David Brossard

Axiomatics

Twitter: @axiomatics

Flexible and dynamic security for the data-centric enterprise

Bridging the gap between the C-Level and systems administrators

The data universe is expanding

More users, more devices, more regulations, more data (a lot more)

…and with it comes…

More data about everything: interaction data, medical data, financial data, IoT data, social network data, government records, customer preferences

More users: employees, partners, customers, patients, insurers, banks, manufacturers, family

More user expectations: access anytime, access anywhere, access from any device

More devices: smart phone, tablet, desktop, laptop, smart watch

More regulations and more jurisdictions: privacy, SoX, HIPAA, PCI-DSS, patient consent, US regulations, EU legislation, NAFTA, Hong Kong Monetary Authority, Singapore

The modern data headache

Traditional database security:

• Coarse-grained (all or nothing)

• Role-centric (sysdba)

• Linked to the database (rather than the data)

From the CDO down to the sysadmin: a one-way monologue

“Implement the latest Singapore Finance regulation… Now! Add more regulations…”

“Huh, ok, hmmm, let’s implement some custom logic here.”

“Let’s pepper in stored procedures…”

What about governance & compliance?

• What are the access permissions?

• Who has access to a record?

• Who accessed a given record?

Need for a comprehensive approach

• Access Reviews, Compliance & Audits

• Requirements gathering

• Design & Implementation

How to implement the following… using today’s techniques?

Source: Monetary Authority of Singapore

• Employees of the bank can view customers’ bank accounts

• Employees outside Singapore cannot view the balance of a Singapore-based customer

• All access to data should be blocked outside office hours

Today’s techniques:

• Static data masking – copying data to another location

• Hard-coding logic inside the db, e.g. stored procedures

• Hard-coding inside the application layer

Challenges

• Too static

• Difficult to audit

• Time to market

• Expensive

• Technology-specific

• Security silos

There is a better way (comprehensive, holistic)

We need true data-centric security: a way capable of tackling the many dimensions of data in the modern world

Security that looks at the data, the user and their attributes

Security capable of leveraging those attributes to make decisions

Attribute-Based Access Control

• A standard defined by NIST

• Access control is expressed via policies

• Policies use attributes to describe cases when access should be denied / allowed

Who? What? Where? When? How? Why?

Attribute-Based Access Control

• Access control is externalized from the business logic

• Access control policies are maintained centrally

• The access control is flexible so that it can be applied to APIs, databases, and more

• Access control decisions are made dynamically at runtime

Define the access control requirement

Only employees in Singapore can view the balance of a Singapore-based customer bank account

Extract the attributes

• Role: employee

• User location: Singapore

• Action: view (SELECT)

• Resource: balance

• Resource type: bank account

• Resource location: Singapore

Implement the policy

A user with the role == employee
can do the action == SELECT
on the column == BALANCE of table == ACCOUNTS
if account.location == user.location

• Centrally managed access policies

• Data filtering on the fly

• Dynamic Data masking on the fly

What ABAC can let you achieve
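As an added example (not from the deck and not Axiomatics’ product code), the three MAS requirements above carried through as a small policy decision point plus an enforcement point over SQLite that applies the same policy predicate as either row filtering or balance masking; the ACCOUNTS rows, the column names and the 09:00–17:59 office-hours window are constructed assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the bank's ACCOUNTS table.
ACCOUNTS = [
    ("Tan Wei",  "Singapore", 12000.50),
    ("Lim Hui",  "Singapore",   830.00),
    ("John Doe", "USA",          99.10),
    ("Li Ming",  "Hong Kong",  4500.00),
]
OFFICE_HOURS = range(9, 18)  # assumption: requests are allowed 09:00-17:59

def open_db():
    """In-memory database loaded with the constructed ACCOUNTS rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ACCOUNTS (customer TEXT, location TEXT, balance REAL)")
    conn.executemany("INSERT INTO ACCOUNTS VALUES (?, ?, ?)", ACCOUNTS)
    return conn

def decide(user, action, table, hour):
    """Policy Decision Point: subject, action, resource and environment attributes
    evaluated against the deck's three requirements. Returns None for deny, otherwise
    the SQL predicate (fragment, params) selecting rows whose BALANCE the user may see."""
    if hour not in OFFICE_HOURS:           # When?  all access blocked outside office hours
        return None
    if user["role"] != "employee" or action != "SELECT" or table != "ACCOUNTS":
        return None                        # Who? / How? / What?
    # Where?  balance is visible only if account.location == user.location
    return ("location = ?", (user["location"],))

def view_balances(conn, user, hour, mode="mask"):
    """Policy Enforcement Point: rewrites the query with the PDP's predicate.
    mode="filter" drops non-entitled rows; mode="mask" keeps every row but returns
    NULL for a balance the user may not see. The predicate text comes only from decide()."""
    entitled = decide(user, "SELECT", "ACCOUNTS", hour)
    if entitled is None:
        return []
    pred, params = entitled
    if mode == "filter":
        sql = f"SELECT customer, location, balance FROM ACCOUNTS WHERE {pred}"
    else:
        sql = f"SELECT customer, location, CASE WHEN {pred} THEN balance END FROM ACCOUNTS"
    return conn.execute(sql + " ORDER BY rowid", params).fetchall()

if __name__ == "__main__":
    db = open_db()
    print(view_balances(db, {"role": "employee", "location": "Singapore"}, 10, "filter"))
    print(view_balances(db, {"role": "employee", "location": "USA"}, 10))
```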

Axiomatics Data Access Filter MD

• One solution for multiple databases

• Policy-driven data-centric security

– The same standards-based policies you use for other apps / APIs

• Dynamic on-the-fly data filtering

– Only retrieve entitled data & avoid leaks

• Dynamic on-the-fly data masking

– Mask values e.g. credit card numbers

INDUSTRY USE CASES: Applying Attribute-based access control to achieve data-centric security

Fortune 50 Bank

• Location: NY, USA

• Use case: developer access to production data

• Challenges

– Make sure developers get relevant access only

– Ensure PII is not disclosed

Fortune 50 Bank

• Location: NY, USA

• Use case: business intelligence & big data

• Challenges

– Run reports on bank data

– Protect PII

Fortune 500 Pharmaceutical

• Location: USA

• Use case: clinical trial data

• Challenges

– Guarantee patient privacy

– Protect the company’s sensitive IP

– Speed up time to market through secure collaboration

Fortune 500 Global Bank

• Location: Europe

• Use case: implement banking regulations

– Singapore

– Hong Kong

• Challenges

– In order to operate in certain markets, banks must comply with an increasing number of complex regulations around data sharing

Summary: bridging the gap

Policy-driven data-centric security: from the CDO’s requirements… to the sysdba’s access policy