
Federate Access Policy, Not Identity

Alan H. Karp, Hewlett-Packard Laboratories. 04/21/09 | Session ID: ESS-106 | Session Classification: Advanced.


Presentation Transcript


  1. Federate Access Policy, Not Identity. Alan H. Karp, Hewlett-Packard Laboratories, 04/21/09 | Session ID: ESS-106 | Session Classification: Advanced

  2. Get Ready to Turn Your Brain Inside Out. Alan H. Karp, Hewlett-Packard Laboratories, 04/21/09 | Session ID: ESS-106 | Session Classification: Advanced

  3. An Actual Response (HP Labs security expert). November 2006: “I don’t get it.” January 2007: “I don’t get it.” February 2007: “I don’t get it.” March 2007: “Why would you do it any other way?” February 2008: “Why is this so hard for people to get?”

  4. Adoption
     • US Joint Forces Command exercise 2009: included as part of the experiment
     • California HHS Privacy Board: part of the proposed solution in the December 2008 draft
     • NY State e-government initiative: being evaluated; still working on it
     • HP: not the official strategy, yet

  5. The Fundamental Idea

  6. Access Control Process
     • Identification: know who to hold responsible. Unix: set up a user account.
     • Authentication: what properties the user proves. Unix: lets a process use that account.
     • Authorization: what rights come with a proof. Unix: add an entry to the ACL.
     • Access decision: honor the request or not. Unix: check the ACL.

  7. Where and When. You can choose when and where you authenticate and authorize.

  8. Agenda
     • Federating Identities
     • Federation Use Case
     • Federating Access Policy
     • FAccM, not FIdM

  9. CANES Use Case (architecture diagram). A portal (Mars Portal with portlets and a WS client) calls a web service (Forecast Weather) over SAML / SOAP; each side has inbound and outbound Security Handlers and a CES SDK that provides the API to the core services: Principal Attribute Service, Policy Decision Service, Policy Management Service, Key Management Service, a CA issuing DoD SIPRNet certs, Identity and Authorization Directory Servers, and an Admin Console. Security data carried: roles, credentials, policy.

  10. Service Composition (diagram: HP, Alice, Bob with the Backup service, Carol with the Copy service).

  11. Service Life Cycle
     • Create the service and identify the manager
     • Advertise the service
     • Specify policy for local users
     • Potential user finds the service
     • Exchange policy data with trusted partners
     • Propagate policy data for indirect sharing
     • Verify access rights of a request
     • Process updates to policy data
     • Shut down the service

  12. Federating Identities

  13. Create the Service (diagram: HP, Alice, Bob’s Backup service and Carol’s Copy service, each organization with its own Service Manager). Services are usually managed by the organization.

  14. Advertise Service (diagram: the Backup and Copy services are registered in UDDI).

  15. Specify Policy for Local Users (diagram: ACLs on the Backup and Copy services). Local users are either known to need access or request access after discovering the service.

  16. Potential User Finds Service (diagram: the potential user looks the service up in UDDI).

  17. Exchange Policy with Partners (diagram: an MOU and policy are exchanged between HP and Bob’s organization, and between Bob’s and Carol’s organizations; ACLs on Backup and Copy). Organizations negotiate the terms of a contract and exchange usage policies.

  18. Exchange Policy with Partners (diagram: Alice’s identity is passed from HP to Bob’s organization and added to the Backup service’s ACL).

  19. Verify Access Rights on Request (diagram: Alice invokes backup(foo) on the Backup service, which checks its ACL).

  20. Propagate Policy for Indirect Sharing (diagram: HP’s ACL must gain “Copy: read foo” and the Copy service’s ACL must gain “Alice: read bar”). How does HP decide if the request to add Copy is legitimate?

  21. Verify Access Rights on Request (diagram: the Backup service invokes copy(foo,bar) on the Copy service, which checks its ACL). In the general case, Carol might need Alice’s authentication.

  22. Verify Access Rights on Request (diagram: the Copy service invokes read(foo) against HP, which checks its ACL).

  23. Verify Access Rights on Request (diagram: Alice’s read(bar) is checked against the Copy service’s ACL).

  24. Propagate Policy Changes (diagram: “Revoke Alice” is sent from HP to Bob’s organization and on to Carol’s, and each ACL is updated). Alice just lost her access to the backup copy, and what about Carol’s permission to read foo?

  25. Shutdown the Service (diagram: the services are gone, but the ACL entries that referred to them remain). What happens to access rules if the name of the service is reused?

  26. Summary of FIdM Approach
     • Need a uniform authentication mechanism
     • Alice authenticates to HP and Bob
     • Alice’s identity in Carol’s ACL
     • No trust relationship between Carol and Alice (or HP)
     • Need some mechanism to specify policy
     • Bob and Carol must act to revoke Alice
     • Exposes HP’s internal organization
     • Violate Least Privilege or lose functionality

  27. Federating Access Policy

  28. Create the Service. The Backup service issues “<saml:Authorization> Pu2: backup </saml:Authorization>”, signed with Pr1; the Copy service issues “<saml:Authorization> Pu4: copy </saml:Authorization>”, signed with Pr3. An authorization is issued to a public key and is valid if signed by the corresponding private key.

