XACML: Alive and Well

Posted May 8, 2013 by ggebel
Categories: Authorization, Standards, XACML

The latest hyperbolic headline from our friends in the analyst community is brought to you by Andras Cser of Forrester, who proclaims that XACML is dead. Naturally, we at Axiomatics disagree since we have invested many years of effort at OASIS to develop and support the standard. The timing of this post is also interesting in that XACML version 3.0 was just formally ratified earlier this year and the Technical Committee is actively working on new profiles to support a REST interface as well as JSON encoding of the request/response formats – two features that will significantly expand the appeal to a wider developer audience. Let’s walk through this and address some of the statements that Andras makes:

Conversations with vendors and IT end users at Forrester’s Security lead us to predict that XACML (the lingua franca for centralized entitlement management and authorization policy evaluation and enforcement) is largely dead or will be transformed into access control

I am not sure what you mean here Andras as XACML already does access control.

Here are the reasons why we predict XACML is dead:

Lack of broad adoption. The standard is still not widely adopted with large enterprises who have written their authorization engines.

While XACML has not hit the mass market, we continue to see increased adoption across many industries. Organizations that have written their own authorization engines are investigating commercial alternatives, due to the cost of maintaining home grown systems and keeping up with growing requirements.

Inability to serve the federated, extended enterprise. XACML was designed to meet the authorization needs of the monolithic enterprise where all users are managed centrally in AD. This is clearly not the case today: companies increasingly have to deal with users whose identities they do not manage.

This is not correct on multiple levels. First, XACML was designed to meet the needs of service oriented architectures – which are, by definition, not monolithic in architecture or deployment patterns.

Second, the XACML standard never mandated that all users be managed centrally in AD or any other repository. Some products may have this limitation, but it is a vendor choice to do so. In fact, the policy information point is specifically defined to retrieve attributes or meta data from heterogeneous, distributed sources.

Finally, the XACML architecture naturally supports federated environments because access decision making and policy enforcement can be deployed centrally or in a distributed approach to cater for performance and other operational preferences. In fact, one of the simplest ways to achieve a hybrid IAM strategy for the cloud is to leave AD in the corporate enterprise and use authorization to communicate access control decisions.

PDP does a lot of complex things that it does not inform the PEP about. If you get a ‘no, you can’t do that’ decision in the application from the PEP, you’d want to know why. Our customers tell us that this can prove to be very difficult. The PEP may not be able to find out from the complex PDP evaluation process why an authorization was denied.

Actually, you can optionally communicate context about the decision using Advice or Obligation statements – part of the XACML standard. In version 3, these statements can contain variables and are very useful for communicating additional information to the PEP. Some examples are to redirect the user to a stronger authentication page, tell the user they have an insufficient approval limit, or tell the user they are not assigned to the patient so they can’t see the health record.

Keep in mind, many situations specifically require that the PEP not know why the access failed, because it could leak information for an attacker. Firewalls and network access control solutions are examples of this.

Not suitable for cloud and distributed deployment. While some PEPs can bundle the PDP for faster performance, using a PEPs in a cloud environment where you only have a WAN link between a PDP and a PEP is not an option.

The modular architecture of XACML is absolutely suitable for cloud and other kinds of distributed deployment scenarios. The fact that major components such as the PEP, PDP and policy authoring are decoupled means you can deploy them in many configurations. Embedding the PDP with the PEP and application is one option, but you can also co-locate the PDP with the app for better performance. As with on-premise deployments, implementers have to consider the latency between PEP to PDP and attribute retrieval. Cloud scenarios may present some challenges in reference data synchronization or retrieval, but many options are available to address them. 

Commercial support is non-existent. There is no software library with PEP support. Major ISVs have not implemented externalized authorization or plugin frameworks for externalized authorization. Replacing native SharePoint authorization with an Entitlement Management PEP is a nightmare requiring a one-off, non-standard, non-repeatable development and operations process.

I acknowledge that, as an industry, we have not adequately addressed the ISV industry with sufficient tooling to externalize authorization. As a result, we continue to see the creation of ‘new legacy’ applications that are difficult to manage and operate from an IAM perspective. Axiomatics has recently joined and contributed to the OpenAz project in an effort to meet these requirements.

Regarding SharePoint, we agree that a PEP-to-PDP model is difficult to implement for this platform, which is why we have taken a different approach.

Refactoring and rebuilding existing in-house applications is not an option. Entitlement Management deployment requires a refactoring of the application to use the PEP hooks for centralized, externalized authorization. This is not a reality at most companies. They cannot just refactor applications because of a different authorization model (sometimes, especially with mainframe applications the authorization model is not even understood well enough to do this…)

Another point of agreement: Most existing applications will not be rewritten to implement an externalized authorization approach. However, there are ways to integrate with existing applications without changing the application’s code by using filters or proxies, for example.

