Welcome!

Cloud Security Authors: Elizabeth White, Rishi Bhargava, Matthew McKenna, Dan Potter, Pat Romanski

Related Topics: Java IoT, Microservices Expo, Microsoft Cloud, Cloud Security

Java IoT: Article

Externalizing Fine-Grained Authorization from Applications

An Entitlements Server allows enterprises to externalize fine-grained authorization from an application’s logic

The recent spike in insider threats, coupled with a rise in compliance considerations, has forced organizations to ensure only authorized users access sensitive application functionality and data. Historically, user entitlements or authorization logic has been embedded inside an application. For example, if the user of an application meets specific conditions, such as a specific role, access to that application function will be granted at runtime. But if the definition of specific authorization conditions changes over time, then the application developer needs to modify the application's source code, test, and re-deploy the application.

Suppose a homegrown portal application must present a sensitive piece of customer information such as a Social Security Number (SSN) when a service representative views a customer's profile. It is determined that in order to ensure compliance with various privacy regulations, only directors and senior managers may be able to view a customer's SSN. A decision has to be dynamically made whenever the application must show an SSN as to whether the current user may view the actual data or some default value (e.g., "XXX-XX-XXXX"). The decision must take into account the user's job title. A dozen parts of the application that can display a customer's SSN mean a dozen places for this business logic to be applied.

Now assume that the policy needs to be changed after the application has been in production for some time. The business has determined that senior managers in California may not view an SSN. This is an exceptional situation that requires another piece of information to be considered as part of the entitlement decision. But what if we take the example even further? Suppose that only directors above a certain salary grade can view SSNs. Now the entitlement logic has been split into multiple decisions based on runtime attributes. So the business logic must be adapted.

You can see that authorization or entitlement policies evolve very differently from application requirements. Having the entitlement logic "hard wired" into the business logic means changing code each time there is a policy change. A lot of organizations also outsource their application development, which means often times they don't own the code that handles the business logic directly. This can lead to further inefficiencies and delays in deploying changes in policies. If we keep the entitlement policies outside of the application, they can be changed without modifying the application.

In this article, we explore a new approach designed to externalize user entitlements from applications through the use of a dedicated access control solution for the application tier. Externalized entitlements mean separating fine-grained authorization logic from business logic. One benefit of this is transparency; the entitlements are now understandable and measurable beyond the context of the application. This is important so that a company may review their entitlement policies for completeness and accuracy against corporate standards.

Roles and Entitlements
Authentication is about validating a user's identity through the use of credentials such as a password, a security card, or a digital certificate. Authorization (or "access control") is the ability to provide an authenticated user access to specific operations of an application.

Authorization is based on the concept of a "role." A role defines what a user is entitled to do. For example, a user in a "broker" role is entitled to transact goods on behalf of others. A role can have qualifying attributes (e.g., seniority, ranking) and can support constraints (e.g., a broker may only start transactions under specific circumstances). Based on his/her role, a user is granted access to specific resources necessary to fill that role.

There are two main kinds of roles: Applications Roles and External Roles. An Applications Role is a collection of users, groups, and other Application Roles; it can be assigned to an enterprise user, group, or External Role in an identity store, or another Application Role in the policy store (see Figure 1). An External Role is the same as an Enterprise Role or Enterprise Group; it's typically implemented as an LDAP group in the identity store.

Application Roles can be many-to-many mapped to External Roles. For example, the external group "employee" (stored in an LDAP-based identity store) can be mapped to the Application Role "customer_support_member" defined in one application and to the Application Role "IT_member" defined in another application.

An Entitlement groups related resources, possibly of different types, needed to perform a business function. In effect, an Entitlement is a reusable collection of access rights that can be granted to multiple principals (users or applications such as web services).

Role-Based and Attribute-Based Access Control
Role-Based Access Control or RBAC, originally defined by NIST [1], formalizes a reference model for controlling access to resources where permissions are not directly associated to users but are defined in roles. The RBAC standard specifies a core set (administrative and system functions) and additional functionality including role hierarchies, constraints, and separation of duty (i.e., "defining a role" and "assigning a role" are separated).

Enterprise RBAC extends RBAC principles to enterprise roles. In addition, Attribute-Based Access Control (ABAC), a natural evolution of RBAC, uses attributes (e.g., social security number or IP address) to define access control rules and access requests (XACML [2] is an example of an ABAC framework). An ABAC policy specifies one or more claims that need to be satisfied before a user is granted access, for example, the user must be a certain age.

