Posts Tagged ‘Todd Rossin’

« Older Entries

Writing Policy in an XACML World

Wednesday, September 21st, 2011

There is a lot of chatter going on right now in trying to figure out who will be responsible to write those nagging IF, THEN, ELSE statements that will be the norm in the XACML implementations around the world.  So who should write the policies to begin with?  That is a question I think needs to be broken down into a few components before it can be answered.

1)      Education – How do I write XACML policy to begin with?  That will depend on version but the sake of this blog entry I plan to stick with XACML 3.0.

2)      Role – Does the organization view the business or IT side of the house as the responsible party and more importantly, should they? 

3)      Technology – This is a question of whether we put the proverbial cart before the horse.  The question being what role the XACML coders themselves will have in the policy implementation?  Also, what technology are we using to write the policies, translate them and implement them?

Education

The IF statement is simple in that we wish to define the attributes and their associated values that will let me get to the THEN statement?  IF the user is located in RENO and has a title of SVP or IT Manager THEN…

Within XACML 3.0 we start off with the concept of Permit or Deny and add in to the mix Obligations and Comments.  Basically, what authorized actions can I take post-authentication (typically), what am I allowed to do (permitted or denied) and are there any hoops I have to jump through in addition to simply a Permit/Deny scenario.  This bit of confusion being the THEN statement.

ELSE should be self-explanatory but I will sum it up as follows, “If all else fails, do the following”.

You may be asking yourself why I bothered to write the above.  I did so because the folks writing policy may be doing so in MS Word or Excel.  So let’s segue into our Role conversation.

Role

This is the bigger question surrounding policy.  Should the business write the policies?  Should the IT group write the policies? Should the lawyers write the policies?  There is no simple answer but I can make a few suggestions I have found reasonable with previous customers. 

1)      If you have an IT or Business Governance group, they should be on the hook for policy.  In lieu of Governance, IT Security is a great place to start.

2)      Within Governance or Security, an SME is always welcome, followed by an IT Architect.  This has to be weighed with Functional vs. Technical.  I have met many IT Architects in my day and they fall into two buckets.  The Technical Architect is the person you want defining ports and protocols, services and well, technology.  The Functional Architect is the person who can and usually does, double as an Analyst.  A guiding force as it were along the lines of an SME.  The Functional Architect is the person you want meeting with your business and IT teams and pulling out the policies one tooth at a time.

3)      Once Policy has been built, and I truly mean built, through questionnaires, meetings and workshops, it needs to go to the business and IT teams for review and approval.

4)      Post approval I recommend a legal review and possibly a Governance review.  Make sure no HIPAA, SOX, FERC, etc. regulations have been violated and that proper Separation of Duties (SOD) exists.

Technology

So how are our Functional Architects supposed to deliver policies to the “Policy Administrators” that will implement them?  This really depends on the strength of your education to the business and IT units and the delivery your SME/Function Architect/Analyst is most comfortable with.  My own preference is to use a basic tool that will allow an easy understanding when presented to Auditors, Lawyers, and the Business.  This can easily be Microsoft Word, Excel or Access (all of which can be saved in XML format).  The goal being that these policies will need to be converted to XACML policies in either an editor or vendor application.  The policy administrators must be keepers of code from a create/change/remove perspective so that we have a built in checks and balance approach to Policy validation.  Whatever you do, stop before you write a line a code and determine if the steps outlined in the Role discussion above have been fulfilled.  The biggest mistake we make is implementing technology before we have defined what we are trying to implement in the first place.  Never code side by side while you are writing requirements.  There is an order to things that if followed results in less wasted work.

So whether you are deciding to bring in a vendor or go it alone in the XACML, ABAC, PBAC spaces just remember Policy is what you make it and if you plan it out effectively then there will be less roadblocks that lead you to project failure.

Looking for a PBAC, XACML and/or ABAC SME, Functional Architect, Analyst or Implementor?  Feel free to reach out to the IDMWorks ABAC team.

Tags: , , , , , , , , , , , , , ,
Posted in Attribute Based Access Control (ABAC), Best Practices, Policy Based Access Control (PBAC), XACML | No Comments »

The ABAC tie in to RBAC, RAdAC and SAML

Monday, September 19th, 2011

I was in a conversation recently in regards to Extensible Access Control Mark-up Language (XACML) and  Attribute Based Access Control’s (ABAC) role in Role Based Access Control (RBAC), Risk Adaptable Based Access Control (RAdAC) and Security Access Mark-up Language (SAML).  The question surrounded whether ABAC can or should replace the other Access Control models and/or the open standard languages.

