As a Sales Engineer, it’s not uncommon to meet with a customer - or a prospective customer - who, along with securing APIs, microservices and a web portal, would also like to secure some commercial off-the-shelf application (“COTS application” from here on). And why not? They see themselves shifting from the limitations of RBAC to the possibilities of ABAC, so the question makes sense. The challenge, of course, is that said COTS application isn’t built by your team, nor can you change its already compiled code. So what can be done about it?
Big data is one of the “big” industry trends that is challenging enterprises these days, especially from a data security perspective. Thanks to the explosion of Big Data, the Internet of Things (IoT), and global mobilization, the way companies use, collect, store and process data has changed forever. If we look back to 2011, the IT analyst firm IDC published the “Extracting Value from Chaos” report, in which they announced, “While 75% of the information in the digital universe is generated by individuals, enterprises have some liability for 80% of information in the digital universe at some point in its digital life.”
The Abbreviated Language For Authorization (Wikipedia), or ALFA, is a domain specific language used to express XACML authorization policies. It is far easier to work with than the raw XML, and, depending on whom you ask, easier to understand and work with than UI tools.
Currently there is only one way to write an ALFA policy, and that is to use the ALFA plug-in for Eclipse. This is not a post about ALFA in general but specifically about how to define and use Policy and PolicySet references and what the end result looks like.
The XACML standard provides a means of returning the reason for an access request denial through the use of the Obligations and Advice expressions, which were added in the 3.0 standard. A comprehensive explanation of Obligations and Advice can be found in our blog entry titled “You are not obliged to follow my advice: Obligations and Advice in XACML part 1”. More specifically, an in-depth explanation of how denial reasons can be returned in an Advice message can be found in “Obligations and Advice in XACML part 2”.
This week's question gets into a very specific XACML implementation detail, but it is one that I encounter often, so I thought this might be a good place to raise awareness. You are probably already aware that one of the key features of an Attribute Based Access Control (ABAC) system is the ability to use many attributes to make fine-grained authorization decisions. The XACML reference architecture makes getting these attributes easier by defining Policy Information Points (PIPs), but what happens when the underlying data source requires a secure LDAP connection?
The Benefits of Fine-Grained Dynamic Authorization: An introduction to Attribute Based Access Control
One of the great benefits of Attribute Based Access Control (ABAC) is that it can be as coarse or fine-grained as you need it to be. You start with two attributes, role and data, and you have Role Based Access Control (RBAC). But from there it gets much more interesting, as you can add as few or as many attributes as necessary to your authorization policy in order to control who can access what: attributes such as time of day, location of the user, the device being used, and so on. The context of each attribute is then taken into consideration at the time of the request, before access is granted or denied.
There are different approaches to expressing authorization logic. What’s the best way? Unfortunately, in this case it’s not as simple as a right way and a wrong way. Let’s take a look at the pros and cons of the more typical approaches we see here at Axiomatics when we work with our customers.
Scale the heights of enterprise access control:
IT and security leaders in large organizations often find themselves standing at the foot of a daunting mountain. That mountain is a mandate from their leadership to “improve security,” “do a better job in protecting data,” and “improve visibility on who can see what data and when it is accessed.” And do this for the entire enterprise.
Writing access control policies is an iterative process: you write rules, test for expected results, restructure, amend with additional rules and scope, and retest. With one app, two apps or many more, the effort grows, whether you alone own the policy authoring process or scope has been delegated or shared across application and data owners. Using effective comments can help make sense of work in progress, simplify understanding of finished work and provide more of a snapshot view of policy content.
X may mark the spot if you’re looking for treasure, but if you’re looking to protect something dear to you, such as your sensitive assets, X can also form part of your security program. That’s because X is the first letter in XACML, the OASIS standard language that authorization solutions from Axiomatics are based on. eXtensible Access Control Markup Language (XACML) offers a standardized way to achieve externalized and dynamic authorization. This means that authorization decisions are made by an authorization service at run-time, based on policies which determine what actions a user or service can perform on a given information asset and in a specific context.
Good news everybody! Health records are now electronic. And have been for some time. This means better communication, better treatment, faster care, potentially cheaper care.
However, this means that information is more easily available to all including the wrong individuals. This is where HIPAA and HL7 kick in. They provide a policy framework for privacy protection. And XACML is a great way to implement them.
In this blog we'll look at break-the-glass scenarios.