Fine-Grained Authorization Model
In a typical XACML-based authorization model, the administrator first defines policies at the Policy Administration Point (PAP), essentially a console allowing policy definition, selection, and attachment. Then attempted access to a protected resource (for example a web service request) is intercepted by a Policy Enforcement Point (PEP), which parses the request and leverages a Policy Decision Point (PDP) to determine whether the request should be granted or denied. The PEP / PDP combination relies on a Policy Information Point (PIP), generally a user directory, to fetch information relevant to the requester for the policy evaluation and policy decision process.

All the access control information required to make the application secure is separate from the application logic and is persisted as modifiable metadata (mostly XML files) packaged with the application.

Fine-Grained Authorization Solutions
A centralized access control solution offers the reuse of authentication and authorization services as well as easier reporting for compliance and regulatory requirements, allowing administrators to control multiple applications through a higher level of granularity.

Java Enterprise Edition (Java EE) application servers provide container security including authorization based on roles. Developers can isolate security code from their business logic and delegate security to the application server infrastructure. However, application server authorization doesn't scale well to the fine-grained access control needs of multiple enterprise applications. A dedicated fine-grained authorization engine is required to complement the functionality provided by the application server.

Introducing Entitlements Server Technology
As previously noted, entitlements are a corollary of roles: being in a specific role entitles you to specific resources. Entitlements are tied to the application as they drive runtime permissions.

Entitlements management enables organizations to define granular access controls for their users based on the attributes of the user, the resource, and the context of the request.

An Entitlements Server is a standalone fine-grained authorization application that allows an organization to protect its resources by defining and managing policies that control access to, and usage of, these resources. Access privileges are defined in a policy by specifying who can do what to which resource, when it can be done, and how. The policy can enforce controls on all types of resources including software components (e.g., URLs, servlets, JavaServer Pages [JSPs], or EJBs used to construct an application), and business objects (e.g., representations of user accounts, personal profiles and contracts such as bank accounts in a banking application, patient records in a health care application, or anything used to define a business relationship).

An Entitlements Server supports the creation of role policies and access control policies. Role policies are used to define constraints regarding which users are assigned roles. Access control policies define access to the software components and business objects mentioned earlier.

An Entitlements Server typically performs the following functionality:

  • Separates security decision making from application logic.
  • Distributes policies from the PAP to the PDPs.
  • Caches policies and authorization decisions for performance.
  • Updates security policies at runtime.
  • Offers a flexible architecture that supports both embedded and remote PDPs (for centralized or distributed policy decisions).
  • Audits all access decisions and management operations.
  • Supports the XACML request / response protocol for authorization inquiries by a client application.
  • Integrates with existing security and identity management systems by leveraging enterprise data in relational databases and LDAP directories.

An Entitlements Server comprises centralized policy management with centralized or distributed policy decision-making. The architecture of an Entitlements Server is based on the interaction model of entities presented in the XACML specifications.

Entitlements Server Components
A typical Entitlements Server implements the XACML-based authorization model described earlier, including a PAP, which makes rules and policies available to the PDP in order for that entity to reach a grant or deny decision for a request to access the protected resource. The PAP generally includes an administration console, management application programming interfaces (APIs) dealing with resource and role catalogs, authorization and role- mapping policies, as well as management command-line utilities.

When the Entitlements Server is deployed, a PDP receives a request for authorization, evaluates the request based on applicable policies, reaches a decision and returns the decision to the PEP, the entity thatfirst made the authorization call. The PDP can also retrieve additional subject, resource, action, and environment attributes from a Policy Information Point to add contextual information to the request.

The PEP is a software component that intercepts the request to the protected application, passes it to the PDP and enforces the security decision returned from the PDP (the PDP may also return information with the decision [referred to as an "obligation"] that allows that decision to be enforced within a particular context). The PEP component can be the protected application itself or a "security module."

The Entitlements Server may offer two types of security modules. One type acts purely as a PDP by receiving requests and reaching decisions. The other type combines the PDP and PEP functionality. Security modules can accommodate various operating environments such as Java and Microsoft .NET applications.

The Attribute Authorities component illustrated in Figure 1 is in effect the PIP. Attribute retrievers are available for LDAP and relational database data sources.

Advanced Entitlements Servers implement the PEP Decision API, a part of the OpenAZ framework [3]. The OpenAZ package provides access from a PEP to a remote or embedded PDP.

Entitlements Server Policies
An Entitlements Server may support the creation of authorization policies and mapping policies. An Authorization Policy is created to return a decision ("grant" or "deny") as a result of a request for access to a protected target resource. The decision is based on the profile of the requesting principal (e.g., a user). An Authorization Policy is applicable to a request for access if the parameters in the request match those specified in the policy.