  29. Create the Service. The same authorizations with the keys named: “<saml:Authorization> Bob: backup </saml:Authorization>”, signed Backup; “<saml:Authorization> Carol: copy </saml:Authorization>”, signed Copy. For convenience, we’ll denote these keys with names, but these are self-signed certificates.

  30. Advertise Service (diagram: the Backup and Copy services are registered in UDDI).

  31. Specify Policy for Local Users. Carol issues “<saml:Authorization> localUser: copy </saml:Authorization> <Evidence>Carol: copy</Evidence>”, signed Carol; Bob issues “<saml:Authorization> localUser: backup </saml:Authorization> <Evidence>Bob: backup</Evidence>”, signed Bob.

  32. Find Service (diagram: the service is looked up in UDDI).

  33. Exchange Policy with Partners. Under the MOU between HP and Bob’s organization, Bob issues “<saml:Authorization> HP: backup </saml:Authorization> <Evidence>Bob: backup</Evidence>”, signed Bob; under the MOU between Bob’s and Carol’s organizations, Carol issues “<saml:Authorization> Bob: copy </saml:Authorization> <Evidence>Carol: copy</Evidence>”, signed Carol.

  34. Exchange Policy with Partners. HP issues “<saml:Authorization> Alice: backup </saml:Authorization> <Evidence>HP: backup <Evidence>Bob: backup</Evidence></Evidence>”, signed HP; Bob issues “<saml:Authorization> Backup: copy </saml:Authorization> <Evidence>Bob: copy <Evidence>Carol: copy</Evidence></Evidence>”, signed Bob. Purely local with FAccM.

  35. Verify Access. Alice’s request to the Backup service carries, in the <soap:header>, “Backup: read foo <Evidence>Alice: read foo</Evidence>” and, in the <soap:body>, “<saml:Authorization> Alice: backup <Evidence>HP: backup</Evidence> </saml:Authorization>”, signed Alice. The root of trust is the private key of the backup service used in the initial authorization.

  36. Verify Access. The Backup service’s request to the Copy service carries, in the <soap:header>, “Copy: read foo <Evidence>Backup: read foo</Evidence>” and, in the <soap:body>, “<saml:Authorization> Backup: copy <Evidence>Bob: copy</Evidence> </saml:Authorization>” together with the argument “bar”, signed Backup.

  37. Propagate Policy for Indirect Sharing (diagram). Policy propagation is done by delegating rights during invocation.

  38. Verify Access. The Copy service’s read of foo from HP carries, in the <soap:body>, “<saml:Authorization> Copy: read foo <Evidence>Backup: read foo</Evidence> </saml:Authorization>”, signed Copy.

  39. Verify Access (Return Value). The Copy service returns “<saml:Authorization> Backup: read bar </saml:Authorization>”, signed Copy; the Backup service then issues “<saml:Authorization> Alice: read bar <Evidence>Backup: read bar</Evidence> </saml:Authorization>”, signed Backup.

  40. Verify Access (Return Value). Alice’s read of bar carries, in the <soap:body>, “<saml:Authorization> Alice: read bar <Evidence>Backup: read bar</Evidence> </saml:Authorization>”, signed Alice.

  41. Propagate Policy Changes (diagram: Alice sends “Revoke authz #A3FE8”). Alice can revoke Bob’s right to foo after the invocation returns, which revokes Copy’s access to foo.

  42. Shutdown the Service (diagram: the Backup service is gone). Forgetting the service’s private key invalidates all authorizations to it.

  43. Summary of FAccM Approach
     • Don’t need to authenticate on use
     • Request message contains authorizations
     • Carol need not have heard of Alice or even HP
     • Parameters become delegations
     • Easier to enforce Least Privilege
     • No trusted third party, e.g., CAs
     • Service’s private key is root of trust
     • Moves steps off the critical path

  44. FAccM, not FIdM

  45. FIdM: Who are you?
     • Asked at the time and place of the service
     • Must distribute identities: single userid/password, SSO, true federation
     • Must get identities in place ahead of time
     • But still need to express access policy
     • Indirection leads to complications
     • Often leads to violations of Least Privilege

  46. If you don’t like the answer you’re getting, ask a better question.

  47. FAccM: Is this request authorized?
     • Federate access policy directly
     • Only authenticate your own people
     • Authorize in the user’s domain before the request
     • Use IdM to decide what rights to grant
     • Verify authorization at the time and place of service
     • Fewer global agreements
     • Easier to enforce Least Privilege

  48. Apply What You Learned
     • Go home and ask “Why who?” Is it to make an access decision? Are you authenticating a partner’s employee? If so, ask instead “Is this request authorized?”
     • Work with business partners: use the contract as a means to swap authorizations; stop managing each other’s people
     • Greater flexibility, better security, lower cost: pocket your savings

  49. Questions? alan.karp@hp.com. FAccM: yes. FIdM: no.