Additionally, many organizations are exposing existing applications by building API or web services layers – this is the perfect integration point for incorporating externalized access control.

OAuth supports the mobile application endpoint in a lightweight manner. XACML today largely supports web based applications. While OAuth’s current profiles are not a full-blown replacement for XACML functionality, we see that OAuth’s simplicity made it the de-facto choice for mobile and also non-mobile applications.

OAuth and XACML are not mutually exclusive, but certainly have their respective strengths/weaknesses. Again, I will point to the REST and JSON profiles for XACML that are currently under development at OASIS – these profiles will make XACML-based systems more easily integrated with mobile and other light weight platforms.

Comments: 9 Comments

Part Two: Software Development Lifecycle (Development)

Posted May 31, 2012 by ggebel
Categories: Architecture, Authorization, Development, XACML

This is a continuing conversation with James McGovern who is lead Enterprise Architect for HP Enterprise Services and whose focus is in providing bespoke enterprise applications to the insurance vertical. The conversation to date is about how entitlements should be conceptualized along the SDLC (part 1). The topic we will cover in this dialog is centered on concerns that happen after IT Architects have performed high-level architecture and need to provide hands off to development teams. My colleague, Felix Gaehtgens also provided valuable input to the discussion.

JM: Generally speaking, the need for entitlements management tends to be on the radar of savvy information security professionals who realize that they need to invest more time in protecting enterprise applications and the data they hold over simply twiddling with firewalls, SSL and audit policies that look for whether a third party has a clean desk policy and whether there number two pencils are sharpened. When security people know nothing about software development and software development people don’t know anything about security, then bad things can happen. Today’s conversation will be a small attempt in connecting these two concerns. Are you game?

GG: Definitely. I also see a disproportionate amount of time and budget dedicated to security apparatus that does not address the specific security, business or compliance rules that an enterprise must enforce. To do that, you need to address security and access control concerns within the business application directly.

JM: A developer has received the mockups for a user interface from the graphics team and now has to turn it into code using JSPs and Servlets. In this particular tier, how should they incorporate entitlements into the pages as well as do it en-masse if they have hundreds of pages to develop?

FG: That’s an excellent question. Access control can and should happen on multiple layers. As you mention a user interface, that is a good point to control access to individual user interface components. For example: a button might start a particular transaction. Is this user authorized to carry out that transaction? If not, then the button should perhaps not be displayed. We can even think of fine-grained access control here. Suppose you are displaying a list of customer accounts to a user. What details should be visible? Should you perhaps hide some columns?

When we do access control in a holistic manner, we can obviously not stop at the presentation layer. You mentioned servlets here. A servlet operation is another type of action that can be authorized. May this function be executed on this servlet by this user in this particular context? This again is a good question. Let’s assume the user is authorized. What happens then? The servlet probably does some things, perhaps retrieving some data, perhaps kicking off a call to some back-end service. As the servlet does its thing, there other steps that would need to be authorized within the execution code of the running servlet. None of this is actually new. If we look at existing code, we see a lot of “If thens” that check whether something is allowed to happen. What architects should be vigilant about, is the fact that having all these “if thens” causes problems down the line. What if the business policies change? What if new regulations come into force? How can you actually audit what is happening? Because of this, it is important to consider moving access control to a separate layer and externalize authorization.

JM: Developers will also develop reusable web services whenever possible that can be leveraged not only by their enterprise application but others as well. How should they think about incorporating entitlements into a service-oriented architecture?

FG: Hooking entitlements into a service-oriented architecture is actually quite painless. The easiest way – without modifying code – would be to use interceptors that check whether a particular transaction is authorized. This also makes the services simpler because authorization is moved into its own layer.

JM: There are a variety of ways to develop web-based applications ranging from Spring, Struts, Django, etc and each of them come with some sort of security hook functionality. How do I configure this to work with entitlements?

FG: These frameworks support authorization, to a certain degree. Unfortunately though, Authorization is typically quite coarse-grained. In Spring for example, you can authorize access to a class. But if this class implements a lot of logic by itself, Spring doesn’t help you doing these “micro-authorizations” or fine-grained authorization. So it’s likely going to be a lot of “If thens” within those classes. The best approach would be to externalize both the coarse-grained as well as the fine-grained authorizations. But if for any reason that is not practical, then the coarse-grained authorization can already be done through the framework by talking to an externalized authorization layer, such as a XACML policy decision point (PDP).

JM: Being an Enterprise Architect who codes and knows security, I have observed throughout my career that many enterprise applications from a code perspective tend to centralize authentication but spread authorization in almost every module. What guidance do you have for both new and old applications in this regard?

