
  • Number of slides: 18

A Manager’s Guide to Identity & Access Control
Stephen T. Whitlock, Chief Strategist, Information Security, The Boeing Company
BOEING is a trademark of Boeing Management Company. Copyright © 2008 Boeing. All rights reserved.

Privilege Management in Eight Words
Boeing Technology | Information Technology | Information Security

Identification: Who are you?
Authentication: Prove it!
Authorization: Here’s your stuff. . .

• Identification: The presentation of an identifier so that the system can recognize and distinguish the presenter from other principals.
• Authentication: The exchange of information in order to verify the claimed identity of a principal.
• Authorization: The granting of rights, including access, to a principal, by the proper authority.
• Principal: An entity (people, devices, applications, etc.) whose identity can be authenticated.

Reference: Open Group XDSF (X/Open Distributed Security Framework), ISO 10181-3

ISO Authorization Model

(Diagram, described in text.) The Principal sends its Identity and an Access Request to the Access Control Enforcement Function, which is the only component that touches the Resource (Resource Access). The Enforcement Function forwards the Request, Identity and Attributes, plus any Additional Attributes, to the Access Control Decision Function and receives a Decision back; a Decision Cache sits beside the Enforcement Function so repeated identical requests need not be re-decided. The Decision Function writes Audit Logs and consumes Decision Support Information: Environmental, Resource and Principal Attributes; Identifiers; Resource Labels; and Policy Rules maintained by an Admin.

• Relatively dynamic: the per-request flow (request, identity, attributes, decision).
• Relatively static: the decision support information (attributes, identifiers, resource labels, policy rules) provisioned ahead of time.

You Are All Wrong Right

• All decisions should be made by Policy (Rules Based Access Control).
• Access decisions must be able to consume:
  • Static decisions (made at account and resource provisioning time, etc.): attributes pulled from LDAP, a database, etc.
  • Dynamic decisions:
    – SAML attributes (arrive during the authentication process)
    – X.509 attributes (also arrive during authentication)
    – XACML attributes (arrive with the authorization request)
• Identifier + Attributes = Identity (Attribute Based Access Control).
• A Role is an attribute used to collect Principal identities for scalability (RBAC).
• A Capability is an attribute used to collect Resources for scalability (but it didn’t get an acronym).
• Identity based access control supports Discretionary Access Control (DAC) policies.
• Mandatory Access Control systems require Resource Metadata: labels attached to the data, or labels stored in a directory and linked to the data.
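The ISO model above and the policy-driven decision described on this slide, as an added example that is not Boeing's code or the deck's own: an enforcement function (ACEF) forwards identity, request and attributes to a decision function (ACDF), which evaluates ordered policy rules over static directory attributes, a dynamic attribute carried in the authentication assertion, a resource label and an environmental attribute, writes an audit record, and has its decision cached by the enforcement side. The directory entries, resource labels, rule names and attribute names (`clearance`, `authn_method`, `hour`) are all constructed for illustration.

```python
"""ISO 10181-3 style authorization: ACEF + ACDF + policy rules (constructed example)."""
from typing import Callable, Optional

Decision = str  # "PERMIT" or "DENY"

# Relatively static decision-support information, provisioned by an admin
# ahead of time (what a directory/LDAP or a database would hold). Constructed.
DIRECTORY = {
    "alice": {"roles": {"engineer"}, "clearance": 2, "org": "propulsion"},
    "bob":   {"roles": {"engineer", "backup"}, "clearance": 1, "org": "propulsion"},
    "eve":   {"roles": {"contractor"}, "clearance": 0, "org": "external"},
}

# Resource labels (metadata) consumed by the mandatory rule below. Constructed.
RESOURCE_LABELS = {
    "/docs/engine-spec":    {"classification": 2, "owner_org": "propulsion"},
    "/docs/cafeteria-menu": {"classification": 0, "owner_org": "facilities"},
}

# Policy rules: evaluated in order; the first rule that returns a decision wins.
def no_read_up(ctx) -> Optional[Decision]:
    """Mandatory rule: a principal may not read above its clearance (needs the label)."""
    if ctx["action"] == "read" and ctx["principal"]["clearance"] < ctx["resource"]["classification"]:
        return "DENY"
    return None

def sensitive_needs_strong_authn(ctx) -> Optional[Decision]:
    """Dynamic attribute: the authentication method asserted at login (SAML/X.509 style)."""
    if ctx["resource"]["classification"] >= 2 and ctx["assertion"].get("authn_method") != "smartcard":
        return "DENY"
    return None

def engineer_reads_own_org(ctx) -> Optional[Decision]:
    """RBAC: 'engineer' is just an attribute that collects many principals."""
    p, r = ctx["principal"], ctx["resource"]
    if ctx["action"] == "read" and "engineer" in p["roles"] and p["org"] == r["owner_org"]:
        return "PERMIT"
    return None

def backup_in_maintenance_window(ctx) -> Optional[Decision]:
    """Environmental attribute: the hour at which the request arrives."""
    if ctx["action"] == "read" and "backup" in ctx["principal"]["roles"] and 0 <= ctx["env"]["hour"] < 6:
        return "PERMIT"
    return None

def default_deny(ctx) -> Decision:
    return "DENY"

POLICY: list[Callable] = [no_read_up, sensitive_needs_strong_authn,
                          engineer_reads_own_org, backup_in_maintenance_window, default_deny]


class DecisionFunction:
    """ACDF: decides from policy plus decision-support information; logs every decision."""
    def __init__(self, policy):
        self.policy = policy
        self.audit: list[dict] = []

    def decide(self, identity, assertion, resource, action, env) -> Decision:
        principal, label = DIRECTORY.get(identity), RESOURCE_LABELS.get(resource)
        if principal is None or label is None:
            decision, reason = "DENY", "unknown principal or resource"
        else:
            ctx = {"principal": principal, "assertion": assertion,
                   "resource": label, "action": action, "env": env}
            for rule in self.policy:
                decision = rule(ctx)
                if decision is not None:
                    reason = rule.__name__
                    break
        self.audit.append({"identity": identity, "resource": resource, "action": action,
                           "decision": decision, "reason": reason})
        return decision


class EnforcementFunction:
    """ACEF: the only component that touches the resource; holds the decision cache."""
    def __init__(self, pdp: DecisionFunction):
        self.pdp = pdp
        self.cache: dict[tuple, Decision] = {}

    def access(self, identity, assertion, resource, action, env) -> bool:
        # The cache key must cover every dynamic input the decision depends on;
        # keying on identity alone would turn a one-off assertion into a standing grant.
        key = (identity, resource, action, tuple(sorted(assertion.items())), env["hour"])
        if key not in self.cache:
            self.cache[key] = self.pdp.decide(identity, assertion, resource, action, env)
        return self.cache[key] == "PERMIT"


def demo() -> dict[str, bool]:
    pep = EnforcementFunction(DecisionFunction(POLICY))
    card, pwd = {"authn_method": "smartcard"}, {"authn_method": "password"}
    return {
        "alice_spec_card":   pep.access("alice", card, "/docs/engine-spec", "read", {"hour": 10}),
        "alice_spec_pwd":    pep.access("alice", pwd,  "/docs/engine-spec", "read", {"hour": 10}),
        "bob_spec_card":     pep.access("bob",   card, "/docs/engine-spec", "read", {"hour": 10}),
        "bob_menu_night":    pep.access("bob",   pwd,  "/docs/cafeteria-menu", "read", {"hour": 3}),
        "bob_menu_day":      pep.access("bob",   pwd,  "/docs/cafeteria-menu", "read", {"hour": 10}),
        "eve_menu":          pep.access("eve",   pwd,  "/docs/cafeteria-menu", "read", {"hour": 10}),
        "unknown_principal": pep.access("mallory", pwd, "/docs/cafeteria-menu", "read", {"hour": 10}),
    }

if __name__ == "__main__":
    for name, permitted in demo().items():
        print(name, "PERMIT" if permitted else "DENY")
```

The point to take from it: the enforcement function never inspects policy, the decision function never touches the resource, and the cache is keyed on the dynamic inputs (assertion contents, hour) as well as the identity, because a cached decision that ignores them silently converts a one-time authentication fact into a standing entitlement.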

Access Control Matrix: The Authorization Ur-Text

(Diagram, described in text.) Rows are Principals (Alice, Bob, Eve, Alpha 1 … Alpha n, Backup, …); columns are Resources (A, B, C, D); each cell holds the rights (READ, WRITE) that principal has to that resource.

• A row is a capability list: Bob’s row is Bob’s Capability List.
• A column is an access control list: the column for B is the Access Control List for B.
• A collection of principals with the same rights forms a Group (Alpha 1 … Alpha n form the Alpha Group). A Role is a Group with a meaningful name.
• Access Control (list) System: Bob carries around his Identity; the AZN (authorization) system checks the Principal identity against the resource’s ACL.
• Capability Based System: Bob carries around his Capability List; the AZN system checks the Resource identity named in the capability.
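The two projections of the matrix described above, as an added example that is not part of the original deck: a row becomes the capability list a principal carries, a column becomes the ACL stored with a resource, principals with identical rows are collapsed into a group, and the two authorization checks are shown side by side (one looks the presenting principal up in the resource's ACL, the other looks the requested resource up in the presented capabilities). It goes one step beyond the slide by showing what the split means for revocation. The matrix cells are constructed; the slide's exact cell contents are not recoverable from the extraction.

```python
"""Access control matrix and its two projections: ACLs (columns) and capability lists (rows)."""
from itertools import product

RIGHTS = ("read", "write")

# Rows: principals; columns: resources A..D; cell: set of rights. Constructed sample data.
MATRIX = {
    "alice":  {"A": {"read"}, "B": {"read", "write"}, "C": {"read"}},
    "bob":    {"B": {"read"}, "D": {"read", "write"}},
    "eve":    {"A": {"read"}, "C": {"read", "write"}},
    "alpha1": {"A": {"read", "write"}, "B": {"read"}},
    "alpha2": {"A": {"read", "write"}, "B": {"read"}},
    "backup": {"A": {"read"}, "B": {"read"}, "C": {"read"}, "D": {"read"}},
}
RESOURCES = sorted({r for row in MATRIX.values() for r in row})


def acl_for(matrix, resource):
    """Column projection: the Access Control List stored with a resource."""
    return {p: set(row[resource]) for p, row in matrix.items() if resource in row}


def capability_list_for(matrix, principal):
    """Row projection: the capability list a principal carries around (a copy, as issued)."""
    return {r: set(rights) for r, rights in matrix.get(principal, {}).items()}


def acl_check(matrix, principal, resource, right):
    """ACL system: the principal presents its identity; AZN looks it up in the resource's ACL."""
    return right in acl_for(matrix, resource).get(principal, set())


def capability_check(capabilities, resource, right):
    """Capability system: the principal presents capabilities; AZN checks the resource identity in them."""
    return right in capabilities.get(resource, set())


def derive_groups(matrix):
    """Principals with identical rows form a group; naming such a group meaningfully makes it a role."""
    by_row = {}
    for p, row in matrix.items():
        key = frozenset((r, right) for r, rights in row.items() for right in rights)
        by_row.setdefault(key, []).append(p)
    return sorted(sorted(members) for members in by_row.values() if len(members) > 1)


def projections_agree(matrix):
    """Both projections are views of one matrix, so every (principal, resource, right) check must agree."""
    for p, r, right in product(matrix, RESOURCES, RIGHTS):
        if acl_check(matrix, p, r, right) != capability_check(capability_list_for(matrix, p), r, right):
            return False
    return True


def revoke(matrix, principal, resource, right):
    """Return a new matrix with one cell edited. In an ACL system that is the whole job;
    capability lists already issued from the old row are untouched until they are re-validated."""
    new = {p: {r: set(rs) for r, rs in row.items()} for p, row in matrix.items()}
    new.get(principal, {}).get(resource, set()).discard(right)
    return new


if __name__ == "__main__":
    print("ACL for D:", acl_for(MATRIX, "D"))
    print("Bob's capabilities:", capability_list_for(MATRIX, "bob"))
    print("Groups:", derive_groups(MATRIX))
    print("Projections agree:", projections_agree(MATRIX))
```

The `revoke` function is the practical caveat: an ACL system revokes by editing one column, while a capability system has to reach every capability it has already handed out, which is why real capability systems pair issuance with expiry or a revalidation step.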

Terminology Guide, or Why Am I Confused?

Columns: (1) accountable person who desires access; (2) user or process acting for the person; (3) potential actions that may be applied; (4) resource subject to access control.

Source | (1) Accountable person | (2) User or process | (3) Actions | (4) Resource
Secure Computing: Threats and Safeguards, 1997, Rita C. Summers | Subject | | Rights | Object
Computer Security, 1996, John Carroll | User Identifier | | Access Control List | Data Identifier
Computer Communications Security, 1994, Warwick Ford | User | Initiator | Access Permissions | Target
X/Open Distributed Security Framework, 1994, The Open Group | User | Initiator | ACL | Target
CORBA Security Services Specification 1.0, 1996, Object Management Group | Principal, Subject | Initiator, Client, Principal | Access policy rights, Privilege attributes, Control attributes | Target, Target Object
Me (the author’s own usage) | User | Principal | Action | Resource