The short answer is no, and well, kind of yes.

Let me expound upon my vagary if you will.

Role Based Access Control (RBAC)

To start with Role Based Access Control we should start with what works.   The RBAC tools on the market have an advantage of tying the Identity to a Role that can be used for high level access rights that don’t need to change all that often.  Aveksa, Sailpoint, Oracle Identity Analytics, etc. pride themselves on the ability to role mine your application stack and set the role to the associated entitlements.  This allows the organization to fulfill most security audits and allows for easy re-certification of said roles quarterly, bi-annually, annually or whatever the requirement states.  The failing, if you were to call it such, is that to change the entitlements typically becomes very intricate as the roles the organization has explodes.  This forces the governance model to keep roles shallow at best.

Where ABAC shines is by allowing a deeper, more fine-grained authorization model by using policy combined with attribute values in order to allow a level of authorization commensurate with the values presented.  To do this, ABAC essentially strips out the Identity and relies solely on those attribute values to make a decision.  This can extend an RBAC separation of duty (SOD) policy greatly and alleviate a lot of risk while making SOD decisions in real time.

So while “yes”, you can replace your RBAC vendor’s toolset with an ABAC solution the real question is why would you?  The tools work very well together and allow for a greater sum of their parts as opposed to their own private silos.  If I had my druthers within my customer sites I would have an Identity Provisioning system (to automate Identity creation and management) that ties into my RBAC vendor tool (to grant high-level entitlements and set automated recertification policy) that leverages my ABAC tool to authorize application access at a fine grained level (with perhaps an SSO tool to manage Authentication, which XACML/ABAC does not).

Risk Adaptive Based Access Control (RAdAC)

Ah RAdAC, the grand unknown!  RAdAC essentially is the process of taking information we know about the user, whether that is attributes, meta-data or some other method of taking a plethora (hopefully) of information, running said data into a risk engine algorithm and spitting out data to make a much more informed decision.  This is particularly important on highly classified systems.  In this case ABAC is a natural fit in conjunction with a RAdAC tool in which the RAdAC tool becomes the defacto decision engine with ABAC the data provider (potentially as this can be some data aggregator like a virtual directory) and the authorization enforcer.  ABAC vendors can enforce based on classifications (such as meta-tagging your data as “Secret”,  “Top Secret” and “Confidential”) and can run policy based on location or various credentials much in the same way a RAdAC system so you can replace but again the why comes into play here.  RAdAC vendor tools typically have a better risk engine to help you define the risk algorithms instead of having to determine the set, write the policy and hope it doesn’t change.  Once again ABAC plays nicely with the additional Access Control method.

Secure Access Mark-up Language (SAML)

This time let’s dissect Extensible Access Control Mark-up Language (XACML ) vs. SAML.  This really isn’t a “Vs.” situation.  SAML tends to be used in the Authentication side of the house with limits on how deep it can go into Authorization.  Try locking down individual attribute lines in a web based widget framework with SAML.  It isn’t going to happen, but that is OK.   The point to XACML when used in conjunction with SAML is that it can extend the security framework by providing a more robust Authorization framework (i.e. fine-grained).  So don’t throw away your Web SSO vendor integration yet.  Can you? Well, once again the answer is “yes”, but why would you?  Keep your infrastructure and expand.  ABAC should not be used as a rip and replace technology, it is a flexible architecture that can “add to” instead of “take away”.

Long story short, ABAC is the nice kid on the playground that plays by himself until someone walks up and asks him to play.  Then he plays well with others.

Questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Tags: , , , , , , , , , , , , ,
Posted in Access Management, Attribute Based Access Control (ABAC), Aveksa, Axiomatics, Best Practices, BiTKOO, Oracle Entitlements Server (OES), Oracle Identity Analytics, RAdAC, RBAC, Risk & Compliance, SAML, Single Sign On (SSO), XACML | No Comments »

Getting your PEP on: Creating a SharePoint 2010 Server Environment to apply an ABAC Solution On

Thursday, September 8th, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Very recently I was creating a SharePoint 2010 Server enviroment and thought I’d document the living hell out of it. The implementation was to run some tests of various vendor PEPs against and see how they faired. For you non-ABAC/XACML folks, the PEP, or Policy Enforcement Point, is the agent that intercepts a user request and runs it through the Policy and Attribute Service gamut.

If you are looking for a more robust version of what you see below, including screen grabs, feel free to reach out to us at IDMWorks.