FG: For new code, you have the option of externalizing authorization from the start. There are several ways to do this. Aspect-oriented programming can help automate some of this. You can also implement your own permissions checker interface and then hook that into either a local implementation or an externalized XACML authorization service at run-time, so that it gives you all of the flexibility. There is no perfect answer for all cases, as it really depends on how you are writing your code. Wherever in your code you would otherwise do the hard-coded “If thens” to check whether something should be authorized or not, you should be calling an authorization function. If you can create certain “control points”, then you make your life easier. If you have some other points where you need to authorize, use simple APIs to make a call-out to an authorization service.

For old applications, you will need to check where you can “hook in” the authorization. Perhaps there are some control points where you can install interceptors, inject dependencies, or wrap existing classes. If this is not possible, you might be able to intercept data flows coming in or out of a module, and do your authorization there.

JM: Within my enterprise application, I may have built up a “profile” of the user that contains information I would have retrieved post authentication from a directory service. What is the best practice in using this information to make authorization decisions?

GG: The design issue you are raising is whether the PEP should do attribute lookups or if we should rely on the PDP to perform this function. Generally speaking, it is more efficient for the PDP to look up attributes. Mostly this is because the PDP determines what policies will be evaluated and is able to fetch only the additional attributes it needs for policy evaluation. The PEP is not aware of what policies are going to be evaluated, and therefore may waste processing cycles retrieving attributes that will not be used. That extra processing time could be substantial when considering network time for the retrieval, parsing the response, and converting data to XACML attributes.

However, in your case it appears that the application is collecting attribute data for the profile in its normal course of operation. Seems like these attributes can be forwarded to the PDP in the access request without compromising response time performance. There may be other cases where the attributes are in close proximity to the application and it is better for the PEP to do the lookup.

Each scenario and use case should be analyzed, but our starting position would be to have the PEP include attributes it has already collected and to let the PDP look up the rest through its PIP interface. Attribute retrieval is really an externality for the application and should be left to the authorization service. It is also important to consider what happens when policies change. If too much attribute handling is done by the application, it may require additional code changes to accommodate policy changes. If the developer relies on the authorization service to deal with attribute management, then he/she gets the additional benefit of fewer (if any) code changes when the access policies must be adjusted.

JM: Another form of reuse within that many enterprise applications should consider but are not currently implementing is the notion of supporting multiple tenants. Today, an enterprise may take an application and deploy it redundantly instead of keeping a single instance and allowing multiple tenants to live within it. If I wanted to show development leadership in this regard, how can entitlements help?

GG: Applications have multiple layers or integration points where you must consider authorization for a multi tenant configuration – this also applies to single tenant applications. As you described earlier, access policies need to be applied at the presentation and web services or API layers. Beyond this, you have the data layer, typically a database, to consider. It is likely that enterprises deploy multiple instances of an application and its database because they cannot adequately filter data per tenant with current technologies or approaches. With an XACML entitlements system, you can enforce row, column and field level access controls – providing a consistent enforcement of entitlements from presentation to web service to the database. Axiomatics builds specific database integrations (such as Oracle, Microsoft and others), but customers can also use the API to integrate with their preferred SQL coding mechanisms. We think this is a less costly AND more secure solution than what can be purchased from Oracle, for example.

With the approach just described, enterprises can get some economies of scale by deploying fewer application instances – I know there are reports out there about idle CPU time in data centers. Hopefully this also reduces the operational burden by managing fewer instances, but the operations center has to know more detail about which user communities or customer groups each application is supporting.

JM: Our corporation has been breached on more than a few occasions by Wiley hackers. Every time this happens, the security forensic jamboree blows their trumpets really loud asking for assistance in determining what happened. They attempt to reactively walk through log files. To me, this feels like a ceremonial failure. Can entitlements management make those information security people disappear so that I can focus on developing code that provides business value without listening to their forensic whining?

GG: Audit logs of what HAS happened will always be important when attempting to analyze a breach, incident or even for extreme troubleshooting. I think it can be helpful to investigators if there are fewer access logs to examine – here a central authorization service can provide a lot of benefit. A central authorization system that serves multiple applications gives you a single audit stream and single audit file format. It also relieves developers from at least some of the burdens of security logging – although there may be requirements to log additional context that the authorization system is not aware of.

There is also a proactive side of this coin: what CAN users access in an application. It seems that, as an industry, we’ve been trying to definitively answer auditor questions such as, “Who can update accounting data in the general ledger system?” or “Who can approve internal equity trades when the firm’s accumulated risk position reaches a certain threshold?” First, there is a fundamental failure in application design when business owners, auditors and security officers alike cannot easily answer these questions. Why is it still acceptable to build and buy applications that actually increase the operational risk for an organization? Second, many identity management technologies have only served to mask the problem and, ultimately, enable the problem to continue. For example, user provisioning systems were initially thought to be capable of managing access and entitlements for business applications. It turns out that they are relatively good at creating user accounts, but have limited visibility into application entitlements – those are managed by local admin teams. Access governance tools have a better view of entitlements, but it remains difficult to get a complete view when authorization logic is embedded in the application code.

