development environment: .NET, J2EE frameworks, other
• Support mobile users / disconnected applications
• Support conditional expressions for authorization
• Use existing authentication sources
10. Quick review of AAA
•Authentication – who are you?
•Authorization – what can you do?
•Auditing – who did what?
11. What is coarse versus fine grained authorization?
What is authorization?
Coarse grained authorization (static):
• By job role
• By IT defined role
• By group membership
Fine grained authorization (dynamic):
• By transaction type
• By time of day or day of week
12. Sample fine grained AZ (authorization) request
Stock quote can be anonymous.
Stock purchase during trading hours must be:
• Authenticated
• over SSL
• within working hours
• not from a suspect network
(user=Name_of_Stockbroker)
AND
(SSL=TRUE)
AND
((hour > 6am) AND (hour < 1pm))
AND
(ip_address_segment != 155.154.133.0)
13. Solution
A Policy Decision Point (PDP) that intercepts and examines XML packets at the application layer (in XACML terms the interception itself is the Policy Enforcement Point role; the gateway described on slide 20 plays both roles):
• Identifies the service endpoint
• Authenticates the requester, with support for diverse credential types
• Integrates with diverse SSO, federation and user directories
• Performs fine-grained authorization of an operation within a service
• Credential chaining and translation
• SAML issuing for downstream consistency
16. Other solutions – an XACML query
The Policy Enforcement Point (PEP) makes an XACML query to a Policy Decision Point (PDP):
• The PEP sends an XACMLAuthzDecisionQuery
• The PDP returns an XACMLAuthzDecisionStatement
(These element names come from the SAML 2.0 profile of XACML, which wraps the XACML request and response in SAML messages.)
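The following is an added example, not code from the original deck or from any Layer 7 product. It ties slide 12 and slide 16 together: a small Policy Enforcement Point serialises what it knows about an intercepted call as an XACML 2.0 style request context, and a minimal Policy Decision Point evaluates the slide-12 stock-purchase conditions against that context and returns an XACML Response carrying Permit, Deny, NotApplicable or Indeterminate. The XACML context namespace and the subject/resource/action attribute ids are the standard ones; the urn:example:* environment attribute ids, the stock-service resource id, the stockbroker list and the reading of the slide's suspect segment as a /24 are assumptions made for this example. The hour window is encoded exactly as the slide's expression states it (after 6 and before 13), even though the bullet above it says "working hours".

```python
"""PEP -> PDP exchange for the slide-12 stock-purchase policy.
Added example; not code from the deck or from Layer 7.  Standard XACML
namespace and attribute ids; urn:example:* ids, STOCK_SERVICE,
STOCKBROKERS and the /24 reading of the suspect segment are assumptions.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
ET.register_namespace("xacml-context", NS)
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
ENV_SSL = "urn:example:env:ssl"              # assumed attribute ids
ENV_HOUR = "urn:example:env:hour"
ENV_SRC_IP = "urn:example:env:source-ip"
ANONYMOUS = "urn:example:anonymous"          # assumed marker: no credential presented
STOCK_SERVICE = "urn:example:stock-service"  # assumed resource id
STOCKBROKERS = {"jdoe"}                      # assumed; the slide's Name_of_Stockbroker
SUSPECT_NET = ipaddress.ip_network("155.154.133.0/24")  # slide's segment, read as a /24


# --- PEP side ---------------------------------------------------------------
def build_request(user, resource, action, ssl, hour, src_ip):
    """Build the XACML Request the PEP sends. user=None means the caller
    presented no credential (the anonymous stock-quote case)."""
    req = ET.Element(f"{{{NS}}}Request")

    def add(category, attr_id, value):
        cat = req.find(f"{{{NS}}}{category}")
        if cat is None:
            cat = ET.SubElement(req, f"{{{NS}}}{category}")
        attr = ET.SubElement(cat, f"{{{NS}}}Attribute",
                             AttributeId=attr_id, DataType=STRING)
        ET.SubElement(attr, f"{{{NS}}}AttributeValue").text = str(value)

    add("Subject", SUBJECT_ID, ANONYMOUS if user is None else user)
    add("Resource", RESOURCE_ID, resource)
    add("Action", ACTION_ID, action)
    add("Environment", ENV_SSL, "true" if ssl else "false")
    add("Environment", ENV_HOUR, hour)
    add("Environment", ENV_SRC_IP, src_ip)
    return ET.tostring(req, encoding="unicode")


def enforce(**call):
    """PEP entry point: query the PDP and return the decision string."""
    response_xml = decide(build_request(**call))
    return ET.fromstring(response_xml).findtext(f".//{{{NS}}}Decision")


# --- PDP side ---------------------------------------------------------------
def _attr(root, category, attr_id):
    """First AttributeValue of one attribute in a category, or None."""
    path = (f"./{{{NS}}}{category}/{{{NS}}}Attribute[@AttributeId='{attr_id}']"
            f"/{{{NS}}}AttributeValue")
    found = root.findall(path)
    return found[0].text if found else None


def evaluate(request_xml):
    """Apply the slide-12 conditions. Returns Permit, Deny, NotApplicable
    (policy does not cover the resource) or Indeterminate (a required
    attribute is missing or malformed, so the PDP cannot decide)."""
    root = ET.fromstring(request_xml)
    if _attr(root, "Resource", RESOURCE_ID) != STOCK_SERVICE:
        return "NotApplicable"
    action = _attr(root, "Action", ACTION_ID)
    if action == "quote":
        return "Permit"                     # stock quote can be anonymous
    if action != "purchase":
        return "Deny"                       # default deny for unknown operations
    try:
        user = _attr(root, "Subject", SUBJECT_ID)
        ssl = {"true": True, "false": False}[_attr(root, "Environment", ENV_SSL)]
        hour = int(_attr(root, "Environment", ENV_HOUR))
        src = ipaddress.ip_address(_attr(root, "Environment", ENV_SRC_IP))
    except (KeyError, TypeError, ValueError):
        return "Indeterminate"
    ok = (user in STOCKBROKERS              # (user=Name_of_Stockbroker)
          and ssl                           # (SSL=TRUE)
          and 6 < hour < 13                 # ((hour > 6am) AND (hour < 1pm))
          and src not in SUSPECT_NET)       # (ip_address_segment != 155.154.133.0)
    return "Permit" if ok else "Deny"


def decide(request_xml):
    """PDP entry point: wrap the decision in an XACML Response."""
    resp = ET.Element(f"{{{NS}}}Response")
    result = ET.SubElement(resp, f"{{{NS}}}Result")
    ET.SubElement(result, f"{{{NS}}}Decision").text = evaluate(request_xml)
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    print(enforce(user=None, resource=STOCK_SERVICE, action="quote",
                  ssl=False, hour=3, src_ip="155.154.133.9"))   # Permit
    print(enforce(user="jdoe", resource=STOCK_SERVICE, action="purchase",
                  ssl=True, hour=10, src_ip="155.154.133.9"))   # Deny
```

The PEP never evaluates policy itself; it only gathers attributes it can vouch for (the authenticated subject, whether the channel was TLS, the source address) and forwards them, which is what keeps a change of policy from requiring a change to the intermediary or to the service. The Indeterminate branch matters in practice: an attribute the PEP forgot to send should surface as a PDP error rather than silently becoming a Permit.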
18. Layer 7 solution for fine grained authorization
Policy Decision Point (PDP):
• Highly available / clustered
• Integrates with several Web Single Sign-On and Policy Decision Point sources
• Supports any information store: databases or Secure Token Services
• Generates the appropriate SAML assertion for authorization decisions
19. Appliance, software or virtual machine solution
(Diagram: a message-level intermediary between services and requesters, with internal application consumers and external application consumers on one side and the application services on the other.)
20. Layer 7 SecureSpan Gateway
Runtime Governance - Policy Enforcement Point
(Diagram: the PEP sits in front of the services.)
• The PEP validates policy compliance and applies security decorations.
• Security requirements are defined by an administrator.
• Policies become effective independently of the actual services.
21. SecureSpan Solution Advantages, Differentiators
• Sophisticated policy language enables complex governance requirements
• Available as a hardware appliance with XML accelerator or as software
• Quick deployment, ease of use
• Extensible through APIs
• Instant policy application (no service downtime)
• Standards based
• Industry leadership
22. Thanks and questions
Jonathan Gershater
jg@layer7tech.com
http://www.layer7tech.com
http://layer7blog.blogspot.com/