Access Control has been around ever since there has been the need to protect valuable assets. Sentries were posted and moats were built. Still, history is littered with access breaches, many of which, such as the Trojan horse, have gone down in folklore.
When authoring an access control policy, you may be creating a logical structure that calls for a negative expression. For example, you might be protecting a resource where access approval requires that the requestor not be a part-time employee [e.g. not(employeeType==partTime)].
Over the past 20 years the IT road map has changed beyond recognition. Cloud computing, smartphones and online services are part of our daily routines. Until now, however, access control has been predominantly managed with a static, antiquated model, namely RBAC. The time has now come to look beyond this, and use a dynamic, intelligent model. It's time for ABAC.
XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute Based Access Control (ABAC). XACML uses attributes inside policies to convey authorization statements. Policy authoring can be an art form, and we won’t be getting into every aspect of policy authoring in this article. For a brief overview of what a policy is, see this Axiomatics article.
Let me first give you a short introduction to Access Control Lists (ACL). In software, an ACL is a list of permissions granted to subjects on an object, where the subject might be Bob or Alice and the object might be the vacation calendar. The ACL is (typically) attached to and administered on the object, and (again: typically) each list entry contains a user or a group and a permitted action such as ‘read’. Simpler lists contain the user identity only, which means all actions are possible.
Yes, they do, they absolutely do. There are several data types defined in the XACML specification. The X in XACML is short for eXtensible, meaning that it is possible to extend the specification; with that, it is actually possible to define custom data types, and functions to use with those custom data types.
Spring Security, a project in the wider Spring framework, aims to provide an authentication and authorization framework around the core Spring. It started its life as Acegi Security in 2003 before being absorbed into the Spring framework, and we recently saw the release of version 4 of Spring Security.
The Abbreviated Language for Authorization (ALFA) is a pseudocode language used in the formulation of access control policies. ALFA maps directly into the eXtensible Access Control Markup Language (XACML) and contains the same structural elements as XACML (i.e. PolicySet, Policy, and Rule).
The Internet of Things (IoT) has revolutionized business intelligence within manufacturing. The availability of product data means companies no longer need to rely on customers to provide them with their usage behavior or product performance data. If a product is connected, a manufacturer “simply” has to monitor the data that comes in via the connected channels, and process the information received.
One of the key benefits of an Attribute Based Access Control (ABAC) system is the ability to use many attributes to make fine-grained authorization decisions. The XACML reference architecture makes getting these attributes easier by defining Policy Information Points (PIPs).
How ABAC Can Help Protect IP and Speed Time-To-Market.
Manufacturers face unique challenges when it comes to data protection. With digital transformation upon them, many manufacturers are literally awash with terabytes of data that needs storing, mining - and equally important - safeguarding.
Attribute Based Access Control presents an opportunity to help these enterprises manage how access to this data is authorized - and introduces control, visibility and compliance management as tangible benefits. Read about the “Data Protection Triangle” and how ABAC can help reduce the mystery of how to solve it.
Policy Decision Points (PDP) are managed through Authorization Domains in the Axiomatics Services Manager (ASM). When a new policy is applied to a Domain, the PDPs in that Domain will get notified and call the ASM API to retrieve the new Domain Configuration (including the policy).
In order to better support the configuration of an Axiomatics solution (APS, ARQ, ADAF MD...), the Axiomatics Professional Services team suggests the use of a database view. To someone who is setting up an ABAC (Attribute Based Access Control) solution and who is not necessarily a database expert, this may create doubts or uncertainty: what is it, and is it good practice to use SQL views for PIPs? In this week’s Q&A we are going to explain what a database view is, how it’s used by our products, and why it’s a good thing.
The 2016 Cloud Identity Summit is fast approaching and we’re a sponsor of the show this year. As a long-term partner of Ping Identity, we’ve witnessed Identity and Access Management become a dominant area within information security. We’re happy to see this year’s event focuses on the R/evolution of Enterprise Security, not only because we are the “#1” provider of disruptive dynamic fine-grained authorization, but also because we published a paper on this topic some time ago.
Policy Enforcement Points (PEP) are the component in the XACML / ABAC architecture responsible for protecting the requested resources. PEPs stop business flows, analyze them, create authorization requests from them, send the requests to the Policy Decision Point (PDP) and enforce the decision they receive back from the PDP. To do so, PEPs need to process and add attributes to a XACML request.