(more…)

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Attribute Based Access Control (ABAC), SharePoint, Tips & Tricks | No Comments »

Axiomatics Announces Partnership with IDMWorks

Thursday, July 28th, 2011

http://www.prweb.com/releases/prweb8679070.htm

San Diego, CA (PRWEB) July 28, 2011

Axiomatics, the leading independent XACML authorization solution supplier, has just signed a partnership agreement with IDMWorks, the specialist in Service Oriented Architecture and Identity Management-based solutions.
The IDMWorks staff has extensive experience in every aspect of Identity and Access Management (IAM) for clients in the United States and Internationally. With 200+ successful projects delievered to Private and Public organizations, IDMWorks and their staff, set the defacto standard for IAM implementations. IDMWorks’ consultants are experts in addressing the business process issues encountered across the entire enterprise, including leading edge technologies such as XACML and SAML based authentication.
“We are thrilled to include Axiomatic’s XACML based authorization technology in our implementation service offerings. The solutions offered by Axiomatics are exactly what we are being asked for by our customers,” said Todd Rossin, Managing Partner and Co-Founder of IDMWorks. “Our knowledge of XACML and Externalized Authorization Management (EAM) is currently benefitting many of our customers and we expect continued demand for EAM services in Cloud IAM environments.”
Successful IAM deployments rely on a combination of robust technologies and competent professional services. “This partnership enables us to offer our customers the support of IDMWorks’ exceptional professional competencies and experience, especially in the public sector,” said Gerry Gebel, President of Axiomatics Americas. “The IDMWorks staff has a proven track record of thought leadership and successfully delivered projects leaving us with the assurance that our customers will obtain the best possible service delivery.”

About Axiomatics
Axiomatics, located in Stockholm, Sweden, is the leading provider of fine-grained and attribute-based authorization (ABAC) solutions. The company has a global customer base within healthcare, finance, manufacturing and the public sector, among others. The Axiomatics Policy Server (APS) protects systems against unauthorized use while enabling proper sharing of information within and across enterprise borders. Axiomatics actively contributes to the development of the XACML standard and has editorial responsibilities within the OASIS Technical Committee.

About IDMWorks
IDMWorks, established in 2004, recognized the need for IAM full lifecycle Implementation and Advisory services and developed a dedicated practice. IDMWorks specializes in a ‘Business Transformation’- focused approach to the implementation of Service Oriented Architecture and Identity Management based solutions. They are experts in helping organizations build real-world business solutions in Identity and Access Management. Visit http://www.idmworks.com and http://www.idmworks.com/blog to learn more.

Tags: , , , , , , , , ,
Posted in Attribute Based Access Control (ABAC), Axiomatics, IDMWorks | 1 Comment »

Things that make us Smile

Wednesday, July 27th, 2011

From our friend and a true IdMRockstar, Adam Callen:

What works? IDMWorks!

Feel free to reach out to us any time at IDMWorks!

Tags: , , , , , ,
Posted in IDMWorks, Oracle | No Comments »

RSA hacking fallout!

Wednesday, July 13th, 2011

The RSA hack that occurred on May 24th is having resounding fallout in the form of hacking using cloned devices.  When we first blogged about the hack the question was what did the hackers actually make off with and was it enough to cause serious damage.  The answer, as it turns out, is a resounding, “YES”.   Subsequent hacks against Lockheed Martin, L-3 Communications and Northrop Grumman have forced RSA to start replacing those fun little two-factor authentication SecurID tokens.

Per RSA:

  • RSA will replace the SecurID tokens for customers that need to protect their intellectual property and corporate networks, which in essence could apply to all of the company’s customers.
  • RSA is offering to set up specific “risk-based authentication strategies” for customers with a large number of users who typically conduct online financial transations.
Yikes!

Thoughts?  Sound off below or feel free to reach out to us at IDMWorks.

Tags: , , , , , , ,
Posted in RSA SecurID, Security & Risk | No Comments »

Cyberthreat: Sony gets Hit (yet again) and User Data gets Posted (yet again)

Friday, June 3rd, 2011

Someone seems to be really, really, really angry with Sony.  This time the hack grabbed and published @ 1 million customer names, passwords, email addresses, phone numbers, home addresses and even birthdays.  Youch!

There was the big PlayStation Network hit that took over 77 million accounts and shut down the PSN network that is still struggling to come back to full capacity.  A second attack occurred on it’s Sony Online Entertainment network that took down 25 million more accounts.  Sony Music Greece was next with 8300 users’ info grabbed and posted e-mails, phone numbers, and passwords.  Then came Sony Music Entertainment Japan with another 8000 posted e-mails, phone numbers, and passwords.