Consider this policy syntax:

GRANT the Support_Manager_East role MODIFY access to the Incidents servlet if the request is made from an IP address of 100.100.20.20

This Authorization Policy grants any user that is a member of the Support_Manager_East role access to the Incidents servlet for the purpose of modifying it. The policy is also constrained by a condition: the request must be made from IP address 100.100.20.20. Thus, if the parameters in the request match the parameters in the policy, and the request is made from IP address 100.100.20.20, the request is granted, otherwise the policy is ignored.

A Role Mapping Policy allows you to dynamically assign (grant) role membership to a user or dynamically deny (revoke) role membership from a user. A Role Mapping Policy defines which users or External Roles are mapped to an Authorization Policy. Role Mapping Policies are written to define which subjects (user and external roles) are assigned to the applicable role. They may also include conditions, i.e., constraints that must be evaluated to true for the policy to be included in the authorization decision.

Consider the following policy syntax:

GRANT the Employee group Application Role Support_Manager_East if the request is made from an IP address of 100.100.20.20

This policy grants the Application Role Support_Manager_East to any user that is a member of the group Employee. The policy is constrained by a condition: the request must be made from IP address 100.100.20.20. Thus, if the parameters in the request match the parameters in the Role Mapping Policy, and the request is made from IP address 100.100.20.20, the Application Role is granted otherwise the Role Mapping Policy is ignored.

Conclusion
An Entitlements Server allows enterprises to externalize fine-grained authorization from an application's logic, thus allowing developers to focus on business logic and leave fine-grained authorization decisions to security administrators.

References

  1. NIST: The National Institute of Standards and Technology (NIST) Computer Security Division (CSD) provides standards to protect information systems against threats to the confidentiality and integrity of corporate information.
  2. XACML: The Access Control Markup Language (XACML) describes a policy language (general access control requirements) and an access control decision request / response language. The RBAC Profile of XACML specification defines a profile for the use of XACML in expressing policies that use role-based access control (RBAC). In this case, RBAC "roles" are expressed as XACML Subject Attributes. For example, a specific XACML Permission PolicySet contains the permissions associated with the RBAC Manager role.
  3. OpenAZ: The Open Authorization API (OpenAZ) provides a standard interface between an application and a general authorization service. It also provides an effective way to enable authorization providers to plug in client-side authorization functionality.
  4. Oracle Entitlements Server: Oracle Entitlements Server (OES) is a fine-grained authorization management solution that externalizes and centralizes administration of enterprise entitlements, simplifies authorization policies, and enforces security decisions in distributed, heterogeneous applications.

