Understanding & Managing Discretionary Access The TAO of Entitlement Management Darran Rolls CTO, SailPoint Technologies

CIS 2015- Understanding & Managing Discretionary Access: The TAO of Entitlement Management- Darran Rolls


Chief Technology Officer

Chief Information Security Officer

Today’s Agenda

•  Discretionary Access
-  Definition
-  Application

•  The Spectrum of Authorization
-  Static Models
-  Dynamic Models
-  Blended Models

•  Striking the Right Balance
-  What Fits Best Where?
-  Some General Best Practices…

Discretionary Access ?

“Passing or Embedding Control for an access control decision”

The Spectrum of Discretionary Access

Discretionary Access Scale

Approval Based - Static  <->  Model Based - Dynamic

Access Control Decisions along the scale:
•  Static end: partial or full human interaction (approvals)
•  Dynamic end: fully resolvable, policy based
•  In between: a balance of both

Static

“Pertaining to or characterized by a fixed or stationary condition”
www.dictionary.com

“An application access security mechanism, controlled by local configuration”
www.darranrolls.com

Distributed…

Heterogeneous…

Static & Isolated…

Who has access to what ?

Centralized Control !

Identity Governance & Administration

Approvals

Dynamic

“Pertaining to or characterized by energy or effective action”
www.dictionary.com

“An application access security mechanism, controlled by an external late binding decision making process”
www.darranrolls.com

Dynamic Models: ABAC - Entitlements & Context

Components of the decision chain:
•  PIP (Policy Information Point) - Attribute Provider, e.g. a VDS (virtual directory server)
•  PDP (Policy Decision Point)
•  PEP (Policy Enforcement Point) - one in front of each Target System

Inputs to the decision:
•  Entitlement Giving Attributes…
•  Environment Attributes + Rules…

Entitlement Giving Attributes: Creating High Fidelity Attributes…

High fidelity attributes provide assurance that controls and governance are in place to appropriately manage the entitlement-giving attributes the PDP relies on: if an attribute can grant access, its source, ownership and change history must be governed to the same standard as a directly provisioned entitlement.

Dynamic Models: ABAC - Entitlements & Context (continued)

•  Environment Attributes + Policies…
•  Policy Review & Attestation…

Policy Review & Attestation: Maintaining Integrity…

Policy controls provide assurance that, once developed and deployed, access policy rules can be treated as articles of access attestation, with lifecycle controls and audit: a reviewed policy is a governed object, and a change to it after review is itself an access change that must be detected and approved.

Dynamic Models: ABAC - Entitlements & Context (continued)

•  Attributes…
•  Policies…
•  Governance: Visibility… Review… Change Control… Audit…

Governance for the Process: Managing Attributes & Policies

•  Visibility
-  Collection
-  Categorization
-  Analytics

•  Review
-  Approvals
-  Certification
-  Policy checks…

•  Change
-  Delegated Admin
-  Change Detection
-  Change Approval

•  Audit
-  Reporting
-  Activity
-  Review

Attribute Integrity Reliability Index

Blended

“To have mixed smoothly and inseparably together.”
www.dictionary.com

“An application access security mechanism that mixes static & dynamic methods in the end-to-end process.”
www.darranrolls.com

Just-in-Time Token Authorization with Governance-based Provisioning

Attribute Integrity Reliability Index

Real-time (Dynamic)  <->  Approval (Manual)
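The following is an added example, not code from the deck or from SailPoint, that puts the dynamic ABAC chain (PIP, PDP, PEP, environment attributes and attested policies) and the blended model above into one runnable decision. The static half is a provisioned entitlement that must already be present in the identity store; the dynamic half is a late-binding policy check on subject and environment attributes. Each attribute carries a reliability index standing in for the deck's "Attribute Integrity Reliability Index"; the 0..1 scale, the sample users, the policy fields and all names here are assumptions for illustration. Policy attestation is modelled as a recorded digest of the reviewed policy, so a policy edited after review is refused.

```python
"""Blended access-control decision: static entitlements from governance-based
provisioning, checked by a dynamic (ABAC) policy decision point at request time."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Any


# ---- PIP (Policy Information Point). Every attribute carries its source and a
# reliability index (assumed 0.0 = unmanaged .. 1.0 = approved and certified). ----
@dataclass(frozen=True)
class Attribute:
    value: Any
    source: str         # where the attribute came from (iga, self-service, manual grant)
    reliability: float  # governance-derived confidence in the value


# Constructed sample identity data. "iga" marks attributes that went through
# approval and certification, so they count as high-fidelity.
PIP_DATA: dict[str, dict[str, Attribute]] = {
    "alice": {
        "department": Attribute("treasury", "iga", 0.95),
        "entitlements": Attribute(frozenset({"payments:approve"}), "iga", 0.95),
    },
    "bob": {
        "department": Attribute("treasury", "self-service", 0.40),
        "entitlements": Attribute(frozenset({"payments:approve"}), "manual-grant", 0.50),
    },
}


def pip_get(subject: str, name: str) -> Attribute | None:
    """Look up one attribute for a subject; None if the PIP has no value."""
    return PIP_DATA.get(subject, {}).get(name)


# ---- Policy lifecycle. A policy is plain data; attestation records the digest
# of the reviewed version so the PDP refuses anything edited after review. ----
ATTESTED_DIGESTS: dict[str, str] = {}


def policy_digest(policy: dict) -> str:
    return hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).hexdigest()


def attest(policy: dict) -> str:
    """Record the reviewed policy's digest (its 'article of access attestation')."""
    digest = policy_digest(policy)
    ATTESTED_DIGESTS[policy["id"]] = digest
    return digest


PAYMENTS_POLICY = {  # assumed policy shape for this example
    "id": "payments-approve-v1",
    "resource": "payments",
    "action": "approve",
    "required_entitlement": "payments:approve",  # static part: must be provisioned
    "min_reliability": 0.8,                       # entitlement-giving attributes must be high-fidelity
    "subject_match": {"department": "treasury"},  # dynamic part: attribute conditions
    "environment": {"networks": ["corp", "vpn"], "business_hours": True},
}


# ---- PDP (Policy Decision Point): late-binding decision over subject, resource,
# action and environment. Returns the decision and the first failing check. ----
def decide(subject: str, resource: str, action: str, env: dict, policy: dict) -> dict:
    if ATTESTED_DIGESTS.get(policy["id"]) != policy_digest(policy):
        return {"decision": "deny", "reason": "policy not attested or changed since review"}
    if (resource, action) != (policy["resource"], policy["action"]):
        return {"decision": "deny", "reason": "no applicable policy"}

    ents = pip_get(subject, "entitlements")
    if ents is None or policy["required_entitlement"] not in ents.value:
        return {"decision": "deny", "reason": "required entitlement not provisioned"}
    if ents.reliability < policy["min_reliability"]:
        return {"decision": "deny", "reason": f"entitlement source {ents.source!r} below reliability floor"}

    for name, expected in policy["subject_match"].items():
        attr = pip_get(subject, name)
        if attr is None or attr.value != expected:
            return {"decision": "deny", "reason": f"subject attribute {name!r} does not match"}
        if attr.reliability < policy["min_reliability"]:
            return {"decision": "deny", "reason": f"attribute {name!r} from {attr.source!r} below reliability floor"}

    if env.get("network") not in policy["environment"]["networks"]:
        return {"decision": "deny", "reason": "request network not permitted"}
    if policy["environment"]["business_hours"] and not 9 <= env.get("hour", -1) < 17:
        return {"decision": "deny", "reason": "outside business hours"}
    return {"decision": "permit", "reason": "static and dynamic conditions satisfied"}


# ---- PEP (Policy Enforcement Point) at the target application ----
def pep_approve_payment(subject: str, env: dict, policy: dict = PAYMENTS_POLICY) -> tuple[bool, str]:
    outcome = decide(subject, "payments", "approve", env, policy)
    return outcome["decision"] == "permit", outcome["reason"]


if __name__ == "__main__":
    attest(PAYMENTS_POLICY)
    print(pep_approve_payment("alice", {"network": "corp", "hour": 10}))  # permitted
    print(pep_approve_payment("alice", {"network": "home", "hour": 10}))  # environment check fails
    print(pep_approve_payment("bob", {"network": "corp", "hour": 10}))    # entitlement source too weak
```

The order of checks is the point: the PDP will not even read attributes until the policy it is about to apply matches its attested digest, and an entitlement that is present but was granted outside governance (bob's manual grant) is rejected on reliability before any environment rule is consulted. That is the blended model in one place: provisioning supplies the static entitlement, the reliability index carries the governance signal for it, and the environment rules make the final decision late, at request time.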

Striking a Balance

Blended Access Control Models Example

IdentityNOW IdentityIQ

Thank You!

[email protected] @djrolls