Download presentation
Presentation is loading. Please wait.
Published byBryan Dickerson Modified over 8 years ago
1
© 2014 The MITRE Corporation. All rights Reserved. Roger Westman Principal Information Security Engineer rwestman@mitre.org September 29, 2014 Authorization in Action Approved for Public Release; Distribution Unlimited 14-3233 The views, opinions and/or findings contained in this presentation are those of The MITRE Corporation and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.
2
© 2014 The MITRE Corporation. All rights Reserved. Purpose and Constraints ■Purpose –Provide lessons learned from our experience ■Constraints –This presentation reflects our operational experience –Your environment may have different or additional needs 2
3
© 2014 The MITRE Corporation. All rights Reserved. Evolution of Identity and Access Management (Our Viewpoint) 3
4
© 2014 The MITRE Corporation. All rights Reserved. High Level Logical Architecture 4
5
© 2014 The MITRE Corporation. All rights Reserved. Need Improved Technical Capabilities and Cultural Evolution ■Content Aware, Context Aware, and Risk Aware Decisions are intertwined ■Risk Adaptive Access Control (RAdAC) is a good starting point See NIST for more details ■A Key Challenge: Formal but agile organization governance for lifecycle management for business based and IT implemented decision logic –It’s an organizational governance challenge, more complex than the IT governance challenge –Example policy: Allow user U to access (i.e., view but not download or modify) ■If it is Data Y (but not Y1) from device A (but not A1) when the user is operating from environment B1 over network C (but not CX) when conditions 1 … N are satisfied ■Deny any user access even if above is true when in business operational mode M1 ■Allow access for user U7 even if above is false when in business operational mode M0, M2, … MN 5
6
© 2014 The MITRE Corporation. All rights Reserved. Best Practices ■Partner with your internal stakeholders –It is a team sport ■Know your –Stakeholders’ expectations and organizational culture –Set of business access control policies –Set of attributes/entitlements –Business and Technical dependencies –Normal, level of degradation, and fail safes modes of operation ■Standardize and harmonize where practical –Understanding, adopting, and/or developing the right standards and specifications –Loose coupling, high internal cohesion are key principles ■One size does not fit all ■Enjoy the journey because it never ends! 6
7
© 2014 The MITRE Corporation. All rights Reserved. Contact Information and Questions ■Roger Westman –rwestman@mitre.org 7 ?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.