Attribute Based Access Control Framework for IoT - Jayson DeLancey, GE Digital

Captions
My name is Jayson DeLancey. I am a developer evangelist with GE Digital; it's a small Silicon Valley startup. And so, going from Thomas Edison to Jeffrey Immelt: I don't know if you guys are familiar with him, but he is the CEO and chairman of General Electric, and last year he was quoted as saying that we hire between four and five thousand college grads every year, and whether they join in finance or IT or marketing, they're going to code. I think this quote speaks to me for a couple of reasons. One, technically speaking I'm in marketing: my background is in software development, but now as a developer evangelist I am in more of a marketing type of role. But also, as an undergrad at college I went to a school where everybody had to take intro to programming; English majors took intro to programming. And I think this is very relevant for where GE is and where GE is going, because not everyone comes from a traditional software engineering background. I'm interacting a lot of times with a material science engineer, an electrical engineer, a mechanical engineer, someone who's in IT, or a data scientist who maybe hasn't been developing web applications for the last 20 years. So they don't have a good grounding in, you know, now that they're writing code, they haven't had to deal with security flaws or other exploits and things like that. And so knowing that people who are getting involved come from this sort of background can be kind of important.

So today I'm going to kind of walk through a particular project that we've been working on at GE Digital. First I'm going to try to answer, so these are the rhetorical questions for the first part of the presentation, vision: why was ACS created? So ACS is what we call our access control service. I don't know if anyone else is still paying student loans, but it's a very different thing, ACS. But also I'm going to try a little bit more about the vision and why it's important or how it's being used at GE. Then I'm going to go into sort of the history of, okay, now that we understand what the problem is, what is UAA, an acronym, what is OAuth, what does XACML mean, and what do they have to do with what I'm talking about? So I'll kind of go into some of that history as well, and then, from an understanding of the project, some introductory concepts: what are the subjects, what are resources, what is a policy when you're dealing with access control. So I'll dive into some of those and then try to get a little bit more into the usage of the tool. It's a service, so how do you create that service for yourself, how do you create policies, how do you control access to an application? So we really are looking at the application layer, RESTful services, how to control access, especially in the IoT space. And then I'll kind of start looking a little bit more at the source and try to explain how it all fits together, how it was built, and where you can find the code if you're interested or find out more about the project.

Some things that I won't be talking about: I'm not going to dive too deeply into authentication or encryption; it's not necessarily my background. So SSL, TLS, SSO, I may mention some of these things, but I'm not going to talk about it too much. Identity federation. Mr. Robot is not part of my talk, but if you want to start talking about season two, maybe. Intrusion detection, multi-tenancy, important concepts; blockchain and how that's being used; security for devices and industrial control systems. I'm not going to go too deep into those things, although those are all part of the bigger picture.

So, making sure that we're sort of level-set on some of the terms: authentication, authorization. Of course we've probably heard these many times, but again, authentication: are you who you say you are? I am a GE employee, or I'm an attendee of this conference; I have a badge; I can prove who I am to a certain extent. And are you allowed to do that? That's the authorization concern that I'm going to be focusing a little bit more on, which is: I am a GE employee, we've already established my identity, now allow me to enter the building. And so I think when we look at a lot of applications you might see very simple logic: if user is employee, show the employee entrance, else show them to the visitor lobby, right? If you have a web application, if you're an administrator, allow you to go in and modify devices and configure their properties; if you're not an administrator you just get a regular dashboard. And so that would be a very simplistic access model, but in industrial Internet of Things cases it gets a little bit more complex.

So there's a commercial with, oh, and what does GE do? We're involved with a lot of different businesses. So wind turbines: when we're talking about Internet of Things, the thing that we're talking about is not necessarily a thermostat but a big piece of heavy equipment. A jet engine. Manufacturing plants and how to automate the production of individual things. MRI machines, so healthcare; there's lots of healthcare use cases. Transportation: a locomotive is a rolling data center with a lot of sensors and information about how it's operating. Smart cities: entire cities, and every street light in that city can be equipped with sensors gathering data, and there have been pilot projects about this. So those are the things that we're talking about. Power generation: hydroelectric plants, nuclear power, coal power; there are GE businesses that focus on those areas and develop software to help manage those applications. And light bulbs.

So another, again, level-set: complicated versus complex. Complicated might be a system with a high level of difficulty, you know, store the user credentials and a token using a base64 encoding scheme, transferred over a TLS connection. And with this being Embedded Linux Conference, there's a lot of very complicated and interesting technology to explore and understand. But on the other side there's complex: a system that has many components, and how you manage that complexity. So: allow GE field engineers, or a subcontractor who has electrical engineers, read access to the data coming out of that wind turbine, using this piece of software that was developed by an integration service provider, at a particular customer's location, during weekdays, except for their one location in Springfield where that contractor is doing a pilot program, so therefore he has write access, but only for the next six months. That's a little bit more complex. Everything there individually is pretty simple, but taking it all together you have a lot of complexity to manage. And then, last week was Valentine's Day, but relationships are complex. So again, this is sort of this notion that you have a partner application, a customer facility; at that customer facility you have another company's product, you have a GE product; that other company's product is actually using a different GE business's part, whereas the GE product has a GE part, and another manufacturer has produced parts that go into that. There was an interesting article that came out over the weekend, I think it was Business Insider, about airplanes manufactured by Boeing, and it was sort of a response of, Boeing, it's made in America, and it shows where all of the different parts and components come from. So if you flew here from somewhere other than Portland, you probably flew on a plane, and when you think about that airline and all the different companies that are involved with the manufacture, with the servicing, the operations, all the software, the regulations that go into it, there are a lot of people that have hands in this access control problem.

Okay, so now if that is the problem we're trying to solve, how did we come up with this project? Well, first we started looking at Cloud Foundry as the basis for our platform, and just to get a temperature reading, how many of you are familiar with Cloud Foundry? You can give me an applause or you can raise your hand, whichever you prefer. Okay, so a few people maybe have heard about Cloud Foundry. One component of that architecture is UAA; it is the User Account and Authentication service. So what that service provides is authentication, identity management for platform-as-a-service. This is a layer on top of your infrastructure managing lots of data centers, whether it's on-premise, whether it's equipment, whether it's AWS, your Google Cloud, and so on. In addition it is an OAuth2 authorization server; it's an implementation of the OAuth2 standard, supports SAML SSO authentication, SCIM-based identity management, and it is open source, and that is very important for GE. In particular it is the basis of one of our key platforms where I'm involved, called Predix, but it allows us to also look at and inspect what's going on.

Now there were a couple of problems. While we use UAA, and we like OAuth in particular, there are a few issues that we ran into when we deal with those complex relationships that I was talking about before. For one, the scope-based privileges are very coarse-grained. So if we go back to that pseudocode example, and if we're just making one very simple, are you an admin or not an admin, that's not so hard, that's very coarse-grained; OAuth can support that. But when we have all these nuances, or data striping, very specific, you have access to this asset but not that asset within one service, it starts getting a little bit more complicated. The other thing with OAuth is that the scope is tightly coupled to that access token. So, you know, here's my ticket for TriMet that got me here, but if I drop it and someone else picks it up, they're able to make use of that access token. So this works okay with OAuth because it's over TLS, we understand things, but we're talking about devices with very different communication protocols; it can get a little bit more complicated. The other issue with that is that that access token, during its lifetime until it expires, whatever privileges have been granted to the token are there. So if we have time-based or hour-based, or changes being made to access policy in real time, with this access token you have to force the user to log out and log back in in order for some of those changes to take effect; you cannot efficiently make access control decisions per request. The other issue is, when you think about identity management at scale in the cloud, there are a lot of different companies that have federated identity, so if you had to reach out to that identity server at one location, it may not be fortunate enough to be co-located with whatever applications you're running that need access to that data. And there are additionally constraints on the token size, so if you have a very complex relationship like I was discussing, lots of different attributes that might identify what a person is, what resources, what a device is, you exceed that token size. And so that again makes it not necessarily something that was a solution for our problem.

So what about XACML? So this is another standard; it's the eXtensible Access Control Markup Language. So on the surface it sounds like exactly what we were looking for, but there are a few things with it. One, the policy specifications are done in XML, and we're working with a lot of RESTful services and JSON, many different programming languages, so there are some complications with that; it can be difficult to understand. And the implementations that were out there, and I don't know if this is still true, different vendors provide access to it, but they could be expensive to license and make use of. The code for conditions, when you're defining your policy, you're writing source code within XML, and again from a developer experience standpoint it was a little bit complicated, a little difficult to understand; it wasn't quite what we were looking for.

And so that kind of brings us to the concept: what is the concept of ACS, what is this all about, what problem are we trying to solve? So we start with a few high-level system requirements, one being a consistent and reusable solution that's decoupled from the application. So if we go back to my "if you're an administrator" example or "if you're an employee" example: if you have many, many different services, many, many different applications, many, many different facilities, having that implementation, even if it's just that simple if-else statement, everywhere, if you need to make that change, you kind of want to decouple that logic from that application. Having a consistent way to define those policies, so that you can go to an authority that says this is the access control policy for this set of devices, or this is the access control policy for this set of applications, for this set of users, can be very beneficial. Having a shareable and distributed privilege, or, it's pretty much the same point. So one reason this also becomes important is the trend toward microservices, small standalone services that serve a single function; so it's sort of your pendulum swinging from the other side of having the big monolithic applications to having a lot of services to solve one particular problem. So let's decouple that access control problem from them, which also gives us a certain amount of language independence. So all those brand-new developers, people who don't have a computer science background, are now writing services implementing security procedures for devices or applications; some of them are in Python, some of them are in Go, some of them in Java. So having some independence by having a RESTful service layer is beneficial, and we can do that by having a service contract, right, so that there's an expectation of what access control should be able to do, and being able to talk to those.

So the ACS feature set: we're talking about attribute management, and there are a number of features within that, hierarchical attributes, scoped attributes, and attribute connectors, where do you get those attributes from in the very first place; as well as policy management, how do you evaluate whether a policy should allow someone access to a system or not; as well as having multiple policy sets at the same time, so that some domain experts may understand some of the policies but not others, and being able to fold those together.

So some of the core components of ACS. There's this notion of a subject, so that's your entity representing a user, or a device potentially; it has a configurable set of attributes, and the things that you might think about there is an identity, maybe that's a URI that's a reference to an OAuth identity, again solving the authentication problem but not necessarily the authorization problem for some of these applications; maybe I know what organization or department or role, or any number of discoverable attributes for a particular subject or device. Then you have the resource; a device can be on this side of the equation as well, so in that case we're talking about machine to machine, but a resource represents that configurable set of attributes of interest for the thing that you're operating on. We tend to call them assets, but it could be a service, a RESTful endpoint as well that's representing that asset: are you allowed to operate on that resource? And then if you are allowed to operate on it, what exactly are you able to do? These actions match pretty cleanly to RESTful verbs: GET to read something, to write something, to create something, to remove something, but there's also support for other operations, PATCH, SUBSCRIBE, messaging. And again this is basically because this is an access control system for RESTful endpoints, and those RESTful services are the common vocabulary. And then the policies themselves, so you have a policy evaluation engine that's maintaining rules to compare these attributes of the subject and resources to determine whether the user is permitted, so you have to define conditions, and then the decision: do I allow or deny access?

So to make this very concrete, and really, you know, users of an application, right: so the user in this case is the subject, and we can say, hey, they have a role and they have a location; those are attributes of the subject, right? So this is like a requirement for an application that somebody might be developing. The asset in this case is some physical thing, maybe it's a wind turbine, maybe it's a commercial application or in a manufacturing plant, and then that too has some attributes: that's manufactured, it has a location, and maybe there are exceptions, not Oregon, or maybe it's just not any other state. And that is all for the application policy. In this case I just mentioned APM; it is one of the GE software products, for application performance monitoring, so it's something that's used for monitoring lots of assets. And so what this request/response looks like over HTTP: you have your app that says, hey, I have user 123, he wants to GET asset 456. So there's a subject, there's an action, there's a resource that comes in as a request. So ACS will say, okay, can I discover what attributes I can about that subject and that resource, and then evaluate it against a policy for that resource, and then send back a response. And so in this response we see that, okay, we've made a decision that the subject has allowed permission to use that application, and along the way we've found out a few things about that subject and we found a few things out about the resource. So the application can make use of those attributes; they are basically cached for its usage; however, the application didn't have to implicitly know much about how to find out about those things.

So one thing that does come up with this is again when you start getting into some of those complex relationships. So let's say a user, Jayson DeLancey, so that's me: I'm an evangelist with GE Digital, so I have a role, and maybe that role has an attribute, hey, grant access to a report, like for asset performance. So that means when that set of attributes is returned for me as a subject, it'll include "report: asset performance". Because I'm part of the group GE Digital I'm also allowed to use this application; I'm also part of an organization, and that grants me access to the application, and because I'm in that organization it's inheriting that attribute to pass it through; I'm also part of a tenant, giving me access to certain sets of services. That all seems pretty straightforward. So, scoped inheritance: taking sort of that same picture but then adding in some constraints, but only if the site is California. So when this is evaluated, it's basically taking away access to that asset performance report when I'm in a different location. Okay, so those are the basic concepts of the project.

So what does the usage look like, or how would you use this thing, for people who are trying to solve similar access control problems in applications? So just for simplicity, I run in a Docker environment with Cloud Foundry. So in the way ACS is currently set up, it is partnered with UAA for that identity management piece; it doesn't have identity management or authentication included in it. So I just have a Docker container I used to pull in some of those dependencies, and because I didn't want to tempt the demo gods, I am just logging in to the Predix cloud to get access to this. You can pull it down and run all of these things, because it is open source, but getting Cloud Foundry up and running, getting UAA configured, can be a little bit of work. There's some documentation about how to do that, not necessarily through ACS itself, but ACS is designed to run on that platform. So I'm just using our cloud instance, which allows me to create the service and get some details about it. So in this case what I was interested in is: what is the URL, how do I get to ACS, do I have permission to get to ACS, and what is the scope of that running instance. So here, this is my example where I was running it up in the cloud. If you're running it locally, it is, spoiler, a Spring Boot application, so if you pull the source code down from GitHub you can just do a Gradle run and bring up a localhost instance, but you do need that UAA piece. So if you were to inspect either your local instance, with UAA running under BOSH Lite, or something out in the cloud as your identity management, you get a token, a bearer token; it has a set of scopes, and when I was talking about access control before, these are examples of those coarse-grained scopes: does that particular user have access to read and write policies, does a user or a client have access to read and write attributes. And so this is really talking about whatever application or service is being written, whether or not it's even allowed to talk to ACS at all, because you don't want anyone to be able to go in and modify those access control policies.

The API, there is some documentation online and in the GitHub project about it, but basically it is just resource and subject when defining your attributes. So I'm doing these with just some RESTful, or some straight, calls, again not having a strong opinion on whether you're developing the application in Python or in Go or Java, so just to have a common language here. But basically the headers include that access token from OAuth saying, yes, I'm allowed to talk to ACS, and I just want to PUT or create a new role, evangelist. So ACS is a framework for handling these policies and these attribute definitions; it doesn't have a strong opinion about how you go about it. While role-based access control makes a lot of sense, for devices and assets and resources a lot of that becomes a decision point for someone, how they want to manage their information, and some of the connectors I'll talk about make it a little bit easier. But so one of these requests might look like having a subject identifier, evangelist, and some attributes, which is basically just a key-value pair; it's a list, but in this case just defining a role as evangelist, and that issuer is the trusted authority on where this data can come from. So now that I have that role defined I can also set up an inheritance relationship: I'm creating a user for myself and specifying some additional attributes like a location, so now I know my location and I know what my role is for this particular subject. On the other side you can do the same thing for resources. So if I'm creating some location, California, it's just a key-value pair, and then we can start defining our assets, and how you get to this, again this is sort of the low-level; how you scale this up is a separate problem. But when you're looking at a particular asset, let's say asset 12, it has a location, and then maybe I create asset 13 where I have not specified a location; maybe that's Oregon, maybe it's somewhere else.

So this is where we start then getting into the policy specifications. So there are, like I said, a lot of similarities to XACML in terms of the concepts, but this is the JSON specification for how to define a particular policy set. So I've given it a name, just sort of the default that evangelists can access assets; that just seems like a good thing to have. And we can see that the action there is GET; it's whether or not I'm able to read. So the resource, you know, so that's a name, an asset, and a URI template; so this is how, scaling up the number of attributes and assets you have to define, there's basically just a pattern match on the URI template. And then we look at the subject as well; in this case I have a role. And then the condition: so what does the condition mean? So there can be a number of conditions that all would be evaluated. In this case we're talking about, hey, let's make sure that whoever is trying to access this is an evangelist, and the condition is specified as basically a lambda function in Groovy: so match a single instance of the attribute from this issuer, look up that role for that subject, and compare it to evangelist, and if they match then this condition is met and they are granted access, so they have that effect of permitting access to the system. So I kind of hinted there that Groovy is the thing powering those conditions. So it's very domain-specific, in that they're subject attributes, resource attributes, split, equals, size; so effectively, using the abstract syntax tree, only particular methods have been approved, so that you can't necessarily go in and write a condition that's creating a brand-new class; you can't import other libraries or write methods. So there are some limitations to what you can do there, but for most conditionals, and, or, not, the type of things that we see in conditions for some of the industrial applications, this is sufficient in terms of a feature set. So what that then gets down to is now you're doing a POST to say, let's do an evaluation of this policy: can the subject GET this particular asset? And then return permitted or denied as appropriate.

So if we track this to the source, so how does this all work? So I kind of mentioned it is a Spring Boot application. The application is out on GitHub, it's github.com/predix/acs, if you want to look at the source code; there are a lot of JSON template examples and everything there. And a lot of my examples here, I went down to the REST call layer, or what the actual protocol exchange is, because I didn't talk about a particular client library, but ACS does actually have a Spring Security extension as well. So if you are working in Java and you want to use ACS, you can download the GitHub repository, wire it up to Cloud Foundry, and write any applications using those security extensions that just handle a lot of those requests for creating resources, creating subjects, and everything. So Java and Groovy are a big part of this implementation. Because of that relationship, that hierarchy, as you might expect there is a graph database, so for the current implementation it is based off of Titan DB; it uses Apache Cassandra for storage, and TinkerPop, using Gremlin as sort of the graph traversal language, to figure out what the policy evaluation would actually be. So if you were standing this up, these are some of the components that can be pulled down and configured to run ACS in development. So basically we are talking about a service that you can run on top of these databases, and I think Titan would allow you to configure other data stores here if you want to go in that direction. Caching becomes very important, so Redis is being used to cache a lot of these attributes. So I kind of hinted at these connectors; so it's again the idea that some of these attributes might come from your identity management system, they might come from a device manufacturer, there could be other data stores that have a lot of these attributes that can be discovered, and so there's a lot of effort in the source code around what are some caching policies, how do you decide when to fetch new attributes, but without having too big of a hit on performance, because if you're doing this access control with each request, where appropriate, there is some performance penalty in order to do that. The platform itself, as I kind of mentioned, is built on Cloud Foundry with UAA, and Jenkins for build; so if you go to the project you can find out a little bit more about some of those things.

And so that kind of leads to a little bit more of this: what is this open source story? So ACS is potentially interesting because it has been open-sourced under an Apache 2 license, so that's interesting from a GE perspective, that the source code is just made available. Cloud Foundry is another area where we make a lot of contributions. So as I said, my background is not necessarily, I'm not a cyber security professional, but we do have those folks who are the breakers. As another way to, I really like this notion that I happen to be on the maker side of things, but there's another personality type, the breakers, who are just really good at figuring out how to exploit a system or how it's not supposed to work. So we do have a lot of breakers that go in and look at UAA; because it is open source, they could kind of review the security behind how authorization and authentication work within UAA, for some of those coarse-grained security policies and identity management, and so there have been a number of times where we have discovered some of those vulnerabilities and provided patches back, and it's just not necessarily the story that's been well told in terms of what some of these contributions are. So within Cloud Foundry, because it's a platform-as-a-service, it was originally built around HTTP requests; WebSocket requests didn't really fit IoT as well as it could have, and so we actually had developers who worked on the gorouter to make it work properly for other protocols, MQTT and so on. Polymer, I don't know if anyone's familiar with Polymer, is a UI or web component framework; it's another example of some of the open-source projects that some of the development engineers are working on, as well as just involvement with a lot of the consortia, Industrial Internet Consortium, OpenFog, and so on. So I do want to highlight some of the committers to ACS; so again, github.com/predix/acs, you can kind of go through and see who some of the committers are, look at the code, look at a lot of the JSON examples, and everybody can get a flavor for how this goes. It really comes around to not necessarily needing to reinvent a wheel. We have a lot of GE businesses that are using ACS for managing their access; instead of going off and implementing their own authorization frameworks, they're able to adopt ACS. If those businesses find things, it's almost that inner-sourcing model, but by being open in the first place it's helped set some of the ideas around governance and commitments. And so that is ACS. If there are some questions I can take some questions, or I will be around for a little while and can give you a little bit more insight into ACS.

Yes, so that's usually done by the UAA portion, so that's the dependency: UAA talking to other federated identity management systems or other identity providers. Maybe that's not what you meant, though.

Yes, so in my example the issuer, so that would probably be UAA; so as you're putting data points, the subjects, into ACS you can link back to the UAA record for that person, which in turn is maybe speaking to some other identity provider.

Yeah, so in many cases we have another service, we call it the asset service, so that is a typical pattern that we have, at least for recording those entries. So part of the ACS project is this notion of connectors and being able to talk to some of these other repositories of resources. So I'm only familiar with the asset service because that's what we tend to use, but I think that's one of the strengths potentially of it being open source: if there are other resources that should have a connector to be able to discover some of those attributes, certainly that would be a welcome conversation.

All right, yes. Yeah, there have certainly been a lot of fans, yeah. Yeah, so the Predix UI that we're using for a lot of applications is based on Polymer, and so I think that's it again, it's another one of these that we haven't focused enough maybe on what that open-source, sorry, you know, there are lots of other companies that put out their open-source report cards and really focus on what those contributions are, but our IT organization, lots of organizations across GE that I'm not even aware of, on weekends are working on projects and doing lots of really good work. So Polymer is another example where we are actually, for some of our applications, building the UI on the framework and trying to work back with the Polymer team.

All right, sorry, I do tend to talk fast. Hopefully, oh yeah, this is a great question. I would put it definitely on the early stages side of things. So it is being used a lot within the GE applications; a lot of our businesses are making use of it, so that's why I say it's a little bit more on that inner-sourcing side of things. But because it's been released under an Apache 2 license, I think there is a goal of getting it out there and evangelizing it, to say, like, does everyone need to reinvent the same wheel? It's not that it's necessarily a super complicated problem, but dealing with some of that complexity and learning from some of our use cases can help contribute to that project and make it something that other people can use. And like I said, I'm wearing a Cloud Foundry shirt here, there's a relationship with the Cloud Foundry platform as well, where it does seem that a lot of people have these problems. If you have that very simple case of, are you an admin or not, you probably don't need it; it might be a little bit overkill in that case. But if you do have much more complex relationships, lots of assets, lots of devices, and trying to deal with all those things, then absolutely. Okay, no other questions.
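The subject/resource/policy evaluation the talk walks through (attributes with an issuer, hierarchical inheritance, scoped inheritance that only applies when the resource has site California, a URI-template match, a condition, and a permit/deny decision) is shown below as an added worked example. It is written for this page; it is not the ACS project's code and not the speaker's. The issuer URL, the attribute names, the asset identifiers, and the first-applicable policy ordering are assumptions, and the conditions are plain Python callables standing in for the restricted Groovy conditions the talk describes.

```python
"""Attribute-based access control in the style of the subject/resource/policy
model described in the talk. Example code written for this page; it is not the
ACS project's implementation. The issuer string, identifiers and the
first-applicable policy ordering are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

PERMIT, DENY = "PERMIT", "DENY"
ISSUER = "https://uaa.example.com"  # constructed trusted-authority string


@dataclass(frozen=True)
class Attribute:
    issuer: str   # who asserted the attribute (the talk: the trusted authority)
    name: str
    value: str


@dataclass
class Entity:
    """A subject or resource: its own attributes plus parents it inherits from.
    Each parent link carries an optional scope attribute; the parent's attributes
    are inherited only when the resource being accessed carries that scope
    attribute (the talk's scoped inheritance)."""
    identifier: str
    attributes: list = field(default_factory=list)
    parents: list = field(default_factory=list)  # [(Entity, Attribute or None)]


def effective_attributes(entity: Entity, context: frozenset, seen=None) -> frozenset:
    """Hierarchical inheritance: own attributes plus, scope permitting, every
    parent's attributes. `seen` guards against cycles in the inheritance graph."""
    seen = set() if seen is None else seen
    if entity.identifier in seen:
        return frozenset()
    seen.add(entity.identifier)
    attrs = set(entity.attributes)
    for parent, scope in entity.parents:
        if scope is not None and scope not in context:
            continue  # scoped link: the resource lacks the required attribute
        attrs |= effective_attributes(parent, context, seen)
    return frozenset(attrs)


def uri_matches(template: str, uri: str) -> bool:
    """URI template match: each {name} segment matches exactly one path segment."""
    literal = re.split(r"\{[^}]*\}", template)
    pattern = "[^/]+".join(re.escape(p) for p in literal)
    return re.fullmatch(pattern, uri) is not None


@dataclass
class Policy:
    name: str
    action: str          # HTTP verb, as in the talk
    uri_template: str
    condition: Callable[[frozenset, frozenset], bool]  # (subject attrs, resource attrs)
    effect: str = PERMIT


def has(attrs: frozenset, name: str, value: str, issuer: str = ISSUER) -> bool:
    return Attribute(issuer, name, value) in attrs


def evaluate(policies, subject, action, resource, uri):
    """Return (decision, subject attrs, resource attrs). Resource attributes are
    resolved first because they are the scope context for the subject. A policy
    applies when action and URI match and its condition holds; the first
    applicable policy wins, and no applicable policy means DENY."""
    res_attrs = effective_attributes(resource, frozenset())
    subj_attrs = effective_attributes(subject, res_attrs)
    for p in policies:
        if p.action != action or not uri_matches(p.uri_template, uri):
            continue
        if p.condition(subj_attrs, res_attrs):
            return p.effect, subj_attrs, res_attrs
    return DENY, subj_attrs, res_attrs


def build_example():
    """Constructed sample graph mirroring the talk's evangelist / California story."""
    california = Attribute(ISSUER, "site", "california")
    role = Entity("role/evangelist", [Attribute(ISSUER, "role", "evangelist")])
    group = Entity("group/ge-digital", [Attribute(ISSUER, "report", "asset-performance")])
    user = Entity("user/jayson", [Attribute(ISSUER, "location", "oregon")],
                  parents=[(role, None), (group, california)])  # report only in California
    asset_12 = Entity("asset/12", [california])
    asset_13 = Entity("asset/13")  # location never specified
    policies = [
        Policy("evangelists can read assets", "GET", "/assets/{id}",
               lambda s, r: has(s, "role", "evangelist")),
        Policy("report holders can read asset performance", "GET",
               "/assets/{id}/performance",
               lambda s, r: has(s, "report", "asset-performance")),
    ]
    return user, asset_12, asset_13, policies


def run_demo():
    """Decisions for a handful of requests; returns {request: decision}."""
    user, a12, a13, policies = build_example()
    checks = {
        "GET /assets/12": (user, "GET", a12, "/assets/12"),
        "GET /assets/12/performance": (user, "GET", a12, "/assets/12/performance"),
        "GET /assets/13/performance": (user, "GET", a13, "/assets/13/performance"),
        "PUT /assets/12": (user, "PUT", a12, "/assets/12"),
    }
    return {k: evaluate(policies, *v)[0] for k, v in checks.items()}


if __name__ == "__main__":
    for request, decision in run_demo().items():
        print(f"{request}: {decision}")
```

Two design points matter more than the data model. First, the decision is deny by default: a request that no policy covers is refused rather than falling through, which is what makes adding a new endpoint safe. Second, the resource's attributes are resolved before the subject's, because scoped inheritance is a property of the pair, not of the subject alone; the same user gets the report attribute against asset 12 and not against asset 13. The conditions here are trusted code inside the service; if policy conditions come from an API as in ACS, they must be confined to an allow-listed expression subset the way the talk describes for its Groovy conditions, since an unrestricted condition language is remote code execution in the policy decision point.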
Info
Channel: The Linux Foundation
Views: 2,107
Keywords: embedded linux conference, linux foundation, openiot summit, internet of things, linux, embedded linux
Id: r52Dp3Pevww
Length: 38min 49sec (2329 seconds)
Published: Tue Feb 28 2017