Tuesday, February 22, 2011


Part One: Insurance Authorization Scenarios with Gerry Gebel

In my past role of Chief Security Architect for The Hartford, I used to have deep, extensive conversations with Gerry Gebel, former Gartner Analyst and now head of Axiomatics. Recently, we had a dialog on applying XACML in an industry vertical context. For readers new to XACML, you can find some additional information elsewhere on this blog as well as at www.axiomatics.com. Below is a transcript of our conversation…

JM: Let’s dive into three different scenarios using examples from insurance where making proper authorization decisions is vital and understand how XACML can provide value.

GG: That sounds great James, thanks for bringing up these industry specific examples so we can have a discussion of XACML based systems in that context.

Let’s jump into the first scenario. An independent insurance agent will do business with an insurance carrier through a variety of channels. One method is to visit the carrier’s website that is dedicated to independent insurance agents. The carrier may use web access management (WAM) products for providing security to the website. Another method may be to conduct transactions from their agency management system that either is installed in their data center (large agencies) or hosted in a SaaS manner (small agencies). The agency management system may create XML-based transactions that are sent to the carrier’s XML gateway for processing. Another method still would be for the agent to conduct a transaction via telephone using interactive voice response (IVR) systems.

In all three scenarios, the independent insurance agent may execute transactions such as requesting a quote where it is vital not only that any one individual channel remain secure, but that all the channels through the lens of business security have the same security semantics.

GG: First, I will not address the authentication challenge across these multiple channels and will focus on authorization only. With an XACML-based system, you can indeed implement and enforce the same policies across multiple channels. In the example you cite above, here is where the policy enforcement points (PEPs) would be inserted:
  1. Web access management tier: At this level, let the WAM system do what it does best – manage authentication and the user session. For authorization, WAM integration with an XACML PDP can be implemented in multiple ways. For example, the WAM policy server can call out to the PDP (act like a PEP) or an XACML specific PEP can be installed at the application (website) to handle authorizations.

  2. Agency management system: If the on-premises AMS and SaaS AMS are both accessed via an XML gateway, then the gateway acts as the PEP and enforces policies that are evaluated by the PDP. XML gateways are a great way to secure web services because most (all?) of them support the SAML profile for XACML or can integrate with an XACML vendor’s API.

  3. IVR system: This one could be a bit trickier, but the idea is that a PEP can be built for most any environment. If the IVR vendor permits it, then a Java or .NET PEP can be developed pretty quickly to connect with an XACML PDP.

There are many deployment options for where PDPs are installed or policies are managed, but the bottom line is that resources accessed through multiple channels can be protected by a common set of policies and authorization infrastructure.

JM: The IVR scenario is just one example of authorization issues that occur in a telephony environment. In the investment community there is the notion of a “Chinese Wall”, where an investment firm, for regulatory reasons, may need to prevent phone conversations between individuals in different departments, such as preventing an employee working on mergers and acquisitions from sharing non-public information with those in the trading department.

GG: Integrating XACML across a variety of channels is also done at banks – employee accounts are marked as such to enforce access policies, provide employee discounts, etc. Integrating XACML isn’t just valuable for web sites, web services and IVRs but can work with instant messaging applications, trading turrets and email to support the concept of Chinese Walls or other regulatory considerations.

JM: Let’s look at another scenario. A large insurance broker may employ hundreds of insurance agents that interact with multiple insurance carriers on a daily basis. From a financial perspective, the broker would like for the insurance carriers to provide up-to-the-minute details on commissions from selling insurance products. The challenge is that the insurance carrier may need to understand the organizational structure of the insurance broker so as to not provide information to the wrong person. For example, one insurance broker may organize by regions (e.g. north, south, east, west) while another may organize around size of customer (e.g. large, medium, small) while another still may organize around the types of products sold (e.g. personal, commercial, wealth management, etc.). In this scenario, the broker may want the managers of each region to see only their own information, but not that of their peers in other regions.

The requirement of an insurance broker to dynamically describe, at runtime, its authorization model to a foreign system becomes vital to conducting business.

GG: The flexibility of an attribute based access control (ABAC) model, such as the XACML policy language, is very useful in this scenario. From the insurance carrier perspective, it is quite easy to represent the various policies that need to be implemented for each broker. In XACML, attributes are defined in four categories (you can also define additional categories): subject, action, resource, and environment. For the broker organized by region, information such as north, south, etc. is passed as subject attributes. Data such as <large customer> or <commercial> is passed as resource attributes to the PDP (either via the PEP or through the PIP interface). The carrier’s PDP will evaluate requests based on its defined policies to determine whether access is permitted or denied. Further, the PDP can also send an obligation back to the PEP with the decision – read access to the commission report is granted, but redact sections 2, 5 and 8.

JM: The ability to make authorization decisions in the above scenario requires the ability to describe an organizational structure. This scenario not only applies to the carrier-to-agency relationship but could be equally applicable for internal applications such as procurement, where you may have a rule that someone two job grades above you must approve all expenses. Could you describe in more detail how XACML can support hierarchical constructs?

GG: To answer the question it’s important to use the right resource model (from the hierarchical resource profile). If the hierarchy is represented using “ancestor attributes” (§2.3), then there won’t be enough information to identify the manager two levels up. What is needed is a richer hierarchical model, e.g. using XML documents (§2.1), URIs (§2.2) or a slight modification of §2.3 to add an attribute that explicitly identifies a “grandparent” resource (or manager).

If the hierarchy is represented using an XML document, then the policy would use an AttributeSelector with an XPath expression that can easily pick a node two levels above any other. The same goes for an ‘n’ degree relation where ‘n’ is a constant known at policy-authoring time. If the degree ‘n’ is dynamically provided in the form of some XACML attribute, then this might be harder to achieve and the individual case would have to be analyzed before coming up with a recommendation.

In practice, it may not suffice to simply use the base hierarchical resource profile. Other solutions may be needed – for example, using richer PIPs that massage the information into a format that facilitates policy authoring. [1]

JM: Let’s look at the scenario of an independent insurance agent and how they may access a given insurance carrier’s claims administration systems. The carrier may have an authorization rule that states any agent can access information for all policyholders for which they are the agent of record.

Taking this one step further, when an insurance agent purchases workers’ compensation insurance for their own business, without the right authorization model they may end up with conflicting access rights if the agent is in the role of both agent and policyholder. When an otherwise authorized employee of the agency needs to file a workers’ compensation claim for themselves, other employees of the agency should not be able to view the claims of their coworker.

GG: This scenario can also be modeled in XACML policy provided that all the necessary attributes are available. To turn your example around 180 degrees, when an agency employee views the status of their own workers’ compensation claim, they should only be able to see their own records and not the records of fellow employees. Of course, in performing normal work tasks, agency employees should also see any client records that they would otherwise have access to. Ideally, workers’ compensation claim records should be tagged with an additional attribute to indicate the claim is for an agency employee as opposed to a claim from a customer.

JM: A big challenge in getting this right is to make sure that you modeled identity correctly. Historically, many systems would have modeled an agent, an employee policyholder and a claimant as distinct entities. Today, we have to think about them more as personas or roles that are more dynamic in their usage. The party model would be a better modeling approach in this regard.

GG: Ideally, if your system has a proper identity model, then implementing sound authorization models becomes easy. On the chance that your identity model is less normalized, you can use the PIP interface to accomplish the same goal of first detecting whether two distinct entities are the same. For example, a request may come into the PDP only containing the employee ID attribute, but the PDP recognizes that it must look up additional attributes before evaluating the policy. The employee ID can be used as the index to look up additional attributes on the user, possibly the SSN, department number, cost center, etc. in a directory or HR database.

Stay tuned for part two…

[1] Thanks to my colleague Pablo Giambiagi for providing input to this question
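As an added illustration that is not part of the conversation above or of any Axiomatics product, here is a constructed XACML 3.0 policy for the last two scenarios: the agent of record may read a policyholder's records, but a claim record tagged as an agency employee's own workers' compensation claim is visible to that employee only, even to the agent of record. The urn:example:resource:* attribute identifiers and the "agency-employee" tag value are assumptions; all other identifiers are standard XACML 3.0.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:carrier:claims-access" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <!-- Rule 1: a record tagged as an agency-employee claim is hidden from everyone but the
       claimant. Deny-overrides makes this beat Rule 2 even for the agent of record (the
       coworker case). A missing claimant-id yields Indeterminate, never Permit. -->
  <Rule RuleId="deny-coworker-employee-claims" Effect="Deny">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agency-employee</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:example:resource:claim-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:example:resource:claimant-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Rule 2: permit when the requester is the agent of record or the claimant. Both resource
       attributes are optional; an absent one simply contributes an empty bag to the union. -->
  <Rule RuleId="permit-agent-of-record-or-claimant" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-union">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:example:resource:agent-of-record" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:example:resource:claimant-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

The PEP (web site, XML gateway or IVR adapter) only needs to supply subject-id; the resource attributes can come from the claims system through the PIP interface, which is what lets the same policy serve every channel.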


Thursday, February 03, 2011


The Hartford: Breakthrough to Excellence

The phrase "breakthrough to excellence" was the mantra waxed loquaciously throughout the corridors of The Hartford in 2010 and was a call for the employees in P&C IT to take personal accountability for making IT better. In reflecting on my experiences, I think there was one fatal, time-proven mistake that employees of the Hartford should noodle...

Have you ever been to one of those leadership seminars conducted by a motivational speaker? Notice how after you leave, you feel energized and your head is on cloud nine, where you feel you can conquer the world? Have you ever noticed that motivational speeches tend to have only a short lifespan and that after a few months things return to the status quo?

The Hartford didn't make this money-wasting mistake and pursued Cruxpoint training, whereby the goal was less of a float-your-boat exercise and felt more like an intervention, where people were broken down in an almost militaristic basic-training model (emotionally speaking) in hopes that they would reset their perspectives.

Human nature typically can rationalize otherwise broken and dysfunctional behavior where organizations continue to operate in a suboptimal manner. Of course, the first step is in realizing your culture is broken, only then can real progress towards excellence become possible.

As a student of the human aspects of technology, I understand that no form of change can be successful without accounting for the fundamental dynamics of human needs. Are you familiar with Maslow's hierarchy of needs? The single must-be-present ingredient within the human mind, and in successful organizational change, is safety.

The majority of IT professionals define themselves - at least in part - by what they do professionally and therefore changing what they do gets deep into the matter of personal definition.

The human mind by nature is resistant to change and can stimulate thoughts of hiding, hostility, vituperation and otherwise destructive actions. One has to acknowledge that against all of this, managerial coercion is simply no match. You can't make change happen, but can only help it along.

Change always implies abandonment. What you're abandoning is an old way of doing things. Management needs to understand that you are asking for change that requires people to abandon their mastery of the familiar and to become novices once again.

We all have read Dilbert and can identify with the fact that the pointy-haired boss in many ways resembles our own. Yet, how many of us have come to the conclusion that maybe the problem isn't the boss but Dilbert himself? Ever notice how Dilbert never pushes back, never puts his job on the line in order for the right thing to happen, and is otherwise passive-aggressive?

For those who do not have enough constitution to stop caring whether they get fired, or who do not choose to proactively stand for higher principles, the fear for their own safety will always be an impediment to meaningful change.

Even for those who have overcome this hurdle, there is an even more insidious kind of fear than just losing your job that interferes with change, and this is the fear of mockery. If you want to make change initiatives flame out, then allow the mockery of people as they struggle with the new, unfamiliar methods you just forced upon them.

Sticks and stones will break my bones, but names will never hurt me. Nothing could be further from the truth. Managerial tantrums, exasperation and eye-rolling are the true enemies of meaningful personal change. To make an organization change receptive, savagely eliminate all forms of disrespect from the culture and replace them with a clearly felt sense that people at all levels are to be honored for the struggle they've been willing to take on.

During periods of great change, every failure and setback has to feel like a treasure (a gift) and that each and every person who fails is a hero and the spine/nervous system of the effort to improve.

In closing, I need for my peers at The Hartford to acknowledge and embrace that failure gains that person more respect, not less...


Tuesday, February 01, 2011


Thoughts on Leadership and Followership in Corporate America

Over the last seven years of blogging, I have been careful not to use the words leadership and management interchangeably, unlike many in large enterprises, and have always stated that leadership requires followership and not just abstract authority. Today, I will revisit the notion of followership and how it can be both a best and a worst practice...

At The Hartford, I would frequently hear executives wax loquacious on the importance of leadership. When I was less mature, I found these speeches highly motivating, but now understand that the real message they're conveying has more to do with followership than leadership.

Executives in corporate America are encouraged to instill an ethic of followership in the organizations they manage. The leader, as they see it, is an elite, and the great mass of (unwashed) workers is supposed to follow that elite. The challenge with an ethic of followership is that it makes leading the exclusive domain of the anointed elite.

For a moment, compare the companies that are growing in a down economy to those that are slicing jobs, have declining morale and are otherwise mediocre at best. What you may find as a difference is that the great companies have no ethic of followership at all. Think about your current organization and then compare its leadership approaches to those of Google or Apple, and maybe you will see something that you didn't before.

I am not saying that the top organizations don't have followership, but I am saying that the top organizations do not have innate followers. In such companies, leadership is everybody's business and following someone who's got the inspiration of the moment is also everybody's business.

The best of corporations understand that leadership is a rotating function, not something for the anointed few. They also equally understand that followership should be harnessed and not turned into a worst practice.

Leadership is not restricted to acting only downward along the lines of organizational authority. The bread-and-butter acts of leadership that make companies healthy involve people leading their bosses, leading their peers, leading those in peer organizations and so on, all without being granted the official power to do what they're doing.

Enrolling someone who is distinctly outside the scope of your official power base is what constitutes real leadership...
