8/3/2019 ModelingRBACFinal
2010 Standard Insurance Company
Modeling RBAC with SABSA, TOGAF and ArchiMate: Creating a Foundation for Understanding and Action
Iver Band, CISSP - Open Group Conference, Austin, Texas
July 19, 2011
Agenda
About The Standard
The RBAC standard
Modeling motivations and objectives
Framework analysis and comparison
Modeling approach
Diagrams that justify and explain RBAC
Conclusion
References
May 1, 2012
Thanks to Kevin Graham, CISSP and enterprise security architect at The Standard, for his partnership in this work
The Standard
Financial services company
Founded in 1906
Our purpose: To help people achieve financial security so they can confidently pursue their dreams
Expertise: Group Life & Disability Insurance, Individual Disability Insurance, Retirement Plans, Individual Annuities, Commercial Mortgages
Headquarters in Portland, OR
3,100 Employees
IT at The Standard
People: Several hundred
Facilities: Portland: primary data center and nearly all staff; New Jersey: disaster recovery site
Hardware: IBM System Z (mainframe), RISC, industry standard (x86)
Virtualization: VMware, System Z LPARs, SAN, NAS, Citrix
Network: Nationwide, redundant, multi-carrier, connects all offices and key partners
Applications: 650 spanning CICS, batch, JEE, .NET architectures
Data Stores: Flat file, VSAM, Oracle and SQL Server
End User Computing: Microsoft Office (including SharePoint), SAS, etc.
Typical Access Control Challenges
Diagram: access control fragmented across Active Directory, SharePoint, Oracle, UNIX, SQL Server, Portal and LAN Share
Fragmented identities, systems and processes
Insufficient understanding of identity and access management best practices
Inadequate visibility of access control mechanisms, changes and outcomes
What is Role-Based Access Control (RBAC)?
A widely implemented mechanism for protecting system resources, standardized by ANSI INCITS 359-2004
Relies on user authentication, which in turn relies on identity management
Defines and applies relationships between
  Users: often human, but can also be systems
  Roles: job functions defined for an organization
  Permissions: organizational consent to perform specific operations
Ensures that each user can execute only those operations authorized through roles that are both assigned to that user and activated for that user's session
Common alternatives include
  Mandatory Access Control (MAC): administrators manage permissions based on the classification and category of each object and user
  Discretionary Access Control (DAC): users manage permissions for the objects they own
RBAC Concepts
Four standard and cumulative levels: (1) Core, (2) Hierarchical, (3) Constrained, (4) Symmetric
All levels support
  Restriction of user permissions to those acquired through roles
  Many-to-many user-role and role-permission assignment
  Review of user-role assignments
  Simultaneous user access to permissions of multiple roles
Level 2 adds variants with differing hierarchy support
  a. Support for an arbitrary partial order (reflexive, transitive, anti-symmetric)
  b. Any restriction on the structure of the role hierarchy, for example: tree or inverted tree, limited inheritance or activation, depth limits
Level 3 adds separation of duty (SOD) support
Level 4 adds permission-role review with performance comparable to user-role review
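The RBAC definitions and the four cumulative levels on the two slides above are concrete enough to execute. The following Python model is an added example, not code from the presentation, from The Standard or from the ANSI standard itself; it implements the relations the slides name (user-role and role-permission assignment, sessions with activated roles, a role hierarchy kept as a partial order, static separation of duty checked over inherited roles, and the level 4 permission-role review). The class and method names, and the claims-department roles, users and permissions, are constructed for illustration.

```python
# Added example: a toy RBAC engine that follows the cumulative levels summarized
# in the slides. Role, user and permission names below are constructed.
from collections import defaultdict


class Rbac:
    """Relations mirror the standard: UA (user-role), PA (permission-role),
    a role hierarchy and sessions holding the roles a user has activated."""

    def __init__(self):
        self.ua = defaultdict(set)       # user -> assigned roles
        self.pa = defaultdict(set)       # role -> directly assigned permissions
        self.juniors = defaultdict(set)  # senior role -> roles it inherits from
        self.ssd = []                    # static SoD constraints: (role set, n)
        self.sessions = {}               # session id -> (user, activated roles)

    # Level 2: role hierarchy, kept a partial order (no cycles)
    def add_inheritance(self, senior, junior):
        if senior == junior or senior in self.authorized_roles({junior}):
            raise ValueError(f"{senior} > {junior} would make the hierarchy cyclic")
        self.juniors[senior].add(junior)

    def authorized_roles(self, roles):
        """Close a role set over the hierarchy: a role carries its juniors' permissions."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors[role])
        return seen

    def role_permissions(self, role):
        return set().union(*(self.pa[r] for r in self.authorized_roles({role})))

    # Level 3: static separation of duty, applied to inherited roles as well
    def add_ssd(self, roles, n=2):
        """No user may be authorized for n or more of the given roles."""
        self.ssd.append((frozenset(roles), n))

    # Level 1: core assignment, sessions and the access decision
    def grant(self, role, perm):
        self.pa[role].add(perm)

    def assign(self, user, role):
        authorized = self.authorized_roles(self.ua[user] | {role})
        if any(len(authorized & rs) >= n for rs, n in self.ssd):
            raise ValueError(f"SSD: {user} may not hold {role}")
        self.ua[user].add(role)

    def create_session(self, sid, user, roles):
        roles = set(roles)
        if not roles <= self.ua[user]:  # only assigned roles can be activated
            raise ValueError(f"{user} is not assigned {sorted(roles - self.ua[user])}")
        self.sessions[sid] = (user, roles)

    def check_access(self, sid, perm):
        _, active = self.sessions[sid]
        return any(perm in self.role_permissions(r) for r in active)

    # Reviews: user-role review (all levels) and permission-role review (level 4)
    def users_with_role(self, role):
        return {u for u, rs in self.ua.items() if role in self.authorized_roles(rs)}

    def roles_with_permission(self, perm):
        known = set(self.pa) | set(self.juniors)
        return {r for r in known if perm in self.role_permissions(r)}


def _raises(action):
    try:
        action()
        return False
    except ValueError:
        return True


def demo():
    """Constructed claims-department sample; returns the decisions for inspection."""
    r = Rbac()
    r.grant("claims_clerk", "view_claim")
    r.grant("claims_examiner", "approve_claim")
    r.grant("claims_auditor", "audit_claim")
    r.add_inheritance("claims_examiner", "claims_clerk")       # examiners do what clerks do
    r.add_inheritance("claims_supervisor", "claims_examiner")  # supervisors do what examiners do
    r.add_ssd({"claims_examiner", "claims_auditor"})           # nobody both approves and audits
    r.assign("alice", "claims_supervisor")
    r.assign("bob", "claims_auditor")
    r.create_session("s1", "alice", ["claims_supervisor"])
    return {
        "alice_can_view": r.check_access("s1", "view_claim"),    # True, via two inheritance hops
        "alice_can_audit": r.check_access("s1", "audit_claim"),  # False
        # supervisor inherits examiner, so bob (an auditor) would breach the SSD rule
        "ssd_blocked": _raises(lambda: r.assign("bob", "claims_supervisor")),
        "unassigned_blocked": _raises(lambda: r.create_session("s2", "bob", ["claims_examiner"])),
        "approvers": sorted(r.roles_with_permission("approve_claim")),
        "examiners": sorted(r.users_with_role("claims_examiner")),
    }
```

Two points are worth noticing when reading `demo()`. The separation-of-duty check is applied to the closure of the user's roles over the hierarchy, which is why assigning a supervisor role to an auditor is refused even though the constraint names only the examiner role. And `roles_with_permission` is the level 4 review: it answers "who can approve a claim" from the role model alone, which is the question the later slides on justification and explanation are built to answer for business stakeholders.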
RBAC Modeling and Knowledge Transfer: Motivations
Business drivers
  Increase the efficiency, agility and transparency of access control
  Support strategic requirements for enterprise-wide and federated identity and access management
IT drivers
  Increase RBAC understanding of both IT and key user personnel
  Derive greater value from existing identity management investments and justify further investment
  Support identity and access management for enterprise initiatives such as CRM and Contact Center
  Reduce administrative burden on IT by making access control comprehensible to the broader business community
  Demonstrate relevance of TOGAF and ArchiMate to security architecture
Well-Designed RBAC Is Easy to Understand
Diagram contrasting the All-Too-Typical State with the Desired State; the diagram labels are "Local roles aligned with system context" and "Local roles aligned with business context"
Modeling Objectives
This effort is not fundamentally about technology
It is about getting people to think differently about access control
  Change behavior immediately and measurably: systems and access administration requests and configurations
  Lay the groundwork for successful investments in identity and access management solutions
It requires two types of communication to a range of business and IT stakeholders
  Justification: Demonstrate the need for systematic access control
  Explanation: Explain how RBAC works and how it satisfies the need
How Can Our Chosen Frameworks Help?
Columns: Sherwood Applied Business Security Architecture (SABSA), The Open Group Architecture Framework (TOGAF), ArchiMate

Capability                                      SABSA  TOGAF     ArchiMate
Architecture Development Method                 Yes    Yes       No
Content Framework                               Yes    Yes       Yes
Explicit Entity-Relationship Metamodel          No     Yes       Yes
Explicit Definitions for Individual Viewpoints  No     Somewhat  Yes
Visual Modeling Language                        No     No        Yes
TOGAF and SABSA Have Comparable Methods for our Purposes
Diagram: the TOGAF ADM shown alongside the SABSA Lifecycle
Contextual and Conceptual Architecture are Organized Differently in Each Paradigm
Diagram comparing the layering of the three paradigms:
  SABSA Model for Security Architecture: Contextual, Conceptual, Logical, Physical, Component, Service Mgmt
  TOGAF Version 9 Full Content Metamodel: Business Principles, Vision, Requirements; Information Systems; Technology; Realization; extensions for Motivation, Governance, Process, Data, Services, Infrastructure and Consolidation
  ArchiMate 2.0 Draft Core and Extensions: Motivation, Business, Application, Technology, Implementation and Migration
Our Modeling Approach Leverages Strengths of Each Standard
Select cells from SABSA Matrix for RBAC justification and explanation
  Strength: Comprehensive treatment of enterprise security architecture
Select best fitting TOGAF catalogs, matrices and diagram types
  Strength: Comprehensive treatment of enterprise architecture (EA)
Select best fitting ArchiMate diagram types
  Strength: General EA visual modeling language with broad coverage of TOGAF, particularly in the 2.0 draft specification
Adapt viewpoints as necessary to express SABSA objectives
Create catalogs and matrices
  Straightforward based on TOGAF 9 guidance
  This presentation will instead focus on diagrams
Create ArchiMate diagrams based on selected TOGAF and ArchiMate viewpoints
The Top Two Rows of the SABSA Matrix Have Relevant Content
Diagram: the top two rows of the SABSA Matrix, annotated "Justify RBAC" and "Explain RBAC"
Each Selected SABSA Matrix Cell Corresponds to Multiple TOGAF and ArchiMate Viewpoints
Table: SABSA Matrix Location (Layer/Aspect; Title; Selected Cell Content), mapped to TOGAF Catalogs (C), Matrices (M) & Diagrams (D) and to ArchiMate Diagrams; the rows in each group share the same viewpoints

Context/Assets; Business Decisions; Goals & Objectives
Context/Motivation; Business Risk; Opportunities & Threats
Concept/Motivation; Risk Mgmt Objectives; Enablement & Control Objectives
  TOGAF: C: Driver/Goal/Objective, Contract/Measure; M: Stakeholder Map; D: Goal/Objective/Service
  ArchiMate: Stakeholder, Goal Refinement, Goal Contribution, Principles, Motivation

Context/People; Business Governance; Organizational Structure & the Extended Enterprise
Concept/People; Roles & Responsibilities; Owners, Custodians & Users; Service Providers & Customers
  TOGAF: C: Organization/Actor, Bus. Service/Function; M: Bus. Interaction, Actor/Role; D: Value Chain, Organizational Decomposition, Bus. Footprint
  ArchiMate: Organization, Actor Co-operation, Bus. Function, Bus. Process, Bus. Process Co-operation

Concept/Location; Domain Framework; Security Domain Concepts & Framework
  TOGAF: C: Role, Location; D: Solution Concept
  ArchiMate: Introductory, Layered, Product, Application Behavior, Landscape Map
TOGAF Value Chain Diagram (Explain RBAC; Justify RBAC)
RBAC resulted in $6 billion in US economic benefits from 2002-2009, according to a 2010 economic analysis commissioned by US NIST, from which this diagram was adapted
ArchiMate Motivation Diagram (Justify RBAC)
ArchiMate Actor Cooperation Diagram (Justify RBAC)
ArchiMate Landscape Map (Justify RBAC; Explain RBAC)
Diagram: landscape map of Lines of Business (Group Insurance, Retirement Plans, Individual Insurance, Wealth Management, Mortgage Brokerage) against Business Functions (Broker Collaboration, Sales CRM, Service CRM, Policy/Plan/Account Administration, Claims/Payment/Withdrawal Processing, Document Processing); cells name the supporting applications: Enterprise CRM Application, Mortgage Solution, Document Mgmt System A, Document Mgmt System B, Policy Admin App, Plan Admin App, Hosted Advisor Workbench, Claims App A, Hosted Vertical Industry Solution, or Not Applicable
TOGAF Solution Concept Diagram (Explain RBAC; Justify RBAC)
ArchiMate Product Diagram (Explain RBAC; Justify RBAC)
Review: RBAC Levels (Explain RBAC)

Level            Role Structure  Hierarchy Support  Role Constraints      Role Symmetry
1. Core          Flat            N/A                None                  No
2. Hierarchical  Hierarchy       General / Limited  None                  No
3. Constrained   Hierarchy       General / Limited  Separation of Duties  No
4. Symmetric     Hierarchy       General / Limited  Separation of Duties  Yes
ArchiMate Application Behavior View (Explain RBAC)
Conclusion
TOGAF, ArchiMate and SABSA each provide broad and deep value for enterprise architects, regardless of their specialty
Integrating these three paradigms today requires significant effort, since they cover much but not all of the same ground, often with similar but not strictly equivalent concepts
Fortunately, there are Open Group efforts underway to integrate
  TOGAF and SABSA
  The TOGAF and ArchiMate content frameworks
Architects can use RBAC to improve the effectiveness, scalability, transparency and agility of access control
Architects can use SABSA, TOGAF and ArchiMate
  To model, portray and analyze planned or actual RBAC solutions
  As a rigorous foundation for a wide range of stakeholder communications
References
The NIST Model for Role-Based Access Control: Towards a Unified Standard
  http://csrc.nist.gov/groups/SNS/rbac/documents/towards-std.pdf
ANSI INCITS 359-2004 Information Technology Role-Based Access Control
  http://www.techstreet.com/standards/incits/359_2004?product_id=1151353
Sherwood Applied Business Security Architecture (SABSA)
  http://www.sabsa.org/publications.aspx
  Executive White Paper on Enterprise Security Architecture
  Enterprise Security Architecture: A Business-Driven Approach
TOGAF 9 standard online
  http://pubs.opengroup.org/architecture/togaf9-doc/arch
ArchiMate Version 1.0 standard online
  http://www.opengroup.org/archimate/index.htm
Economic Benefits of Role-Based Access Control
  http://csrc.nist.gov/groups/SNS/rbac/documents/20101219_RBAC2_Final_Report.pdf
Speaker contact: [email protected]