No content

José Carlos Chávez Sept 25, 2023 Fine-Grained Policies RBAC with NGAC @jcchavezs | #IstioCon

Fine-Grained Policies are back with NGAC @jcchavezs | #IstioCon José Carlos Chávez Sept 25, 2023

José Carlos Chávez SOFTWARE ENGINEER @ TETRATE • Open source enthusiast • OWASP Coraza Co-leader • Zipkin core member • Loving father About me @jcchavezs | #IstioCon

Access control is an essential element of security that determines who is allowed to access certain data, apps, and resources—and in what circumstances. What is access control? - Security 101, Microsoft Access Control @jcchavezs | #IstioCon

• Make access decision func check(p Principal, op Operation, r Resource) bool • Manage access policies • Type of access policy • Policy API • Policy Language BONUS: • Explain access decisions func explain(p Principal, op Operation, r Resource) []Reason func whatAccess(p Principal) []ResourceAndOperations func whoAccess(r Resource) []PrincipalAndOperations Access Control: use cases @jcchavezs | #IstioCon

• Discretionary access control (DAC): every object has an owner, and owners grant access to users at their discretion. It provides case-by-case control over resources hence not scalable. • Mandatory access control (MAC): users are granted access in the form of a clearance. A central authority regulates access rights and organizes them into tiers, which uniformly expand in scope. Very common in government and military contexts where structures are static and rigid. • Role-based access control (RBAC): access rights are granted based on defined business functions (role), rather than individuals’ identity. Easy to understand and author policies rightly, hard to scale (e.g. role explosion). • Attribute-based access control (ABAC): access is granted flexibly based on a combination of attributes and environmental conditions, such as time and location. It is hard to understand and author policies rightly (permissions overlap) but easy to scale and model. Access Control: models @jcchavezs | #IstioCon

NGAC to the rescue @jcchavezs | #IstioCon Yay

Next Generation Access Control (NGAC) users user attributes objects object attributes policy classes Created by NIST. NGAC takes the approach of modeling access decision data as a directed acyclic graph. - Users/Subjects - Objects - User/subject attributes - Object attributes - Policy classes operations Source: https://thenewstack.io/why-you-should-choose-ngac-as-your-access-control-model @jcchavezs | #IstioCon

e.g. ext_authz, wasmplugin, etc NGAC architecture PEP Object RAP Subject PDP PAP PIP • PEP for enforcement • PDP for decision • PAP for administration • PIP for information • RAP is for resource access • EPP is for event processing EPP operation @jcchavezs | #IstioCon

Object DAG Subject DAG How fine-grained? @jcchavezs | #IstioCon RBAC Backend Instance 1 Instance 2 SRE Piotr Lance US Location EU US EU {r} {r,w} {*} Frontend Instance 3 Instance 4 Topology

Can Lance access Instance 1? @jcchavezs | #IstioCon RBAC Backend Instance 1 Instance 2 SRE Piotr Lance Frontend Instance 3 Instance 4 Topology US Location EU US EU {r} {r,w} Location Yes {r} RBAC Yes {r,w} Conclusion Yes {r} {*} Object DAG Subject DAG

Can Instance 4 reach Instance 1? @jcchavezs | #IstioCon {r} {r,w} {*} RBAC Backend Instance 1 Instance 2 SRE Piotr Lance Frontend Instance 3 Instance 4 Topology US Location EU US EU Topology Yes {*} Location No Conclusion No Object DAG Subject DAG

• Overlay access policies on top of an existing representation of the world, provided by the user. • Scales linearly: roughly, O(|user attributes| + |object attributes| + |associations|) or, the size of the subgraph for the user and object in question • It can be configured to allow or disallow access based not only on object attributes, but also on other conditions - time, location, etc. • It can evaluate and combine multiple policies in a single access decision, while keeping its linear time complexity. • Audit to see what objects are affected by a policy. • Explain why a particular access was allowed. Next Generation Access Control (NGAC) @jcchavezs | #IstioCon

NGAC comparison Pros Cons ABAC Flexibility Performance and auditability can be problematic due to the number of attributes and its combinations RBAC Simplicity ● Role explosion ● Fixed access rights ● Challenges meeting regulatory requirements due to granularity and auditability. NGAC ● High level of granularity ● Auditability ● Flexibility ● Combined access policies On early stages it needs more high level APIs to help users maintain the graph. @jcchavezs | #IstioCon

• ABAC is a natural fit for the class of cloud-native applications whose design is based on microservices due to its flexibility and also because it empowers owners to create their own policies. • Being able to understand an access decision in a human readable way is crucial to understand access leaks, unsecure points and forensic research. • Performance is a key in access decisions as making decisions in the critical path could have huge impact in latency. Conclusions @jcchavezs | #IstioCon

• NIST 800-204B: Attribute-based Access Control for Microservices-based Applications Using a Service Mesh - Chandramouli, Butcher, Chetal • Imposing Fine-grain Next Generation Access Control over Database Queries - Ferraiolo, Gavrila, Katwala & Roberts • Why you should use choose NGAC as your Access Control model • Linear Time Algorithms to Restrict Insider Access using Multi- Policy Access Control Systems - Mell, Shook, Harang & Gavrila References @jcchavezs | #IstioCon

Fine-Grained Policies are back with NGAC José Carlos Chávez Sept 25, 2023 @jcchavezs | #IstioCon