Don't Ask for Forgiveness, Ask for Permission

David Brossard, 42 views, 28 slides, Jul 15, 2024

About This Presentation

All companies can relate to the amount of time and resources it takes to situate employees into new roles, onboard new hires, and especially go through the process of recertification. What tends to come out of recertification is the unfortunate entitlement or access creep that enables that extra acc...


Slide Content

Don’t Ask for Forgiveness, Ask for Permission! David Brossard, CTO, Axiomatics

IAM and OWASP in the Cybersecurity Landscape
David Brossard, CTO, Axiomatics; OpenID AuthZEN Co-Chair

They’re everywhere…

They’re out to get you

They look innocent

They’ll drain your bank account

They’ll gobble every cookie…

And they won’t (always) even ask for permission

Dad, can I eat all the 🍦?

Authorization Models

Runtime: ABAC, Graph, MAC; Attributes, Policies, P*P; AuthZEN, ALFA, OPA
Admin-time: ACLs, RBAC, DAC; Roles, Groups, Entitlements; NIST RBAC
Event-time: Event-driven framework; Shared Signals, Listeners…; CAEP, Shared Signals

Admin-time Authorization
- Assign users the roles and entitlements they need
- Requires a mature joiner-mover-leaver process to keep configuration up-to-date
- Requires Identity & Access Governance (IAG) to run regular audits and verify that no one has rights they shouldn’t have
OWASP A01:2021 – Broken Access Control: “Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.”

If you give a mouse a cookie OAuth Token

Access Creep & Token Bloat

New times require new techniques
- Zero Trust
- Principle of Least Privilege
- Continuous Access
Requirements from the Government:
- DevSecOps Continuous Authorization Implementation Guide
- Department of Defense (DoD) Cybersecurity Reference Architecture
- Department of Defense (DoD) Zero Trust Reference Architecture
- CISA's Zero Trust Maturity Model Version 2.0
- NIST SP 800-207 - Zero Trust Architecture

Runtime Authorization
- Check for access at runtime
- ABAC, PBAC, Graph all enable runtime access
- OpenID AuthZEN standard for PEP-PDP
- ALFA for policies

OpenID AuthZEN: Providing Interoperability between approaches
- Different authorization implementations (graph, ABAC…) do not all use the same interface
- Most are 90% the same
- Within the OpenID AuthZEN Working Group, we decided to standardize across all solutions
- Step 1: Simple Permit/Deny request/response protocol
- Step 2: Multiple decision approach: bundle multiple requests into a single one and receive multiple decisions back
- Other WIP: Design patterns (integration with OAuth-style approaches); Support obligations in responses; ‘Search’ API
Do you want to take part? OpenID AuthZEN
- Grab a DeLorean and join us at the Identiverse AuthZEN Interop on 5/28 in Vegas.
- Try the Axiomatics AuthZEN PDP at https://pdp.alfa.guide and using the Postman Collection

A Policy-Driven Approach to Authorization
- Managers can view their customers’ bank accounts
- A customer can view their own bank account
- A customer can close their bank account
- A customer can view the account for a dependent (minor, senior citizen)
Diagram labels: API, App Code, GET /accounts/123

A Policy-Driven Approach: ALFA

    policyset accounts {
        target clause attributes.objectType == "account"
        apply firstApplicable
        policyset viewAccounts {
            target clause Attributes.actionId == "view"
            apply firstApplicable
            managers
            customers
        }
        policy closeAccounts {
            target clause user.role == "customer" and Attributes.actionId == "close"
            apply firstApplicable
            // A customer can close their bank account
            viewAccounts.customers.ownAccount
        }
    }
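Added example, not from the slides or from Axiomatics: a toy PDP in Python that enforces the four bank-account rules of the "Policy-Driven Approach" slide with first-applicable combining and deny by default, and exposes them through the AuthZEN-style single evaluation and bundled "evaluations" calls described on the AuthZEN slide. The request/response shape (subject/resource/action/context in, a boolean decision out), the sample users and accounts, and the HTTP-method-to-action mapping in the PEP helper are all assumptions.

```python
# Added example (not the slides' code): toy AuthZEN-style PDP for the bank-account
# policy. Request/response shape and sample data are assumptions, not the standard text.

# Constructed sample attribute store (not from the slides).
USERS = {"bob": "customer", "tim": "customer", "mia": "manager", "eve": "customer"}
ACCOUNTS = {"123": {"owner": "bob", "manager": "mia"},
            "456": {"owner": "tim", "manager": "mia"}}
DEPENDENTS = {"bob": {"tim"}}  # bob is the guardian of minor tim

def managers_view(subject, action, account):
    # Managers can view their customers' bank accounts
    if USERS.get(subject) == "manager" and action == "view" \
            and account["manager"] == subject:
        return "permit"
    return None  # NotApplicable: fall through to the next rule

def own_account(subject, action, account):
    # A customer can view or close their own bank account
    if USERS.get(subject) == "customer" and action in ("view", "close") \
            and account["owner"] == subject:
        return "permit"
    return None

def dependent_account(subject, action, account):
    # A customer can view the account of a dependent (minor, senior citizen)
    if USERS.get(subject) == "customer" and action == "view" \
            and account["owner"] in DEPENDENTS.get(subject, ()):
        return "permit"
    return None

RULES = [managers_view, own_account, dependent_account]  # firstApplicable order

def evaluate(req):
    """One evaluation: first applicable rule wins; anything else is deny by default."""
    account = None
    if req["resource"]["type"] == "account":
        account = ACCOUNTS.get(req["resource"]["id"])
    if account is not None:
        for rule in RULES:
            decision = rule(req["subject"]["id"], req["action"]["name"], account)
            if decision is not None:
                return {"decision": decision == "permit"}
    return {"decision": False}

def evaluations(bundle):
    """Step 2 on the AuthZEN slide: many requests in, one decision per request back."""
    return {"evaluations": [evaluate(r) for r in bundle["evaluations"]]}

def pep_request(user, method, path):
    """PEP side: turn 'GET /accounts/123' into an evaluation request (mapping assumed)."""
    action = {"GET": "view", "DELETE": "close"}[method]
    return {"subject": {"type": "user", "id": user},
            "resource": {"type": "account", "id": path.rsplit("/", 1)[-1]},
            "action": {"name": action}, "context": {}}
```

Because every rule returns either "permit" or NotApplicable, an unknown account, an unknown user or an action no rule mentions all end in the default deny, which is the A01:2021 point from the admin-time slide.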

ABAC Policies Examples

Rego (OPA):

    default allow := false
    allow if user_is_owner
    allow if {
        user_is_employee
        action_is_read
    }
    allow if {
        user_is_employee
        user_is_senior
        action_is_update
    }
    allow if {
        user_is_customer
        action_is_read
        not pet_is_adopted
    }

ALFA:

    policyset records {
        target clause objectType == "record"
        apply firstApplicable
        policy viewRecords {
            target clause actionId == "view"
            apply firstApplicable
            rule managers {
                target clause user.role == "manager"
                permit
            }
            rule owner {
                permit
                condition record.owner == user.employeeId
            }
        }
    }

AWS Cedar:

    permit (
        principal == PhotoApp::User::"alice",
        action == PhotoApp::Action::"viewPhoto",
        resource == PhotoApp::Photo::"vacationPhoto.jpg"
    );
    permit (
        principal == PhotoApp::User::"stacey",
        action == PhotoApp::Action::"viewPhoto",
        resource
    ) when { resource in PhotoApp::Account::"stacey" };

ALFA Policies can be visualized as Graphs
Graph example: subject Attorney, action View, resource Court Reporter Transcript; the root node (DO) fans out to four rule nodes (DuP), each with its check:
- Permit if the attorney is assigned to the case. (The attorney must be assigned to the case. ✔)
- Permit if the attorney is in good standing. (The attorney must be in good standing. ✔)
- Permit if the attorney is licensed. (The attorney must be licensed to practice in court. ✔)
- Permit if the attorney checks are all good. (The attorney must be cleared. ✔)

Event-time Authorization
Putting a 🩹 on existing applications
- Acknowledge sessions and tokens are pervasive
- Adapt apps so that tokens can be augmented/reduced
The goal of the SSF Working Group is to enable the sharing of security events, state changes, and other signals between related and/or dependent systems

Authorization Lifecycle
1. Define the use case
2. Gather AuthZ Reqs
3. Identify attributes
4. Author policies
5. Test the policies
6. Deploy architecture
7. Deploy the policies
8. Run Access Reviews

The Ten Commandments of Authorization
1. Declarative (policy-based)
2. Dynamic (runtime decision)
3. ABAC (attributes)
4. Decoupled (from the app)
5. ReBAC (relationships)
6. Feature-driven (business rules)
7. Transparent (audit & review)
8. Scalable (protect 1…∞)
9. Agnostic (APIs, data…)
10. Future-proof (APIs, data…)

Can we all adapt to a P*P architecture?
IIW37_S7I_PDP & PEP vs. AS/RS Smackdown (How to map them properly?)

Authorization Pyramid: 01 Admin Time, 02 Runtime, 03 Event-time

Further Reading
Authorization Models
- Role Based Access Control RBAC (NIST)
- Attribute Based Access Control ABAC (NIST)
- A Taxonomy of Modern Authorization Models - IDPro
- ReBAC: Access Control Requirements for Web 2.0 Security and Privacy (Carrie Gates)
Standards Work
- OpenID AuthZEN WG
- OpenID Shared Signals WG
- ALFA - the Abbreviated Language for Authorization
- https://alfa.guide and https://authzen.guide
Podcasts, newsletters, and more
- Authorize Clipping Service
- Dynamically Speaking: The Axiomatics Podcast - YouTube