2023 Identiverse - Enforcing consent conformance in your authorization logic with a fine-grained permissions model -final - 20230531.pdf
Jean-François Lombardo
35 slides
May 15, 2024
About This Presentation
This presentation, given at Identiverse 2023, shows how to enforce the consent acquired from a data subject as access control policies that can be used in a fine-grained authorization strategy.
Slide Content
Enforcing consent conformance in your authorization logic with a fine-grained permissions model
Identity reminder…
A Principal has one or more Accounts; an Account has been assigned attribute(s), credential(s) and entitlement(s).
Identification = defining (the assigned attributes).
Authentication = using the assigned authenticator(s) (credentials).
Authorization = checking the assigned permission(s) (entitlements).
Standards of Digital Identity
Figure: a stack of standards, from strong cryptography at the bottom, through TLS / mTLS, HTTP and AWS SigV4A, up to identity standards and predicate standards on top.
Roles are static, so we need more…
RBAC – Role Based Access Control
Figure: a user authenticates and accesses the application; roles Blue, Orange, Yellow, Pink and Red each carry permissions (P) on Resource 1, Resource 2, Resource 3 … Resource N.
As requirements diverge, the roles multiply into near-duplicates (the slide shows a wall of roles that differ only by colour shade: #ff4b3e, #ff3633, #ff1c07, #ff2934, #ff47da, #ff0dcf, #ff5efc, #d621ff, #f4ff27, #f4ff75, #ffed94, #fff12a, #ffaa48, #ffbd83, #ff8b10, #ffdd34, #55daff, #1cf4ff, #36b5ff).
All applications need to be role aware via updates.
How can our applications handle this kind of explosion?
ABAC – Attribute Based Access Control
Figure: a user authenticates and accesses the application; users and resources carry tags (Blue, Orange, Yellow, Pink, Red) that stand for attributes such as Team = Blue, Location = Orange, Project = Yellow, Project = Pink, Department = Red.
Rule: if user tag colour == resource tag colour, then P (permission).
Rules grow based on context growth…
All applications need to be rule aware via updates.
How can our applications handle this kind of explosion?
Contextual attributes pile up: up to date, enrolled by enterprise, used two-factor AuthN, location is Montreal, QC, no previous AuthN failure…
…and the rules follow: must be 2FA authenticated, and must be from a known location, and must encompass past behavior.
Good but not good enough
We also need:
•One language of expression to rule them all
•One source of truth to homogenize them all
RBAC: pre-packaged groups of entitlements
ABAC: dynamic access control based on contextual information
PBAC – Policy-based access control
•Fine-grained: access defined down to the level of individual resources and users
•Scalable: easier to understand and maintain
•Dynamically manageable from runtime
•Does not require application code changes
PBAC – Core of a Zero Trust strategy
NIST SP 800-207 (2020), 3.1.1 ZTA Using Enhanced Identity Governance: "Individual resources or […] components protecting the resource MUST have a way to forward requests to a policy engine […] and approve the request before granting access."
DoD Zero Trust Strategy and Roadmap (2022): "Never Trust, Always Verify Explicitly. Treat every user, device, and application as untrusted and unauthenticated. Authenticate and explicitly authorize to the least privilege using dynamic security policies."
M-22-09 (2022): "Using centrally managed systems to provide enterprise identity and access management services […] allowing agencies to more uniformly enforce security policies that limit access."
PBAC – OK but in which mode?
•Centralized: main objective is Governance, main gain is Accuracy
•Decentralized: main objective is Enforcement, main gain is Latency
•Distributed: main objective is Definition, main gain is Dynamism
PBAC – OK but which one?
Figure: the access control models (Mandatory Access Control, Role Based Access Control, Attribute Based Access Control, Policy Based Access Control) laid out against predicate standards and identity standard attempts, with the candidate policy languages and models: XACML, Cedar, Rego, Zanzibar, NGAC.
Problem with consent management
Data Privacy regulations are the new normal
•GDPR
•CCPA
•ePrivacy
•LGPD
•QC-L25 / C-27
•and many more…
Data Privacy principle in one line
"Ensure that only the principals that shall have justified access to Personal Information effectively have access to it."
And consent management guidance is mostly about the visible, surface-level part: the Data Processing Impact Assessment and consent collection.
But consent management is more than that. Much more sits under the surface:
•Who has access to what?
•Who did access what?
•Do we keep this data or not?
•Who did consent to what?
•Can you prove who consented?
How much does Consent differ from Policy?
•Consent evaluation and policy evaluation are both required to allow access to data
•Consent is scoped, and so is an authorization policy
•Consent is time-bound, whereas for policies… it is more complicated
•Consent has a granter and a grantee; a policy mostly has only a grantee
Promoting Consent as a first class Authorization Policy
We need to expand a policy to be Consent aware. A policy today carries a grantee, a scope and time boundaries; consent adds the granter.
We can bind an object to consent through: granter, grantee, scope, time boundaries, integrity assurance.
Let's apply that to Authorization policies: the policy carries the same five elements, granter, grantee, scope, time boundaries and integrity assurance.
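The five elements above, as an added example that is not code from the talk or from TinyTodo: a consent record with granter, grantee, scope and time boundaries, plus an HMAC tag as the integrity assurance, and an evaluation routine that verifies the tag before it trusts any other field. The field names, the HMAC construction, the signing key and the sample records are assumptions made for illustration.

```python
"""Consent modelled as a first-class object: granter, grantee, scope,
time boundaries and an integrity tag the policy engine verifies before
it trusts any of the other fields.

Added example, not code from the talk or from TinyTodo. Field names,
the HMAC construction, the key and the sample records are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace

# Hypothetical key of the consent service that issues records.
# In a real deployment it lives in a KMS/HSM, never in source.
CONSENT_SIGNING_KEY = b"example-key-do-not-use-in-production"


@dataclass(frozen=True)
class Consent:
    granter: str        # data subject who gives consent
    grantee: str        # principal who receives access
    resource: str       # what the consent covers
    scope: frozenset    # actions consented to, e.g. {"read"}
    not_before: int     # epoch seconds, inclusive
    not_after: int      # epoch seconds, exclusive


def canonical_bytes(consent: Consent) -> bytes:
    """Deterministic serialisation (sorted keys, sorted scope, no whitespace)
    so equal consents always produce the same tag."""
    fields = asdict(consent)
    fields["scope"] = sorted(fields["scope"])
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_consent(consent: Consent, key: bytes = CONSENT_SIGNING_KEY) -> str:
    return hmac.new(key, canonical_bytes(consent), hashlib.sha256).hexdigest()


def verify_consent(consent: Consent, tag: str, key: bytes = CONSENT_SIGNING_KEY) -> bool:
    # constant-time comparison of the recomputed tag against the presented one
    return hmac.compare_digest(sign_consent(consent, key), tag)


def consent_allows(consent, tag, principal, action, resource, now):
    """Evaluate one signed consent for one request.
    Integrity is checked first so a tampered record never reaches the
    granter/grantee/scope/time checks. Returns (decision, reason)."""
    if not verify_consent(consent, tag):
        return False, "integrity check failed"
    if consent.grantee != principal:
        return False, "principal is not the grantee"
    if consent.resource != resource:
        return False, "resource not covered by this consent"
    if action not in consent.scope:
        return False, "action outside consented scope"
    if not consent.not_before <= now < consent.not_after:
        return False, "outside consent time boundaries"
    return True, "consent valid"


# Constructed sample: alice (granter) lets bob (grantee) read her record
# for one week, starting at epoch 1_700_000_000.
ALICE_TO_BOB = Consent(granter="alice", grantee="bob", resource="record/alice",
                       scope=frozenset({"read"}),
                       not_before=1_700_000_000, not_after=1_700_604_800)
ALICE_TO_BOB_TAG = sign_consent(ALICE_TO_BOB)

# Constructed tampering attempt: widen the scope but keep the original tag.
WIDENED_SCOPE = replace(ALICE_TO_BOB, scope=frozenset({"read", "write"}))

if __name__ == "__main__":
    now = 1_700_100_000
    print(consent_allows(ALICE_TO_BOB, ALICE_TO_BOB_TAG, "bob", "read", "record/alice", now))
    print(consent_allows(WIDENED_SCOPE, ALICE_TO_BOB_TAG, "bob", "write", "record/alice", now))
```

The order of checks is the point: a granter is only meaningful if the record provably came from the consent service, so the integrity tag is verified before the grantee, scope or time window are looked at. The tag is an HMAC here because it is the smallest construction that shows the idea; a deployment where the evaluating engine and the consent service are different trust domains would use a signature instead.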
Integrating consent based Authorization in user experience
Let's share things!
TinyTodo: an example application to learn Cedar, a new language for expressing Authorization rules. Find it at: https://bit.ly/429kWI4
1. Basic bootstrapping of Authorization – Default deny
2. Allowing Groups to privileged actions – RBAC
3. Sharing with individuals – ABAC
4. Sharing with individuals (continued) – ABAC and consent
Demo – A tale of two sharings
3. Sharing with individuals – ABAC
4. Sharing with individuals (continued) – ABAC and consent
Key elements for your AuthZ strategy
Align with the PARC mental model: Principal, Action, Resource, Condition. It is easier for humans to review, and more efficient for systems to review and enforce (1): more than 1 billion calls per second (2).
(1) https://www.youtube.com/watch?v=6DX7p-OirGU
(2) in 2021, for more: https://youtu.be/8_Xs8Ik0h1w?t=3053
Build policies over 3 layers
•Application Owner policies, defined at integration: "Allow any Resource owner read, write, update, delete, share on Resource"
•End-user policies, defined at runtime: "As Resource owner PrincipalA, allow PrincipalB for read on Resource"
•Security policies, defined at deployment: "Forbid any User share Resource outside of Resource Tenant"
Bake scope and time-boundaries into policies
Traditional OAuth2 token validation process: the Access Token carries { sub } and { scp }; the HTTPS Request carries { Method }, { Path } and { timeEpoch }. Those values are the scope and time inputs the policies should evaluate, rather than something the application checks on its own beside the policy engine.
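The three policy layers and the token-derived scope and time inputs, evaluated over one PARC request, as an added example that is neither the TinyTodo code nor the Cedar library. It follows the order of the demo steps (default deny, then application-owner permits, end-user consent permits and security forbids); the decision rule, any matching forbid denies, otherwise a matching permit is required, otherwise deny, is Cedar's. The entity store, the policy shapes, the context keys and the sample data are assumptions.

```python
"""Three policy layers evaluated over one PARC request, in the order the
talk's demo steps build them up: default deny, then application-owner
permits, end-user (consent) permits and security forbids. The decision
rule (any matching forbid denies; otherwise at least one matching permit
is required; with neither, deny) is Cedar's.

Added example, not the TinyTodo code or the Cedar library. Entity store,
policy shapes, context keys and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    principal: str
    action: str
    resource: str
    context: dict  # token claims ({sub}, {scp}) and request data ({timeEpoch}, share target)


@dataclass(frozen=True)
class Policy:
    effect: str    # "permit" or "forbid"
    layer: str     # "application-owner", "end-user" or "security"
    matches: Callable[[Request], bool]


# Constructed entity store: owner of each resource, tenant of each principal/resource.
OWNER = {"record/alice": "alice", "record/dave": "dave"}
TENANT = {"record/alice": "t1", "record/dave": "t2",
          "alice": "t1", "bob": "t1", "carol": "t2", "dave": "t2"}
OWNER_ACTIONS = {"read", "write", "update", "delete", "share"}


# Layer 1 (defined at integration):
# "Allow any Resource owner read, write, update, delete, share on Resource"
def owner_may_manage(req: Request) -> bool:
    return req.action in OWNER_ACTIONS and OWNER.get(req.resource) == req.principal


# Layer 3 (defined at deployment):
# "Forbid any User share Resource outside of Resource Tenant"
def share_crosses_tenant(req: Request) -> bool:
    return (req.action == "share"
            and TENANT.get(req.context.get("target")) != TENANT.get(req.resource))


# Layer 3: token scope baked in. The token must be bound to the calling
# principal and its scp claim must cover the requested action.
def token_outside_request(req: Request) -> bool:
    return (req.context.get("sub") != req.principal
            or req.action not in req.context.get("scp", ()))


# Layer 2 (defined at runtime): one consent record becomes one end-user permit,
# with the consent's scope and time boundaries evaluated against the request.
def consent_permit(consent: dict) -> Policy:
    def matches(req: Request) -> bool:
        return (consent["granter"] == OWNER.get(req.resource)   # only the owner can grant
                and consent["grantee"] == req.principal
                and consent["resource"] == req.resource
                and req.action in consent["scope"]
                and consent["not_before"] <= req.context["timeEpoch"] < consent["not_after"])
    return Policy("permit", "end-user", matches)


# Constructed sample consent: "As Resource owner alice, allow bob for read on
# record/alice", valid for one week from epoch 1_700_000_000.
ALICE_TO_BOB = {"granter": "alice", "grantee": "bob", "resource": "record/alice",
                "scope": {"read"}, "not_before": 1_700_000_000, "not_after": 1_700_604_800}

POLICIES = [
    Policy("permit", "application-owner", owner_may_manage),
    Policy("forbid", "security", share_crosses_tenant),
    Policy("forbid", "security", token_outside_request),
    consent_permit(ALICE_TO_BOB),
]


def is_authorized(req: Request, policies=POLICIES):
    """Returns (decision, layers that determined it). Forbids are evaluated
    first and win; no matching permit means the default deny applies."""
    forbids = sorted({p.layer for p in policies if p.effect == "forbid" and p.matches(req)})
    if forbids:
        return "deny", forbids
    permits = sorted({p.layer for p in policies if p.effect == "permit" and p.matches(req)})
    return ("allow", permits) if permits else ("deny", [])


def request(principal, action, resource, sub=None, scp=("read", "write", "share"),
            time_epoch=1_700_100_000, target=None) -> Request:
    """Builds a request whose context mimics what token validation hands over:
    {sub} and {scp} from the access token, {timeEpoch} from the HTTPS request."""
    context = {"sub": sub or principal, "scp": set(scp), "timeEpoch": time_epoch}
    if target is not None:
        context["target"] = target
    return Request(principal, action, resource, context)


if __name__ == "__main__":
    for req in (request("alice", "read", "record/alice"),
                request("bob", "read", "record/alice"),
                request("alice", "share", "record/alice", target="carol")):
        print(req.principal, req.action, req.resource, "->", is_authorized(req))
```

Two things the slide cannot show and the code does: the end-user layer only turns into a permit when the granter is the actual owner of the resource (a consent signed by someone else grants nothing), and the token's `scp` and the request's `timeEpoch` are just context the policies read, so the application never has to hard-code a scope check next to the policy engine. The returned layer list is what a reviewer or auditor asks for: not only "deny", but which layer decided it.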
Unblock capabilities
Review entitlements through a graph: directed acyclic representations can show more than standard queries, such as every path by which a principal reaches a permission and who, including by consent, granted it.
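An added example of such a graph review, not code from the talk or from TinyTodo: a small directed acyclic graph of principals, groups, roles, consents and permissions, with a forward query ("what can this user reach, and by which path"), a reverse query ("who can reach this permission"), a consent-provenance lookup for the "who did consent to what" question, and a cycle check, since the review answers only hold on a DAG. The edge kinds, the node naming scheme and the sample graph are assumptions.

```python
"""Entitlement review over a directed acyclic graph.

Added example, not from the talk or from TinyTodo. Edge kinds, node names
and the sample graph are assumptions. Edges: principal -member_of-> group,
principal/group -has_role-> role, role -grants-> permission,
principal -granted_by-> consent, consent -grants-> permission,
consent -granter-> principal (provenance only, never traversed).
"""
from collections import deque

TRAVERSABLE = {"member_of", "has_role", "granted_by", "grants"}

# Constructed sample graph: node -> list of (edge_kind, target).
GRAPH = {
    "user:bob": [("member_of", "group:support"), ("granted_by", "consent:alice->bob")],
    "user:carol": [("member_of", "group:support"), ("has_role", "role:admin")],
    "group:support": [("has_role", "role:reader")],
    "role:reader": [("grants", "read:record/dave")],
    "role:admin": [("has_role", "role:reader"), ("grants", "delete:record/dave")],
    "consent:alice->bob": [("granter", "user:alice"), ("grants", "read:record/alice")],
}


def effective_access(graph, principal):
    """BFS from a principal along entitlement edges. Returns
    {permission: path of nodes}, so every grant comes with its explanation."""
    parent = {principal: None}
    queue = deque([principal])
    found = {}
    while queue:
        node = queue.popleft()
        for kind, target in graph.get(node, []):
            if kind not in TRAVERSABLE or target in parent:
                continue
            parent[target] = node
            if kind == "grants":
                path, cur = [], target
                while cur is not None:
                    path.append(cur)
                    cur = parent[cur]
                found[target] = list(reversed(path))
            else:
                queue.append(target)
    return found


def who_can(graph, permission):
    """Reverse query: every user node from which the permission is reachable."""
    reverse = {}
    for src, edges in graph.items():
        for kind, dst in edges:
            if kind in TRAVERSABLE:
                reverse.setdefault(dst, []).append(src)
    seen, stack, users = set(), [permission], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node.startswith("user:"):
            users.add(node)
        stack.extend(reverse.get(node, []))
    return sorted(users)


def consented_by(graph, path):
    """For a path that goes through a consent node, return the granter:
    the answer to 'who did consent to what'. None for role-based paths."""
    for node in path:
        if node.startswith("consent:"):
            return next(t for k, t in graph[node] if k == "granter")
    return None


def is_acyclic(graph):
    """Entitlement graphs must be DAGs: a role that reaches itself would make
    the review answers above meaningless. Plain DFS colouring."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}

    def visit(node):
        colour[node] = GREY
        for kind, target in graph.get(node, []):
            if kind not in TRAVERSABLE:
                continue
            c = colour.get(target, WHITE)
            if c == GREY or (c == WHITE and not visit(target)):
                return False
        colour[node] = BLACK
        return True

    return all(visit(n) for n in graph if colour.get(n, WHITE) == WHITE)


if __name__ == "__main__":
    for perm, path in effective_access(GRAPH, "user:bob").items():
        print(perm, "via", " -> ".join(path), "| consented by:", consented_by(GRAPH, path))
    print("who can read:record/dave:", who_can(GRAPH, "read:record/dave"))
    print("acyclic:", is_acyclic(GRAPH))
```

A plain "does bob have read on record/alice" query answers yes or no; the path returned here answers how (through a consent node rather than a role) and the provenance edge answers on whose authority, which is what an auditor, and the data subject, will ask for.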
Generate proof of consent, for auditors and for data subjects.
Consent Receipt Specification, Version 1.1.0, editors Mark Lizar and David Turner: https://kantarainitiative.org/file-downloads/consent-receipt-specification-v1-1-0/
Try Cedar, it is Open Source: SDK, documentation and examples at https://github.com/cedar-policy
How we built Cedar with automated reasoning and differential testing
Your turn to play
Blog posts to learn more:
•Amazon Verified Permissions, our own managed Cedar-oriented policy engine
•Using Open Source Cedar to write and enforce custom AuthZ policies: a blog post to implement your first application using Cedar for authorization
AWS Community Builders: join the AWS Community Builders program to build relationships with AWS product teams, AWS Heroes, and the AWS community