Webinar: April 21, 2015. Export Control with Bell Helicopter and Axiomatics: How to implement data access control that eases regulatory pressure. © 2015 Axiomatics AB

Export control webinar with bell helicopter


Agenda

The Challenges of Export Control

What is Attribute-Based Access Control

How ABAC works with PLM systems

Bell Helicopter Case Study

Q&A


Export Control – The Challenge

Governments impose strict export limitations on certain technologies and goods

Typically applies to military-based capabilities, but covers some non-military areas

Regulations categorize all goods they deem to be sensitive

Companies are obliged to categorize their own products accordingly

Further, companies are required to ensure controls are in place such that information is never shared with restricted parties


And the fines are steep…


Export Control Reform - 2013

The US government revised its rules and classification schemes in 2013 to implement greater controls on more sensitive global products (those that are potentially dangerous if not controlled).

From the October 2013 press release:

“The controls effective today are no longer overly broad generic controls that capture everything, but instead are detailed, enumerated lists that impose controls based on the sensitivity of the item and the destination. For example, our most sensitive items – such as bombers, fighters, unmanned aerial vehicles, and their key subsystems, parts, and components – remain on the USML, while less sensitive items, mostly parts and components like cockpit gauges, steel brake wear pads and fuel filters, are now subject to the more flexible authorities of the CCL.”

…Does this sound complex?


Complexity of reform


Complexity can be handled by Attribute Based Access Control

Dynamic nature of these regulations makes ABAC a necessity

Varied attributes such as location, nationality, export license validity, organization and jurisdiction

Scalable and adaptable to changing environment

Centrally managed solution can bring a multitude of applications and databases under a single set of policies

Standards-based language means policies can be easily altered, implemented, re-used as needed


The Good News…


Core Interest

Protect global IP

Ensure trade secrets (such as chemical formulas, recipes, CAD drawings) are secure

Share information and data securely to foster collaboration

The Complexity of EC

Fines for NOT meeting export control regulations are steep

Authorization needs are a complex set of attributes (such as location, nationality, export license validity, organization and jurisdiction) necessary for every request in a global PLM/ERP system

Common language is often not in place across departments and systems

Departments that touch global users directly are often not those responsible for access control

Global political climate is in constant flux


ABAC can be integrated with PLM Systems


What is Attribute Based Access Control (ABAC)?

It uses centrally managed authorization policies/rules

(vs. current models based on code embedded differently in each application)

Policies use attributes to exactly define WHO should gain access to WHAT, WHERE, WHY, WHEN and HOW

(vs. current coarse-grained models based on roles to group users with similar needs)

It externalizes authorization from applications

(vs. current models based on authorization being built into each and every application)

It is standards-based – eXtensible Access Control Markup Language (XACML)

(vs. current models based on the skills and methods of software developers who implement business rules in C++, Java, C# etc.)


FROM RBAC (coarse-grained): many users in one role

TO ABAC (fine-grained): many attributes per user/resource…


The ABAC shift

Export Control Requires Fine-grained Authorization


How Axiomatics Policy Server works


Bell Helicopter Story

• About Bell Helicopter

• Choice to make the shift to ABAC

• Key Learnings from Implementation

• Business Benefits


About Bell Helicopter

Founded in 1935; Headquartered in Fort Worth, Texas, Bell Helicopter has additional plants in Amarillo, Texas and Mirabel, Canada.

As the world’s premier provider of vertical lift aircraft, Bell Helicopter continues to provide every customer with products, service and support second to none.

On a Mission. To change the way the world flies with superior vertical lift that saves lives, preserves freedom and provides customers with exceptional value.


RBAC was not enough…

Custom-coding an RBAC system was not meeting the complexity necessary to meet export control regulations

Over 10,000 lines of code and audit requirements

Inflexible and not scalable

Complexity was not manageable

Needed dynamic authorization for real-time permit/deny for a very high-traffic system that intersected across PLM, ERP, manufacturing floor environments

Identified XACML as a standards-based approach to solve this


Why shift to ABAC?


Requirements

Bell needed 24/7 dynamic authorization for product life cycle management to meet export control regulations

Attributes used for policy creation:

User’s nationality in relation to classification of individual data items or assemblies

Context of the access request

From where it is being made

What time it is made

Context as compared to metadata about the information assets

Solution: Axiomatics Policy Server
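
A minimal sketch of a deny-by-default decision over the attribute kinds listed above (nationality, request location, export license validity, item classification), added here as an illustration; it is not code from the webinar, from Axiomatics Policy Server, or a XACML policy. All names, sample values and rules are constructed assumptions and do not restate the actual regulations.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Subject:
    nationality: str                      # e.g. "US", "CA"
    location: str                         # country the request originates from
    license_valid_until: Optional[date]   # export license expiry, None if no license

@dataclass(frozen=True)
class Resource:
    jurisdiction: str                     # "USML" or "CCL" classification of the item
    cleared_nationalities: frozenset      # constructed metadata on the data item

ALLOWED_LOCATIONS = frozenset({"US", "CA"})   # constructed sample value

def decide(subject: Subject, resource: Resource, today: date):
    """Return (decision, reason). Constructed rules, deny by default."""
    if resource.jurisdiction not in ("USML", "CCL"):
        return "Deny", "unclassified item"          # fail closed on missing metadata
    if subject.location not in ALLOWED_LOCATIONS:
        return "Deny", "request location not allowed"
    if subject.nationality in resource.cleared_nationalities:
        return "Permit", "nationality cleared for item"
    licensed = (subject.license_valid_until is not None
                and subject.license_valid_until >= today)
    if resource.jurisdiction == "CCL" and licensed:
        return "Permit", "valid export license"
    return "Deny", "no rule permits access"

# Constructed sample requests
TODAY = date(2015, 4, 21)
drawing = Resource("USML", frozenset({"US"}))
gauge = Resource("CCL", frozenset({"US", "CA"}))
us_eng = Subject("US", "US", None)
partner = Subject("FR", "CA", date(2015, 12, 31))
expired = Subject("FR", "CA", date(2015, 1, 1))

if __name__ == "__main__":
    for name, s, r in [("us_eng/drawing", us_eng, drawing),
                       ("partner/drawing", partner, drawing),
                       ("partner/gauge", partner, gauge),
                       ("expired/gauge", expired, gauge)]:
        print(name, decide(s, r, TODAY))
```

Because the rules live in one function rather than in each application, changing a classification or a cleared nationality changes every caller's decision at once, and every deny carries a reason that can be logged for audit.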


Needs for ABAC Implementation


People, process and language

Involve people for the long-term

Creation of Policy Working Group was key to the success of the ABAC rollout

Right membership and regular meetings paramount; must evolve as organization evolves

Building the policies for the first time requires research and not just regurgitation

Policy life cycle discussion

Created a document to guide the process

Who it affects

What data it affects

From what systems

For what product


Key Learnings


People, process and language

Create a common data vocabulary

Challenging across third-party applications and legacy systems

Requires rethinking of all data inputs

Map policies to work across departments

Reduce “Us vs. Them” mentality

XACML-based policies facilitate this process


Key Learnings


Value of working with Axiomatics (1/2)

Stability of systems:

Overcame hesitation and skepticism about putting this software in the critical path and about its performance: would it be reliable enough?

Other departments are anxious to go and ready to use APS to fix their access control problems – project created awareness and an internal tipping point.

Improved speed to market

The real cost savings are in the speed with which you can grant access to authorized users and in NOT having to constantly rebuild your applications.


Business Benefits


Value of working with Axiomatics (2/2)

Elimination of data exposure

Sensitive data is no longer stored anywhere that it can be exposed

Teams stay focused on core roles

Increased trust among application development teams


Business Benefits


Axiomatics can help you make the shift to ABAC.

With policies and attributes, Axiomatics’ ABAC solutions address your most sophisticated Export Control requirements

Protect data and resources at the database, in the application or file server for consistent enforcement

Policy editing and life cycle management tools simplify ongoing maintenance

Reduce or eliminate audit findings


Question & Answer Session


Resources

Link to Export Control Profiles for XACML

http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/cos01/xacml-3.0-ec-us-v1.0-cos01.html

Fact sheet on Export Control Reform (ECR) from the White House

https://www.whitehouse.gov/the-press-office/2013/10/15/fact-sheet-announcing-revised-us-export-control-system

Link to federal government site on Export Control

www.export.gov

Commerce Control List from the Bureau of Industry and Security

https://www.bis.doc.gov/index.php/regulations/commerce-control-list-ccl