With XACML policies implemented, auditors can test specific access scenarios to confirm enterprise objectives are being met. A policy language is an infinitely richer model for expressing access control policies, than can be done with ACLs, group lists, or roles. Finally, you can specifically answer those auditor questions of who can access or update applications, transactions, or data.

Comments: Be the first to comment

XACML and Dynamic Access Control in Windows Server 2012

Posted May 25, 2012 by ggebel
Categories: Authorization, Conferences, Uncategorized, Windows Server 2012, XACML

Microsoft has introduced a significant feature enhancement to Windows Server 2012, Dynamic Access Control (DAC). This is big upgrade from the access control lists (ACLs) used in previous generations of Windows Server, giving enterprises a richer and more flexible authorization model at their disposal. The new functionality gives enterprises tools to more effectively control access to the vast amounts of data in Windows file shares, while complying with business, security and compliance policies. You can find an excellent introduction to Dynamic Access Control here and I expect Microsoft to publish much more information, as we get closer to the GA date for Windows Server 2012.

At Axiomatics, we have added a new feature to our core XACML engine – Axiomatics Policy Server – so that XACML authorization policies can be converted into a format recognized by the DAC function in Windows Server 2012. To implement DAC, Microsoft uses Security Descriptor Definition Language, or SDDL. The Axiomatics feature automatically translates XACML policies into SDDL format and loads the policies into your Windows Server 2012 Active Directory.

There are several benefits to the Axiomatics integration that will enhance Windows Server 2012 deployments, including:

  • Leverage a central authoritative source of access policies: XACML access policies that are implemented across other applications in the enterprise can now be applied to Windows Server environments.
  • Manage and control access to file server resources more easily: Policy languages provide, such as XACML, provide a more direct and flexible model for managing access to vast amounts of data spread across hundreds or thousands of servers.
  • Meet audit and compliance requirements more easily: An externalized and authoritative source for access policies means you have fewer places to audit and certify the access controls for critical applications and data
  • Report on who has access: Axiomatics provides advanced reporting tools to fully explore and validate your access control policies
  • Consistently enforce access across applications and platforms: Enable your Windows Server 2012 to participate in a broader, central authorization service. In this mode, enterprises can ensure a consistent level of policy enforcement across the environment – based on the single, authoritative source of access policies.
  • Best runtime performance: Windows Server 2012 performance is not impacted, since its normal internal access control mechanism is being utilized – there is no callout to an external authorization engine. This gives enterprises the best performance possible, but also provides the assurance that access control is being implemented according to centrally managed policies.
  • Increase value of your XACML investment: Integration with platforms such as Windows Server 2012 or Microsoft SharePoint 2010 extends the reach of your XACML authorization system.

If you are planning to visit Microsoft TechEd 2012, please stop by our booth in the partner pavilion for a demonstration.

Comments: 2 Comments

Part One: Software Development Lifecycle (Architecture and Design)

Posted April 5, 2012 by ggebel
Categories: Architecture, Authorization, Development, Standards, XACML

Last year, James McGovern who previously was in the role of Chief Security Architect for The Hartford and now is the lead Enterprise Architect for HP focused on insurance and I held several discussions (Part 1, Part 2, Part 3) on using entitlements management within the insurance vertical. Now that we are in a new year, we have decided to revisit entitlements management from the perspective of the software development lifecycle.

JM: Historically speaking, a majority of enterprise applications were built without regard to modern approaches to either identity or entitlements management. At the same time, there is no published guidance by either the information security community or industry analysts in terms of how not to repeat past sins. So, let’s dive into some of the challenges a security architecture team should consider when providing guidance to developers on building applications securely. Are you game?

GG: Definitely! I think it remains an issue that applications are still being built without a modern approach to identity or entitlements – we see many cases where developers make their own determinations on how to best handle these tasks. Security architects and enterprise architects have long professed the desire to externalize security and identity from applications, but this guidance has an uneven track record of success.

JM: The average enterprise is not short of places to store identity. One common place where identity is stored is within Active Directory. However, infrastructure teams generally don’t allow for extending Active Directory for application purposes. So, should architects champion having a separate identity store for enterprise applications or somehow find a way to at least centralize application identity?

