A Manager’s Guide to Identity & Access Control
Stephen T. Whitlock, Chief Strategist, Information Security, The Boeing Company
BOEING is a trademark of Boeing Management Company. Copyright © 2008 Boeing. All rights reserved.

Privilege Management in Eight Words
Identification: Who are you?
Authentication: Prove it!
Authorization: Here’s your stuff...
• Identification: The presentation of an identifier so that the system can recognize and distinguish the presenter from other principals
• Authentication: The exchange of information in order to verify the claimed identity of a principal
• Authorization: The granting of rights, including access, to a principal, by the proper authority
Principal: An entity (people, devices, applications, etc.) whose identity can be authenticated
Reference: Open Group XDSF (X/Open Distributed Security Framework), ISO 10181-3

ISO Authorization Model (diagram)
Components, in the order the slide builds them up: Principal; Resource; Access Control Enforcement Function (AEF); Decision Cache; Access Control Decision Function (ADF); Decision Support Information (Environmental, Resource, & Principal Attributes; Identifiers); Policy Rules, maintained by an Admin; Audit Logs; Resource Labels.
Flows shown:
• Principal → Access Control Enforcement Function: Identity, Access Request
• Access Control Enforcement Function → Resource: Resource Access
• Access Control Enforcement Function → Decision Cache → Access Control Decision Function: Request, Identity, Attributes; the Decision flows back
• Access Control Enforcement Function pulls Additional Attributes and writes Audit Logs
• Access Control Decision Function consults Decision Support Information and Policy Rules
The request, identity and attribute flow is marked “Relatively Dynamic”; the Policy Rules, Admin and Resource Labels side is marked “Relatively Static”.

You Are All Wrong Right
• All decisions should be made by Policy (Rules Based Access Control)
• Access decisions must be able to consume:
  – Static decisions (Account & Resource Provisioning, etc.): attributes pulled from LDAP, Database, etc.
  – Dynamic decisions: SAML attributes (arrive during the Authentication process), X.509 attributes (also arrive during Authentication), XACML attributes (arrive with the Authorization request)
• Identifier + Attributes = Identity (Attribute Based Access Control)
• A Role is an attribute used to collect Principal identities for scalability (RBAC)
• A Capability is an attribute used to collect Resources for scalability (but it didn’t get an acronym)
• Identity based access control supports Discretionary Access Control (DAC) policies
• Mandatory Access Control systems require Resource Metadata
  – Labels attached to the data
  – Labels stored in a directory and linked to the data

Access Control Matrix: The Authorization Ur-Text
The slide shows a matrix with Resources A, B, C, D as columns and Principals Alice, Bob, Eve, Alpha 1 … Alpha n, Alpha Group and Backup as rows; each cell holds the rights (READ, WRITE) that principal has on that resource. The individual cell values are not recoverable from the extraction. Two projections of the matrix are highlighted:
• A row is a principal’s Capability List (“Bob’s Capability List”)
• A column is a resource’s Access Control List (“Access Control List for B”)
• A collection of principals with the same rights forms a Group
• A Role is a Group with a meaningful name
• Access Control (ACL) System: Bob carries around his Identity; the AZN System checks the Principal identity
• Capability Based System: Bob carries around his Capability List; the AZN System checks the Resource identity

Terminology Guide or Why Am I Confused?
Column meanings: (1) accountable person who desires access; (2) user or process acting for the person; (3) potential actions that may be applied; (4) resource subject to access control.

Source | (1) | (2) | (3) | (4)
Computer Communications Security, 1994, Warwick Ford | User | Initiator | Access Permissions | Target
X/Open Distributed Security Framework, 1994, The Open Group | User | Initiator | Initiator ACL, Target ACL | Target
CORBA Security Services Specification 1.0, 1996, Object Management Group | Principal, Subject | Initiator, Client, Principal | Access policy rights, Privilege attributes, Control attributes | Target, Target Object
Me | User | Principal | Action | Resource
(source not recoverable from the extraction) | Subject | Subject | Rights | Object
(source not recoverable from the extraction) | User Identifier | User Identifier | Access Control List | Data Identifier

The slide also cites Secure Computing: Threats and Safeguards, 1997, Rita C. Summers, and Computer Security, 1996, John Carroll, for the two rows whose attribution could not be recovered.
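The matrix, its ACL and capability-list projections, the Group/Role idea, and the Enforcement/Decision split of the ISO model, worked through as an added example (not code from the slides or from Boeing). The matrix cells, the “Alpha Group” row and the `roles` attribute name are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample matrix (not the slide's cells): principals x resources,
# each cell the set of rights. "Alpha Group" is a group row that a role
# attribute can name.
MATRIX = {
    "Alice":       {"A": {"READ", "WRITE"}, "B": {"READ"}},
    "Bob":         {"A": {"READ"}, "B": {"READ", "WRITE"}, "C": {"READ"}},
    "Eve":         {"A": {"READ"}, "B": {"READ", "WRITE"}, "C": {"READ"}},
    "Alpha Group": {"C": {"READ"}, "D": {"READ", "WRITE"}},
    "Backup":      {"A": {"READ"}, "B": {"READ"}, "C": {"READ"}, "D": {"READ"}},
}

def capability_list(matrix, principal):
    """Row view: the list a principal carries in a capability-based system."""
    return {r: frozenset(v) for r, v in matrix.get(principal, {}).items()}

def access_control_list(matrix, resource):
    """Column view: the list a resource keeps in an ACL-based system."""
    return {p: frozenset(row[resource]) for p, row in matrix.items() if resource in row}

def find_groups(matrix):
    """Principals with identical rows form a Group; naming one makes it a Role."""
    by_row = defaultdict(list)
    for p, row in matrix.items():
        by_row[tuple(sorted((r, tuple(sorted(v))) for r, v in row.items()))].append(p)
    return sorted(sorted(ps) for ps in by_row.values() if len(ps) > 1)

class DecisionFunction:
    """ADF: applies the policy (here, the matrix) to identity + request."""
    def __init__(self, matrix):
        self.matrix = matrix
    def decide(self, identifier, roles, action, resource):
        # Identity = identifier + attributes; a role attribute pulls in the
        # rights of the group row it names, so RBAC rides on the same matrix.
        return any(action in self.matrix.get(n, {}).get(resource, set())
                   for n in (identifier, *roles))

class EnforcementFunction:
    """AEF: the only component touching the resource; caches decisions, logs."""
    def __init__(self, adf):
        self.adf, self.cache, self.audit = adf, {}, []
    def request(self, identifier, attributes, action, resource):
        key = (identifier, tuple(sorted(attributes.get("roles", ()))), action, resource)
        if key not in self.cache:            # Decision Cache in front of the ADF
            self.cache[key] = self.adf.decide(*key)
        self.audit.append((key, self.cache[key]))  # Audit Log entry
        return self.cache[key]
```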