More Stories By Marc Chanliau

Marc Chanliau has been in the software industry for more than 20 years and is currently a director of product management at Oracle where he is responsible for Identity Management solutions and innovations. He is heavily involved in security and XML standards groups including serving as the first chair person of the OASIS Security Services Technical Committee (SSTC), which culminated in the adoption of SAML as an official OASIS standard, participating on the WS-Security Technical Committee, helping to define the Liberty Alliance 2.0 specifications, and participating in the Java Specification Request (JSR) committee.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
Machine Learning helps make complex systems more efficient. By applying advanced Machine Learning techniques such as Cognitive Fingerprinting, wind project operators can utilize these tools to learn from collected data, detect regular patterns, and optimize their own operations. In his session at 18th Cloud Expo, Stuart Gillen, Director of Business Development at SparkCognition, discussed how research has demonstrated the value of Machine Learning in delivering next generation analytics to imp...
The 19th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportuni...
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and shared the must-have mindsets for removing complexity from the develo...
SYS-CON Events announced today that MangoApps will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. MangoApps provides modern company intranets and team collaboration software, allowing workers to stay connected and productive from anywhere in the world and from any device.
Large scale deployments present unique planning challenges, system commissioning hurdles between IT and OT and demand careful system hand-off orchestration. In his session at @ThingsExpo, Jeff Smith, Senior Director and a founding member of Incenergy, will discuss some of the key tactics to ensure delivery success based on his experience of the last two years deploying Industrial IoT systems across four continents.
Basho Technologies has announced the latest release of Basho Riak TS, version 1.3. Riak TS is an enterprise-grade NoSQL database optimized for Internet of Things (IoT). The open source version enables developers to download the software for free and use it in production as well as make contributions to the code and develop applications around Riak TS. Enhancements to Riak TS make it quick, easy and cost-effective to spin up an instance to test new ideas and build IoT applications. In addition to...
Identity is in everything and customers are looking to their providers to ensure the security of their identities, transactions and data. With the increased reliance on cloud-based services, service providers must build security and trust into their offerings, adding value to customers and improving the user experience. Making identity, security and privacy easy for customers provides a unique advantage over the competition.
"We've discovered that after shows 80% if leads that people get, 80% of the conversations end up on the show floor, meaning people forget about it, people forget who they talk to, people forget that there are actual business opportunities to be had here so we try to help out and keep the conversations going," explained Jeff Mesnik, Founder and President of ContentMX, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
"There's a growing demand from users for things to be faster. When you think about all the transactions or interactions users will have with your product and everything that is between those transactions and interactions - what drives us at Catchpoint Systems is the idea to measure that and to analyze it," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York Ci...
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 19th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo Silicon Valley Call for Papers is now open.
I wanted to gather all of my Internet of Things (IOT) blogs into a single blog (that I could later use with my University of San Francisco (USF) Big Data “MBA” course). However as I started to pull these blogs together, I realized that my IOT discussion lacked a vision; it lacked an end point towards which an organization could drive their IOT envisioning, proof of value, app dev, data engineering and data science efforts. And I think that the IOT end point is really quite simple…
"My role is working with customers, helping them go through this digital transformation. I spend a lot of time talking to banks, big industries, manufacturers working through how they are integrating and transforming their IT platforms and moving them forward," explained William Morrish, General Manager Product Sales at Interoute, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
You think you know what’s in your data. But do you? Most organizations are now aware of the business intelligence represented by their data. Data science stands to take this to a level you never thought of – literally. The techniques of data science, when used with the capabilities of Big Data technologies, can make connections you had not yet imagined, helping you discover new insights and ask new questions of your data. In his session at @ThingsExpo, Sarbjit Sarkaria, data science team lead ...
Extracting business value from Internet of Things (IoT) data doesn’t happen overnight. There are several requirements that must be satisfied, including IoT device enablement, data analysis, real-time detection of complex events and automated orchestration of actions. Unfortunately, too many companies fall short in achieving their business goals by implementing incomplete solutions or not focusing on tangible use cases. In his general session at @ThingsExpo, Dave McCarthy, Director of Products...
WebRTC is bringing significant change to the communications landscape that will bridge the worlds of web and telephony, making the Internet the new standard for communications. Cloud9 took the road less traveled and used WebRTC to create a downloadable enterprise-grade communications platform that is changing the communication dynamic in the financial sector. In his session at @ThingsExpo, Leo Papadopoulos, CTO of Cloud9, discussed the importance of WebRTC and how it enables companies to focus...
Verizon Communications Inc. (NYSE, Nasdaq: VZ) and Yahoo! Inc. (Nasdaq: YHOO) have entered into a definitive agreement under which Verizon will acquire Yahoo's operating business for approximately $4.83 billion in cash, subject to customary closing adjustments. Yahoo informs, connects and entertains a global audience of more than 1 billion monthly active users** -- including 600 million monthly active mobile users*** through its search, communications and digital content products. Yahoo also co...
A critical component of any IoT project is what to do with all the data being generated. This data needs to be captured, processed, structured, and stored in a way to facilitate different kinds of queries. Traditional data warehouse and analytical systems are mature technologies that can be used to handle certain kinds of queries, but they are not always well suited to many problems, particularly when there is a need for real-time insights.
Amazon has gradually rolled out parts of its IoT offerings in the last year, but these are just the tip of the iceberg. In addition to optimizing their back-end AWS offerings, Amazon is laying the ground work to be a major force in IoT – especially in the connected home and office. Amazon is extending its reach by building on its dominant Cloud IoT platform, its Dash Button strategy, recently announced Replenishment Services, the Echo/Alexa voice recognition control platform, the 6-7 strategic...
The best-practices for building IoT applications with Go Code that attendees can use to build their own IoT applications. In his session at @ThingsExpo, Indraneel Mitra, Senior Solutions Architect & Technology Evangelist at Cognizant, provided valuable information and resources for both novice and experienced developers on how to get started with IoT and Golang in a day. He also provided information on how to use Intel Arduino Kit, Go Robotics API and AWS IoT stack to build an application tha...
IoT generates lots of temporal data. But how do you unlock its value? You need to discover patterns that are repeatable in vast quantities of data, understand their meaning, and implement scalable monitoring across multiple data streams in order to monetize the discoveries and insights. Motif discovery and deep learning platforms are emerging to visualize sensor data, to search for patterns and to build application that can monitor real time streams efficiently. In his session at @ThingsExpo, ...