GG: Attribute management and governance is a key element to an ABAC (attribute based access control) approach. You might expect that one source of identity data is ideal, but that is not the reality of most deployments. Identity and other attribute data is distributed between AD, enterprise directories, HR, databases, CRM systems, supply chain systems, etc. The important thing is to have a process for policy modeling that is aware of and accommodates the source of attributes that are used in decision making.

For example, some attributes are derived from the session and application context, captured by the policy enforcement point (PEP) code and sent to the policy decision point (PDP) with the access request. The PDP can look up additional attributes through a policy information point (PIP) interface. The PIP is configured to connect with authoritative sources of information, which could be additional information about the user, resource or environment.

JM: While I haven’t ran across an enterprise that has gotten a handle on identity, I can also say that many security architecture professionals haven’t figured out ways to stitch together identity on the fly either. If we are going to leave identity distributed, what should we consider?

GG: I am a proponent of a distributed model as the starting point for this issue. That is, identity data should be stored and managed in close proximity to its authoritative source. In a distributed approach such as this, data accuracy should be better than if it is synchronized into a central source. Others will argue for data synchronization, and it is important when performance requirements call for a local copy of data. Therefore, performance, latency and data volatility are all issues to consider.

JM: What if an enterprise application currently assumes that authentication occurs by taking a user-provided token and compares it to something stored within the applications database. Many shops deploy web access management (WAM) technologies such as Yale CAS, CA Siteminder, etc where they centralize authentication and pass around session cookies but may not to know from an identity perspective why this may not be a complete solution?

GG: A few things come to mind here. First, a WAM session token is proprietary and therefore has a number of limitations in the areas of interoperability, support in multiple platforms, etc.

Second, there is the issue of separation of concerns. From an architectural perspective, I strongly believe in having an approach that treats authentication separate from authorization concerns. One of the main benefits is the ability to adjust your authentication scheme to meet the rapidly changing threats that we see emerging on a daily or weekly basis. If authentication is tightly coupled with another identity component, then an organization is severely limiting its ability to cope with security threats.

Finally, authentication should be performed at the identity domain that is most familiar with the user. Said another way, each application does not and should not store a credential for users. Federation standards permit the user to authenticate at their home domain and present a standardized token to applications they may subsequently access.

JM: Have you ever been to a website where they ask you to enter your credentials and they don’t provide you with any queues as to what form the credential comes in? For example is it a User ID or email address. A person may have multiple unique identifiers. Is it possible to use entitlements management as a centralized authenticator for an enterprise application in this scenario?

GG: My initial thought is “no” based on my comments regarding separating authN and authZ above. There are also security reasons for not giving the user a hint about the credential – to reduce the attack surface for someone trying to compromise the site.

However, there may be cases where a web site wishes to permit the use of multiple unique identifiers for authentication. Once you get to the authorization step, will you still have all the necessary user attributes available? Do you need to map all the identifiers to the attribute stores? You can end up making the authorization more complex than it needs to be

JM: If you have ever witnessed how enterprise applications are developed, they usually start out with the notion of two roles where the first role is a user and the second is the administrator. The user can do a few things and the administrator can do anything. Surely, we need to have something more finer-grained than this if we want to improve the security of enterprise applications. What guidance could you provide in terms of modeling roles?

GG: There are different levels of roles that should be defined for any given application:

  • Security Administrator: Their only purpose is to manage and potentially assign entitlements.
  • System Administrator: They just manage the application or platform but don’t deal with entitlements
  • User Role: Here are the regular users that will interact with the system

I definitely would start with the security administrator role – this role deal with managing entitlements, access policies and assigning these to users – they should not have access to the data, transactions or resources within the application. The system administrator role functionality should be constrained to managing the application, such as configuring the system, starting/stopping the application, defining additional access roles (see below) or other operational functions that are not associated with the business application.  This is a vast departure from the super user model where there is a root account with complete access to everything on a system, which ends up being a security and audit nightmare.

Third, you can define a user role that permits an individual to login to the application but with very limited capabilities. Here is where ABAC/XACML comes in to give you the granularity required. Access rules can define what functions a user role can perform as well as what data they can perform functions on. With this kind of dynamic capability, you can enforce rules such as, Managers can view payroll data for employees in their department.

JM: I had the opportunity in my career to be the lead architect for many once popular and now defunct Internet startups during the dot-com era. At no time, do I remember anyone ever inquiring about a standard around what a resource naming convention should look like. Even today, many enterprise applications have no discernable standards as to what a URL should look like. Now that we have portals and web services, this challenge is even more elusive. I know that web access management technologies use introspection techniques and therefore are suboptimal in this regard. Does Entitlements Management provide a potential solution and if so, what constructs should we consider in designing new enterprise applications?