Why Sony came into the cross hairs of  the black hat hacking community is anyone’s guess but for whatever reason they did.  Hopefully Sony is opening up the wallet to ensure this does not happen in the future (which in the short term is an inevitability, but perhaps in the long term it can be averted).

At a minimum PBS, Google and a host of other firms that were recently hacked are probably happy that the ongoing Sony salvos are taking the media heat somewhat off of their shoulders.

As for the message in all of this, one can only sit and wonder, in this age of of the growing federations between us, the consumer, and the multitude of services we subscribe to, including, but not limited to, online banking, online bill payment, online shopping, online entertainment, and online social networking, how long it will take before all of our information becomes public knowledge.  And in this I don’t mean our names and addresses but our credit cards and financial data, passwords and complete online history.  As of now, it pretty much is happening already but we really haven’t seen anything yet as the information being acquired has only scratched the surface in the damage it can really cause all of us.

Hopefully the IT Security World can keep up, for as of now, it is falling behind.

Comments or Concerns? Feel free to post below or as always to reach out to us at IDMWorks.

Tags: , , , , ,
Posted in Security & Risk | No Comments »

Apple iCloud is on it’s Way

Tuesday, May 31st, 2011

With Apple venturing into the Cloud space with iCloud the market is about to get very interesting indeed.  The expectation is that Apple will utilize their Cloud functionality much in the way Amazon intended as both a music and data storage center.  With Apple involved the Cloud computing platform will no doubt get increased notoriety.  Just look at Apple’s foray into the MP3, Smart Phone and Tablet market.  In all three cases Apple was, if anything, a late-comer to a market that was already seemingly saturated while under-performing.  In all three cases Apple dominated the respective field shortly after introducing their wares.  One can reasonably surmise that iCloud will be no different.  This can be a good thing for all involved as the Apple circus will bring to bear an increase in technological pressure on the other players to keep up which only makes us, the consumer, the beneficiaries.

So where does that leave security?  One of the biggest issues with the Cloud vendors thus far is security, or lack there-of. The Apple model will be interesting to follow.  In this age of what seems like daily, large scale hacks, the consumer, both corporate and individual, have to be concerned about the ability to keep their private…well…private.

So where does this leave us?  In a very interesting moment in time I’d say.  With Apple’s foray into the Cloud the security space will need to adjust and grow up very quickly.  For this I give Apple mad props.

Questions? Feel free to reach out to us at IDMWorks.

Tags: , , , , , , ,
Posted in Apple, Cloud Computing, Security & Risk | No Comments »

A Basic ABAC (Attribute Based Access Control) Primer

Thursday, May 26th, 2011

What is ABAC?

Attribute Based Access Control is an effort to shift the paradigm of granting resource access to a specific user to granting access based on the value of a user’s attributes.  While user authentication is still required the access is no longer granted via a specific ACL.  Instead at the point of authentication a decision is made based on the value of specific attributes whether or not access should be granted.

This approach significantly decreases the administration required to maintain data security.  It also ensures that data is available real time to those who need it and are authorized to view/use it.  No longer are provisioning request required in order to gain access to the data since access is evaluated and granted real time.

ABAC provides particular advantages when it is deployed in a Federated environment.  Access is determined by the agreement between the two entities (business, organizations, governments, etc…) and then is enforced by the Policy Enforcement Point (PEP) at the time of access.  Each entity maintains autonomous control of their identities.

For the public and private sector, the policies, the attributes, and metadata need to be defined to ensure seamless operation and protect information assets.  This allows the enterprise to leverage attributes, metadata, and digital policies to secure access to resources in a flexible and robust decision and enforcement mechanism.  ABAC enables the transition away from access control based solely on identity through evaluating and enforcing policies by leveraging enterprise sources of access control policies, attributes, and data in support of dynamic operating environments.

Why ABAC Matters

ABAC can facilitate secure information sharing by providing a greater emphasis on leveraging policies, attributes, and metadata to allow access to information in a controlled manner.  Think RBAC (role Based Access Control) down to a fine-grained level through access control decisions and enforcement with interfaces for certificate validation, policy retrieval, and attribute retrieval.

Using ABAC, digital policies are defined and managed by policy administrators to protect specific resources.  By doing so the decision and enforcement rules can be removed from the systems administrator layer of the enterprise and into the control and governance branch of enterprise.

