Presentation of Authzforce project, OWcon'19, June 12-13, 2019, Paris.
Slide 4
OPEN
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2015 All rights reserved.
June 2019
Thales / Template : 87204467-DOC-GRP-EN-002
AuthzForce overview - Why
By 2020, the majority of enterprises will use attribute-based access control
(ABAC) as the dominant mechanism to protect critical assets, up from less
than five percent today.
--Gartner
Source: 2013 ISSA International Conference, The Gartner Identity and Access Management Scenario, 2014-2020.
Slide 6
AuthzForce – What?
▌ Attribute-Based Access Control framework (NIST standard)
100% XACML standard compliant (OASIS standard)
▌ AuthzForce & OW2 (Gitlab, award 2016, etc.)
▌ Latest news
Thales now contributes to the standard (although not XACML TC member)
CLI tool for quick & easy testing
XACML JSON Profile standard (v1.1 released 03/2019)
Other REST/JSON API improvements
Improved packaging (.deb, Docker), quality check, unit tests…
▌ Use cases
Domains: cloud, Big Data, IoT, 5G, telephony, real-time multimedia, crisis management, etc.
Collaborative projects: Easi-clouds, openCloudware, AU2EU, FIWARE, CHOReVOLUTION, 5G-ENSURE, SENDATE, DRIVER+, PODIUM…
THALES business
Slide 8
Use case focus – Matrix framework overview
▌ Matrix/Synapse/Riot: what’s that?
▌ Thales interest
Thales Citadel
Also used by French government: Tchapp
▌ Security limitations for enterprise use (in Synapse)
No strong auth, SSO (except CAS) or identity federation out-of-the-box
Designed for DAC (Discretionary Access Control) only, not RBAC/ABAC/MLS:
- Each room admin is responsible for the AC policy on his/her own room(s)
- The room admin assigns permissions/roles (power levels) to each user individually
▌ Good news in latest Matrix framework developments:
Matrix Client-Server API: latest spec (still labeled "unstable") supports SSO
Client-side implementation: generic Web SSO support in Riot-web and Riot-Android clients (2019 versions)
Server-side implementation: Synapse extensible with custom auth modules
Matrix rooms now support tags (not yet usable in the Riot UI, only via the web API), which can carry security labels
Slide 10
FIDO for (strong) authentication
▌ FIDO UAF/U2F/2.0 & WebAuthn standards
▌ Standard user-friendly & developer-friendly strong authentication framework for smartphones, tablets, PCs, etc.
▌ Max interop within FIDO alliance (GAFAMI, most OS & device vendors)
▌ Large choice of cheap FIDO products for USB/Bluetooth/NFC, biometrics, etc.
Slide 21
Why XACML for ABAC
▌ OASIS standard: XACML = eXtensible Access Control Markup Language
▌ Why XACML?
Standard technical implementation of ABAC
Rationale: the enterprise security policy (if one exists) is managed in different places (HR, Legal, Finance, IT, etc.) and enforced at many points: network access, mail, intranet, business apps, etc.
Assurance that your enterprise access control policy (including "best practices") is consistently applied globally is VERY VERY HARD to get when using different technologies and languages everywhere
▌ XACML is the only international standard that defines concrete languages and models for:
Expressing security policy
Authorization decision request-response format
Slide 24
XACML Request
A request is a set of attribute categories (category subject, category resource, category action, …, category n). Each category x holds attributes, and each attribute Y has:
- Attribute ID (subject-id, subject-role, …)
- Attribute Type (string, date, integer, …)
- Attribute Value (romain, 1970-01-01, …)
Slide 26
Scenario
Request attributes: subject-id=charles, resource-id=MissionManager, mission-id=47, action-id=update
Components: PEP (in the MissionManager application), PDP, LDAP, Mission Database
The PDP resolves the attribute it is missing ("Get members of mission 47?") from the Mission Database; LDAP is the other attribute source.
<!-- Schematic rule as drawn on the slide: MatchId, DataType and Category values are
     shortened from their full XACML URIs, and the Condition is sketched as a second
     Target. In XACML 3.0 a Condition holds an Apply expression; that form is also what
     an attribute-to-attribute test such as subject-id vs mission-member requires,
     because a Match always compares a designator against a literal AttributeValue. -->
<Rule RuleId="update_Mission" Effect="Permit">
  <Description>update_Mission_Rule</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="string-equal">
          <AttributeValue DataType="string">update</AttributeValue>
          <AttributeDesignator AttributeId="action-id"
                               Category="Action" DataType="string"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Condition>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="string-equal">
            <AttributeValue DataType="string">Mission_Manager</AttributeValue>
            <AttributeDesignator AttributeId="subject-role"
                                 Category="Subject" DataType="string"/>
          </Match>
          <Match MatchId="string-equal">
            <AttributeValue DataType="string">Activity_Manager</AttributeValue>
            <AttributeDesignator AttributeId="subject-role"
                                 Category="Subject" DataType="string"/>
          </Match>
          <!-- "subject-id" here stands for the subject-id attribute of the request,
               not the literal string -->
          <Match MatchId="string-at-least-one-member-of">
            <AttributeValue DataType="string">subject-id</AttributeValue>
            <AttributeDesignator AttributeId="mission-member"
                                 Category="Resource" DataType="string"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Condition>
</Rule>
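As an added worked example (my code, not AuthzForce code and not from the slides): a small Python mock of the PDP evaluating the scenario above. It builds the request the way the XACML Request slide describes (categories holding attributes with an id, type and value), laid out loosely after the XACML JSON Profile, resolves the mission members from a constructed in-memory mission database (the "Get members of mission 47?" step), and evaluates the update_Mission rule inside a one-rule policy with deny-unless-permit combining. The slide's short attribute ids and data types are used as-is instead of full XACML URIs, and the Condition is read as: the subject holds at least one of the two roles and is a member of the mission. The database contents, the request layout and that reading of the Condition are all my assumptions.

```python
"""Mini XACML-style PDP for the mission scenario on the slide.

Added example, not AuthzForce code. Uses the slide's abbreviated identifiers
(subject-id, mission-member, "string") rather than full XACML URIs, and a
constructed in-memory mission database as the PIP.
"""
import json

# Constructed mission database standing in for the "Mission Database" on the slide.
MISSION_DB = {47: {"members": ["charles", "alice"]}}


def build_request(subject_id, roles, mission_id, action_id):
    """Request as the XACML Request slide describes it: category -> attributes,
    each with an id, a data type and one or more values. Layout loosely follows
    the XACML JSON Profile (short category names, one "Attribute" list per
    category); attribute ids are the slide's short forms (assumption)."""
    return {"Request": {
        "AccessSubject": [{"Attribute": [
            {"AttributeId": "subject-id", "DataType": "string", "Value": subject_id},
            {"AttributeId": "subject-role", "DataType": "string", "Value": roles},
        ]}],
        "Resource": [{"Attribute": [
            {"AttributeId": "resource-id", "DataType": "string", "Value": "MissionManager"},
            {"AttributeId": "mission-id", "DataType": "integer", "Value": mission_id},
        ]}],
        "Action": [{"Attribute": [
            {"AttributeId": "action-id", "DataType": "string", "Value": action_id},
        ]}],
    }}


def attribute_bag(request, category, attribute_id):
    """AttributeDesignator semantics: the bag (list) of values, possibly empty."""
    bag = []
    for cat in request["Request"].get(category, []):
        for attr in cat.get("Attribute", []):
            if attr["AttributeId"] == attribute_id:
                value = attr["Value"]
                bag.extend(value if isinstance(value, list) else [value])
    return bag


def resolve_mission_members(request):
    """PIP step: the 'Get members of mission 47?' arrow on the slide.
    Returns the mission-member bag for every mission-id in the request."""
    members = []
    for mission_id in attribute_bag(request, "Resource", "mission-id"):
        members.extend(MISSION_DB.get(int(mission_id), {}).get("members", []))
    return members


def evaluate_rule(request):
    """Rule update_Mission, Effect=Permit."""
    # Target: action-id string-equal "update"; a Match succeeds if any value in the bag equals.
    if "update" not in attribute_bag(request, "Action", "action-id"):
        return "NotApplicable"
    # Condition, as read in the lead-in: one of the two roles AND mission membership.
    roles = set(attribute_bag(request, "AccessSubject", "subject-role"))
    has_role = bool(roles & {"Mission_Manager", "Activity_Manager"})
    # string-at-least-one-member-of(subject-id bag, mission-member bag)
    subject_ids = set(attribute_bag(request, "AccessSubject", "subject-id"))
    is_member = bool(subject_ids & set(resolve_mission_members(request)))
    return "Permit" if has_role and is_member else "NotApplicable"


def evaluate_policy(request):
    """Single-rule policy with deny-unless-permit combining: the request is
    denied unless the rule positively permits it."""
    return "Permit" if evaluate_rule(request) == "Permit" else "Deny"


def decide(subject_id, roles, mission_id, action_id):
    """PEP side: build the request, send it as JSON, return the PDP decision."""
    request = build_request(subject_id, roles, mission_id, action_id)
    return evaluate_policy(json.loads(json.dumps(request)))


if __name__ == "__main__":
    print(decide("charles", ["Mission_Manager"], 47, "update"))  # Permit
    print(decide("charles", ["Mission_Manager"], 48, "update"))  # Deny: not a member of 48
    print(decide("charles", ["Mission_Manager"], 47, "read"))    # Deny: target not matched
    print(decide("bob", ["Analyst"], 47, "update"))              # Deny: no qualifying role
```

The point of the PIP step is that the PEP never sends the member list itself: the PDP fetches it, so a client cannot assert its own membership.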
Slide 29
Role Based Access Control – Limitations (1/2)
▌ Role explosion example:
Roles in a bank: Teller, Supervisor, Branch director
Many bank agencies: Paris, London, Berlin
What about Teller in Paris, Teller in London, Teller in Berlin, Supervisor in Paris, Supervisor
in London…? 9 roles!
▌ RBAC / ABAC : Doctor-patient and patient-record relationships
Doctor may only access medical records of his/her own patients
If resource.type = 'MEDICAL_RECORD'
AND action.id in {'read', 'write'}
AND user.id = medical_record.doctor_id, then Permit
A patient may only access medical records about him/herself
If resource.type = 'MEDICAL_RECORD'
AND action.id = 'read'
AND user.id = medical_record.patient_id, then Permit
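As an added example (my code, not from the slides): the two medical-record rules above evaluated the ABAC way. The record's doctor_id and patient_id are looked up from a constructed record store, as a PDP would ask a PIP, and compared with the requesting user's id, so no per-patient or per-doctor role has to exist. The rules are combined first-applicable with Deny as the default, and an unknown record yields Indeterminate; the store, the user ids and those combining choices are my assumptions.

```python
"""ABAC evaluation of the doctor/patient rules on the RBAC-limitations slide.

Added example, not AuthzForce code. RECORDS is a constructed medical record
store standing in for the PIP that holds each record's attributes.
"""

# Constructed store: record id -> resource attributes.
RECORDS = {
    "rec-1": {"type": "MEDICAL_RECORD", "doctor_id": "dr_lee", "patient_id": "pat_ana"},
    "rec-2": {"type": "MEDICAL_RECORD", "doctor_id": "dr_kim", "patient_id": "pat_bo"},
    "note-1": {"type": "ADMIN_NOTE", "doctor_id": "dr_lee", "patient_id": "pat_ana"},
}


def doctor_rule(user_id, action, record):
    """Doctor may only access medical records of his/her own patients."""
    if (record["type"] == "MEDICAL_RECORD"
            and action in {"read", "write"}
            and user_id == record["doctor_id"]):
        return "Permit"
    return "NotApplicable"


def patient_rule(user_id, action, record):
    """A patient may only read medical records about him/herself."""
    if (record["type"] == "MEDICAL_RECORD"
            and action == "read"
            and user_id == record["patient_id"]):
        return "Permit"
    return "NotApplicable"


def decide_record(user_id, action, record_id):
    """first-applicable over the two rules; Deny when no rule applies."""
    record = RECORDS.get(record_id)  # PIP lookup of the resource's attributes
    if record is None:
        return "Indeterminate"       # cannot evaluate without the resource attributes
    for rule in (doctor_rule, patient_rule):
        result = rule(user_id, action, record)
        if result != "NotApplicable":
            return result
    return "Deny"


if __name__ == "__main__":
    print(decide_record("dr_lee", "write", "rec-1"))   # Permit: own patient
    print(decide_record("dr_lee", "read", "rec-2"))    # Deny: another doctor's patient
    print(decide_record("pat_ana", "read", "rec-1"))   # Permit: own record
    print(decide_record("pat_ana", "write", "rec-1"))  # Deny: patients cannot write
```

Adding a third branch or a thousandth patient changes only the stored attributes, not the policy, which is the role-explosion point of the slide.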
Slide 31
US Standardization Activities (NIST, DoD…)
▌ NIST/NCCoE publications on ABAC/XACML
- NCCoE publications on the "ABAC" building block, in partnership with Cisco, Microsoft, Symantec, RSA… [2], in particular:
– NIST Cybersecurity Practice Guide SP 1800-3 (September 2017).
- NIST SP 800-162: Guide to ABAC
- NIST SP 800-178: Comparison of ABAC standards for Data Service Applications
- NIST SP 800-192: Verification and Test Methods for Access Control Policies/Models; NIST also made a tool for editing and validating XACML policies (its GUI is very technical, expert-oriented)
▌ DoD
US Army IdAM (Identity & Access Mgt) architecture requirements include XACML
Slide 33
Code to product
▌ Source
Community: GitHub, OW2 Gitlab
Enterprise: Thales internal GitLab
▌ Continuous integration
Community: GitHub/Travis CI/Maven Central
Enterprise: internal Jenkins/Nexus
▌ Quality check
Unit tests
PMD, FindBugs + Find Security Bugs, Sonar, OWASP dependency check
CII Best Practices
FOSSA license check
▌ Documentation
OW2 wiki
AuthzForce Server (readthedocs)
▌ Ticketing system
Community: GitHub issues
Enterprise: internal Gitlab issues
▌ Conventions
Keepachangelog.com
Semantic Versioning
▌ Distribution
.deb, .tar.gz, Docker