GG: The XACML policy language includes a namespace and naming convention for attributes, policies, etc. This helps to organize the system and also to avoid conflicts in the use of metadata. It is also possible to incorporate semantic web approaches or ontologies to manage large and complex environments – we are seeing some customers interested in exploring these capabilities.

JM: I have heard Gunnar Peterson use an analogy in a testing context that makes me smile. He once stated, testing through the UI is like attempting to inspect the plumbing in your basement by peering through your showerhead. This seems to hint that many applications think of security only through the user interface. Does entitlements management provide the ability to define a security model that is cohesive and deals with all layers of an enterprise application?

GG: Absolutely, this is one of the strengths of the XACML architecture. You can define all the access rules that an XACML policy server will enforce – and install policy enforcement points (PEP) at the necessary layers of an application. These are typically installed at the presentation, application and data tiers or layers. Such an approach is important because you have a different session context at each layer and may have different security concerns to address, but the organization needs to ensure that a set of access rules are consistently enforced throughout the layers of the application. Further, individual services or APIs can be secured as they are used on their own or in mash-up scenarios.

You get the additional benefit of a consolidated access log for all layers of the application. All access successes and failures are available for reporting, investigations or forensic purposes.

JM: Some enterprises are moving away from thinking in terms of objects towards thinking in terms of business processes. How should a security architect think about applying an entitlements-based approach to BPM?

GG: I recall writing some years ago that BPM tools could facilitate the creation of application roles – it’s very interesting that you now ask me about BPM and entitlements! But it’s a logical question. BPM tools help you map out and visualize the application, have the notion of a namespace, resources, and so on. At least a couple of places where entitlements and authorization rules can be derived are within BPM activities as well as when you have an interaction with an activity in another swim lane.

JM: Enterprises are also developing mobile applications that allow their consumers to access services, pay bills and conduct business transactions. It goes without saying that a mobile application should have the same security model or at least adhere to the same security principles as an internally hosted web application. What are some of the entitlements considerations an architect should think about?

GG: There are several considerations that come to mind, but let’s address just a few of them here.

  • Do you need to limit functionality or data download for mobile devices? This can be enforced in your access policies.
  • Do you need to control what functions/buttons/content is displayed on the screen? This is commonly done for access via non-mobile browsers.
  • Do you need to support offline mode or deal with low bandwidth connections (insert your least favorite carrier here). In this case, you may need to support long-lived entitlements or access decisions as opposed to the normal transactional model for XACML systems.
  • Where is the data? How much data is stored on the mobile device? Is the data stored in the cloud? The answers to these questions help to determine how the authorization solution is architected.

Comments: 2 Comments

Calling all Dutch speakers with an interest in XACML!

Posted August 22, 2011 by Felix Gaehtgens
Categories: Uncategorized
Tags:

Hi, this is Felix Gaehtgens again, posting on Gerry’s blog. The Dutch government is thinking about adopting XACML as a standard, and until September 4, 2011 there is an open process to send in comments, which I encourage every Dutch speaker with an interest in XACML to do.

The Dutch cabinet has decided in 2007 to implement an action plan for the use of open standards and open software in government. A “Standardisation College” has been formed and tasked with looking at open standards and prescribing their use within the Dutch administration (“overheid”). This College maintains a list of standards on a “comply or explain” list. For future projects this means that tendering vendors and architects must either comply with the standards on the list, or give an explanation on why this cannot or should not be done.

Currently, it is being studied whether XACML should be put on the “comply or explain” list. The decision process is open and well defined, and works like this:

1. An expert group has met and compiled a document with their recommendation.

2. Following the publishing of this expert group recommendation document, there is now call to the public for comments and additional advice. This process closes on Sep 4, 2011.

3. The expert group recommendation and all of the public comments and reactions will be passed to the Standardisation College immediately after the Sep 4 deadline has passed.

4. The Standardisation College will then make a decision on whether to put XACML on the “comply or explain” list or not.

In short, the expert group met and looked at two standards: XACML and WS-Policy. Their recommendation was not to include WS-Policy in the “comply or explain” list. On XACML, the expert group recommended not to include XACML in the “comply or explain” list yet because the expert group thought that not enough experience existed with the standard, and they thought it was too early at this point. However, they stated that XACML is a very promising standard, and hence recommended to look at the issue again in one year.

I encourage every Dutch speaker with an interest in XACML to read the documents of the expert group, and to fill in the template for the public comments, and send it in before the deadline. I intend to do the same. In fact, there are several parts of the document which – albeit excellently written – may need some further clarification. Since the expert group admitted that they do not have much experience with XACML in the Netherlands yet – perhaps experience made in other locations and environments might flow into the process. I therefore encourage everybody who speaks Dutch and has some experience in externalising authorisation with XACML to send in their comments.