The policies can then be derived from compliance and information assurance regulations defined by HIPAA, Sarbanes-Oxley, FERC, HSPDs, etc.  ABAC thus enables a flexible means of securely sharing and protecting information through the enforcement of policies applicable to specific resources.

Access to information will then be governed by policies that can be rapidly created, modified, and consumed by IT systems.  The policies will define the rules and conditions under which someone is authorized for access by using user characteristics, or attributes, and resource characteristics, or metadata, as opposed to membership to a resource ACL.

ABAC Components:

Component Description
Policy Enforcement Point (PEP) The PEP, similar to a Policy Agent or Webgate (for you SSO folks out there) intercepts user requests to resources and enforces access control decisions.  The PEP’s main function is to grant or deny user access to the resource and enforce workflow obligations or constraints on the interaction.  The PEP can also support user authentication, by checking the status of a user’s credentials and verifying authentication assertions.
Policy Decision Service (PDS)  

Or

Policy Decision Point (PDP)

 The primary function of the PDS is to render an access control decision based on a policy.  This is calculated through access control decisions based on the security context of the interaction between the user and the application or resource being protected.  The security context is comprised of access control parameters including policies, user attributes, resource metadata, and environment attributes.  The PDS can retrieve the access control parameters from sources at various levels of the enterprise to render a decision.
Policy Service (PS) The PS retrieves access control policies from a policy store.  Typically, the PDS will use the PS to request the applicable policies pertaining to the security context of a transaction.  Rules typically are utilized in a collection, known as Policies to be called up by the PS.  If you can build a basic IF, THEN, ELSE statement then you can build rules for your policies.
Attribute Service (AS) The AS retrieves user information from an attribute store.  The AS retrieves user information associated with a user from variety of authoritative identity stores including, but not limited to, LDAP and database stores.

ABAC Basic Flow (as in very basic, does not include Certificate Verification Services):

Basic ABAC Flow

Basic ABAC Flow

The only thing I left out is a PAP, a Policy Administration Point.  Essentially an interface to create and maintain Policies.  This can reside on a separate server or client machine depending on vendor.  In certain cases, the PAP is nothing more than an XML editor.

Questions, comments or concerns are always welcome.  Feel free to reach out to us at IDMWorks.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Attribute Based Access Control (ABAC), RBAC, XACML | No Comments »

Testing Your ABAC (Attribute Based Access Control) Solution

Thursday, May 26th, 2011

When testing your ABAC (Attribute Based Access Control) or PBAC (Policy Based Access Control) vendor solutions you have or will have a few items to consider.  The chief one being, will what we have bought or built suit our needs?

As was stated in an earlier blog, there are quite a few vendors to start looking at in the ABAC field including Axiomatics, Bitkoo, Oracle, CA, Jericho Systems,Vordel, Cisco, Siemens, Epok, Layer 7, Quest, Pericore, NextLabs and IBM.

But for today’s entry I wanted to throw out a few tools I have worked with to test the messaging between the PEP (Policy Enforcement Point), the PDP/PDS (Policy Decision Point/Service), the Attribute Stores and the Policy Services.

I realize a quick list only scratches the testing service as fully defined test cases building off of both operational and system requirements is a necessity but I wanted to highlight a few tools and their basic functionality for those about to go down this path.  Feel free to sound off below and add your own tools and test mechanisms.  I might just update to entry to reflect them.

Tool Description
Parasoft SOATest
  • Used to conduct functional, operational, and performance testing
  • Used to test message layer functionality by utilizing Web Service Description Language (WSDL) to generate client tools to automate testing for Web services
  • Used to record end-user Web application interactions for playback to examine system behavior and performance
Parasoft Load Test Verifies application performance and functionality under heavy load. Existing end-to-end functional tests are leveraged for load testing, removing the barrier to comprehensive and continuous performance monitoring.
TCPMon Used to monitor traffic on TCP connections
Wireshark Used as a network protocol analyzer for Unix and Windows
soapUI Used to conduct functional testing of Web Services including SOAP and REST
NMAP Used to capture IP packets to determine what services (application name and version) the vendor applications are utilizing
NCES CTK Used  for testing coverage for the service request and the service response within NCES

The long and short of it is that you want to have the ability to test SOAP, SAML and most importantly XACML messaging within your solution

As always, questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Tags: , , , , , , , , , , , , , , , , , , , , , ,
Posted in Attribute Based Access Control (ABAC), Best Practices, XACML | No Comments »

« Older Entries