Fine-Grained Policies are back with NGAC

Transcript

1. None

2. José Carlos Chávez Sept 25, 2023 Fine-Grained Policies RBAC with

   NGAC @jcchavezs | #IstioCon

3. Fine-Grained Policies are back with NGAC @jcchavezs | #IstioCon José

   Carlos Chávez Sept 25, 2023

4. José Carlos Chávez SOFTWARE ENGINEER @ TETRATE • Open source

   enthusiast • OWASP Coraza Co-leader • Zipkin core member • Loving father About me @jcchavezs | #IstioCon

5. Access control is an essential element of security that determines

   who is allowed to access certain data, apps, and resources—and in what circumstances. What is access control? - Security 101, Microsoft Access Control @jcchavezs | #IstioCon

6. • Make access decision func check(p Principal, op Operation, r

   Resource) bool • Manage access policies • Type of access policy • Policy API • Policy Language BONUS: • Explain access decisions func explain(p Principal, op Operation, r Resource) []Reason func whatAccess(p Principal) []ResourceAndOperations func whoAccess(r Resource) []PrincipalAndOperations Access Control: use cases @jcchavezs | #IstioCon

7. • Discretionary access control (DAC): every object has an owner,

   and owners grant access to users at their discretion. It provides case-by-case control over resources hence not scalable. • Mandatory access control (MAC): users are granted access in the form of a clearance. A central authority regulates access rights and organizes them into tiers, which uniformly expand in scope. Very common in government and military contexts where structures are static and rigid. • Role-based access control (RBAC): access rights are granted based on defined business functions (role), rather than individuals’ identity. Easy to understand and author policies rightly, hard to scale (e.g. role explosion). • Attribute-based access control (ABAC): access is granted flexibly based on a combination of attributes and environmental conditions, such as time and location. It is hard to understand and author policies rightly (permissions overlap) but easy to scale and model. Access Control: models @jcchavezs | #IstioCon

8. NGAC to the rescue @jcchavezs | #IstioCon Yay

9. Next Generation Access Control (NGAC) users user attributes objects object

   attributes policy classes Created by NIST. NGAC takes the approach of modeling access decision data as a directed acyclic graph. - Users/Subjects - Objects - User/subject attributes - Object attributes - Policy classes operations Source: https://thenewstack.io/why-you-should-choose-ngac-as-your-access-control-model @jcchavezs | #IstioCon

10. e.g. ext_authz, wasmplugin, etc NGAC architecture PEP Object RAP Subject

    PDP PAP PIP • PEP for enforcement • PDP for decision • PAP for administration • PIP for information • RAP is for resource access • EPP is for event processing EPP operation @jcchavezs | #IstioCon

11. Object DAG Subject DAG How fine-grained? @jcchavezs | #IstioCon RBAC

    Backend Instance 1 Instance 2 SRE Piotr Lance US Location EU US EU {r} {r,w} {*} Frontend Instance 3 Instance 4 Topology

12. Can Lance access Instance 1? @jcchavezs | #IstioCon RBAC Backend

    Instance 1 Instance 2 SRE Piotr Lance Frontend Instance 3 Instance 4 Topology US Location EU US EU {r} {r,w} Location Yes {r} RBAC Yes {r,w} Conclusion Yes {r} {*} Object DAG Subject DAG

13. Can Instance 4 reach Instance 1? @jcchavezs | #IstioCon {r}

    {r,w} {*} RBAC Backend Instance 1 Instance 2 SRE Piotr Lance Frontend Instance 3 Instance 4 Topology US Location EU US EU Topology Yes {*} Location No Conclusion No Object DAG Subject DAG

14. • Overlay access policies on top of an existing representation

    of the world, provided by the user. • Scales linearly: roughly, O(|user attributes| + |object attributes| + |associations|) or, the size of the subgraph for the user and object in question • It can be configured to allow or disallow access based not only on object attributes, but also on other conditions - time, location, etc. • It can evaluate and combine multiple policies in a single access decision, while keeping its linear time complexity. • Audit to see what objects are affected by a policy. • Explain why a particular access was allowed. Next Generation Access Control (NGAC) @jcchavezs | #IstioCon

15. NGAC comparison Pros Cons ABAC Flexibility Performance and auditability can

    be problematic due to the number of attributes and its combinations RBAC Simplicity • Role explosion • Fixed access rights • Challenges meeting regulatory requirements due to granularity and auditability. NGAC • High level of granularity • Auditability • Flexibility • Combined access policies On early stages it needs more high level APIs to help users maintain the graph. @jcchavezs | #IstioCon

16. • ABAC is a natural fit for the class of

    cloud-native applications whose design is based on microservices due to its flexibility and also because it empowers owners to create their own policies. • Being able to understand an access decision in a human readable way is crucial to understand access leaks, unsecure points and forensic research. • Performance is a key in access decisions as making decisions in the critical path could have huge impact in latency. Conclusions @jcchavezs | #IstioCon

17. • NIST 800-204B: Attribute-based Access Control for Microservices-based Applications Using

    a Service Mesh - Chandramouli, Butcher, Chetal • Imposing Fine-grain Next Generation Access Control over Database Queries - Ferraiolo, Gavrila, Katwala & Roberts • Why you should use choose NGAC as your Access Control model • Linear Time Algorithms to Restrict Insider Access using Multi- Policy Access Control Systems - Mell, Shook, Harang & Gavrila References @jcchavezs | #IstioCon

18. Fine-Grained Policies are back with NGAC José Carlos Chávez Sept

    25, 2023 @jcchavezs | #IstioCon