In the document, it is written that Centric (the government organisation tasked with the standardisation) is looking to take identity management, authN and authZ out of the applications and have them provided by a central facility. XACML is the ideal standard to do this. I believe that the choice is actually quite straight-forward. When authN (authentication), specifically federated authentication was being adopted, there was initially a bit of a “war of standards” between SAML 1, Liberty Alliance ID-FF, and WS-Federation. SAML 2.0 merged features of SAML 1 and Liberty Alliance ID-FF together into SAML 2.0. However IBM and Microsoft were still pushing for WS-Federation and initially refused to support SAML 2.0. Finally, SAML 2.0 came out on top, and even Microsoft fully support the standard natively.

With XACML, it is much easier. The standard is straight-forward and addresses externalised authorisation in a flexible, versatile and pervasive manner. There really is no contender. This is why it seems natural to me that XACML should be on the “comply or explain” list if authZ is really to be externalised.

The expert group rightfully states that there are many things to be thought of when externalising authorisation. They say for example that authZ between organisations will be a very interesting trend. The expert group recommends that perhaps a specific profile for using XACML could be defined. This is a very good idea. However, the enemy of the good is always the better. If you want to externalise authorisation, then you really need to start doing it rather sooner than later – because it will be more work retro-fitting externalised authZ into applications later. Hence my recommendation would be to start as early as you can. XACML is very flexible, and once you have managed to bring at least your new applications into line you have something to work with that gives you a lot of flexibility.

The expert group also started with a recommendation for an architecture but states that more work needs to go into this, saying that it would be a good starting point for a discussion. It definitely is a good starting point – I believe it is important however to point out again that XACML deployments give a lot of flexibility when it comes to the integration of applications – from coarse-grained to fine-grained. Several architecture models could be given as a suggestion, and there are many “good practises” available from existing implementations already (such as from our customers). But is all of this already necessary before a decision can be made to include XACML on the “comply or explain” list? There is the danger of “putting the cart in front of the horse” by saying that everything must be defined before a recommendation can be given which standards to use for externalising authZ. Why not just say yes, we want to externalise authZ, hence we’ll use the standard for doing this. As applications are becoming prepared to support XACML, a whole universe of possibilities opens up for providing more advanced authorisation services within and between organisations. But why wait with preparing applications to support this infrastructure? Waiting will only mean that there are more hard-wired non-standardised applications that will make it more difficult in the long run.

Perhaps this is why the expert group – admitting that there is not much experience with the standard – think that the time for XACML to be put on the “comply or explain” list may not yet be ripe.

I am not a real “Dutch speaker” although I can understand (depending on who is talking) and read it quite well after being exposed to a lot of the language in Belgium. I can speak it somewhat but it sounds “grappig”, and writing for me is very “moehelijk”. But I’ll do my best and have my Dutch friends look over my comments.

So if you speak Dutch, and have opinions/experience about XACML, please send in your comments so that the Standardisation College has the complete picture available when making their decision.

Here is the link again to the expert document, and the template for sending in comments.

Comments: Be the first to comment

XACML – so much more than some people can see!

Posted June 29, 2011 by Felix Gaehtgens
Categories: Architecture, Standards, Uncategorized, XACML
Tags: ,

This is Felix Gaehtgens and I am one of the latest additions to the Axiomatics team. My colleagues Gerry Gebel and David Brossard were so nice to offer me a space on their blogs. As a former industry analyst, I’m going to start here, and post my future more technical musings on David’s blog.

Speaking about musings, I just stumbled upon an article on heise.de from my former colleague Martin Kuppinger. The article talks about access management with the XACML standard and is entitled “Only good if you can’t see any of it”. It is published in German, and if you can understand that, you can read it here. Martin is a distinguished and very smart analyst, and I am honoured to have worked alongside him for more than three years at Kuppinger Cole where I covered the authorization field and in particular the XACML technology. His past and current musings – apart from this one article – provide an excellent insight into the current state of technology within the Identity and Access management field.

In his article, Martin wrote that XACML is a complex language. He expects that companies implementing XACML will have to confront a large set of many complex rules, and therefore the management of these rules is complex. He makes the point that XACML has to be “hidden” by tools because it is just too complex to use.

To my experience, nothing is further from the truth. This merely reflects some common misconceptions about XACML, and it also reflects some FUD (fear, uncertainty and doubt) floating around by some people without sufficient understanding of the XACML technology. What is important here is that customers need to have fully-fledged XACML tools to solve their complex authorization problems. Cutting corners and then calling those limited features “simplification” to make it “more user-friendly” mean that you don’t get all of the powerful benefits, and shouldn’t be an option for you. You need the potential of this technology to tackle the hard authorization problems in the real world. You will need to use the concepts of XACML to create compact and adequate policies. No short-cuts are recommended here.

XACML is a language used for access control, and it is very powerful and flexible. When I compare it to simple rules used in traditional SSO and RBAC-like access management products, I like saying that RBAC is like a simple text editor and XACML is like a word processor. If your needs are really simple then perhaps a text editor is enough. But if you want to create real documents, I’d highly recommend using a word processor.

The reality in XACML implementations is that you create a small set of policies that quite accurately reflects the overall business requirements. In many cases, you can almost “translate” a business access control requirement into one policy. This makes things quite simple, because you can easily edit the few number of policies to make sure that they accurately reflect what the business is demanding.

I’ve seen this already “at work” with several of our customers. They are really enthusiastic about the fact that they can create a fairly simple policy model in XACML to link their business policies together with data that already exists in the enterprise and deploy truly powerful and dynamic access control for their applications. It’s very cool to see this in action. That’s why I really disagree about the “good practise” of “generating” XACML from “simple” rules. Sure, you can do that, and there may be some cases when this could be useful, but then you are really missing out on those benefits of XACML that can truly transform your deployment.

Consider the other, more “traditionalist” approach. You have primitive and “simplified” access control rules, often in the form of “if user X has role Y”. You then need to model your business requirements in these types of low-level rules. Not an easy task, and it also means that you will need to maintain a whole new data repository to support your simplistic policy model. That is complex. And that is much more difficult to maintain and audit.

So XACML is “expressive” and “complete” rather than “primitive” because it allows you to do many more things. It allows you to define your access policy in just a few well-defined rules that are not difficult to understand, rather than in a myriad patchwork of primitive access control statements that become difficult and expensive to maintain and audit. This in my opinion is one of the greatest benefits of XACML. Maintaining you access control system in XACML makes it much easier, rather than more complex.

When I started at Axiomatics, I already expected that our customers would find it easier modeling their access control requirements with XACML rather than using a traditional role-based approach. Once I started talking to them, I was somewhat surprised to find out that many of them found it even easier than I thought! Sure, you have to learn a little (not too much), but this usually saves you so much more time and money because if elegantly side-steps a lot of the mess that you would otherwise have to confront.

Where Martin does have has a point is that XACML is based on XML, and nobody (except maybe for some hard-core geeks) would like to maintain XACML policies by editing raw XML files. But that’s obvious. At Axiomatics, we ship a GUI (graphical user interface) that allows you to define and test your XACML policies. It offers the full power and features of XACML in an easy way, rather than a limited “simplified” subset of possibilities that don’t go far. The learning curve with XACML is not steep, because it is actually very natural in the way that it allows you to express your requirements; and as with any powerful tool you’d be advised to take a bit of time to learn about the features at your disposal and real-life good practises that we’ve learned from our customers’ experiences. I’d be happy to discuss them with you – just drop me an email.

Comments: 2 Comments

Spring and Summer conference schedule

Posted May 4, 2011 by ggebel
Categories: Conferences, Workshop

It seems that this time of year the conference circuit begins to intensify before taking a break for summer vacations. Unfortunately I am not able to join the identerati at IIW this week, but here is the schedule for the rest of spring and summer:

European Identity Conference: Located in beautiful Munich, this promises to be another excellent event. Of particular intrigue is the fact that Craig Burton will be joining KuppingerCole as an analyst – very exciting news! In addition to Axiomatics sharing an exhibit floor booth with Ping Identity, I will be participating in the following sessions

Glue Conference: This is one of Eric Norlin’s creations and promises to be an interesting and informative event – particularly for you developers out there. A new program was introduced this year where Alcatel-Lucent has funded “demo pods” in the exhibitor space for interesting startup vendors. So, a big thank you to Alcatel-Lucent and the selection committee for picking Axiomatics as a demo pod participant.

Cloud Identity Summit: 2011 is the second year for the Cloud Identity Summit, hosted by Ping Identity.  Just give a quick look at the agenda and speaker lineup and I expect you will be registering immediately. Plus, Andre has lined up 15 workshops on various cloud and identity topics… 15 workshops, are you kidding me? What conference gives you that kind of learning opportunity? I am pleased to be giving The Essential XACML Primer workshop again this year – please come out to Keystone, CO for this amazing event!

Gartner Catalyst Conference: Axiomatics will have a hospitality suite for the first time at Catalyst this year. For those of you familiar with the Catalyst format, hospitality suites are unlike exhibit spaces at any other conference. They are fun, themed based settings where you can enjoy yourself while mingling with other attendees – and learn a little about vendor offerings. Please join us at Catalyst and look for a very unusual and fun giveaway in the Axiomatics suite.

Comments: Be the first to comment

« Older Entries
Follow

Get every new post delivered to your Inbox.