Extensible authorization is the common name for Axiomatics products and technologies. Combined, they deliver a new, standards-based approach to access control that enables organizations to secure new business opportunities more rapidly.
The value proposition
The eXtensible authorization solutions bring together the benefits from combining standardization, through eXtensible Access Control Markup Language (XACML), with the proven results of externalized authorization. The result is robust, intelligent, and future-proof access control that can be tailored to virtually any need.
Standards-based authorization offers benefits beyond its immediate scope and purpose, namely access control. Unlike many existing access control models that are inflexible and coarse-grained to the extent that they hindered efficient information sharing, eXtensible authorization enables secure data exchange. The added value offered from such solutions can be categorized according to four main areas:
A top-down approach to IT governance and regulatory compliance
Extensible authorization uses centrally maintained policies for access control. These policies are written in a language as expressive as a natural language. It declares under which circumstances and in what ways information assets are to be made available to which type of users. The mandates of these policies translate business rules and legal or regulatory requirements into directives which are consistently enforced within controlled IT systems.
Today, governance widely depends on detective controls and endless manual configurations of individual IT systems. With eXtensible authorization, by contrast, policies declare automated preventive controls which are enforced across an entire application stack.
Risk-intelligence through context-aware and automated application controls
Risks, by definition, are context-related. Information security risks such as unauthorized disclosure, inappropriate use or modification of information are not absolute entities. They are proportionate to actual threats, the values at stake, and the vulnerabilities that can be exploited. Variables change over time. Existing access controls models, however, are by nature static and pre-declared. Permissions assigned to users or roles are "on" or "off". Entitlements are made in advance, before permissions are used, at a time when actual risk factors are unknown. As a result, loss of availability is a common risk caused by overzealous preventive actions when over restrictive "on/off"-entitlements are used with old-fashioned and static access control systems.
Extensible authorization, by contrast, is dynamic and context-aware. Access control policies can include conditional risk indicators which are evaluated at run-time when the real access requests are made. For more details, see the related article on Risk intelligence.
Cost savings in IT operations and development
Applications which support core business processes by necessity have non-trivial access control requirements. Segregation of duties, corporate attestation rules, privacy concerns, legal constraints, protection of intellectual property - endless non-functional requirements must be catered for.
As a result, some 20% - 30% of software development and maintenance costs have traditionally been related to access control. In every single application and service, the wheel of authorization has been re-invented and implemented in the programming language currently used. Only the software programmers really knew what was going on under the hood; and under every hood you found a unique and re-invented authorization engine.
With eXtensible authorization, by contrast, access control decisions are externalized to a central point. Business managers, rather than software developers, control why access is granted or denied. Developers concentrate on the functional requirements and user-friendliness of their applications. Authorization policies are maintained at a central point, outside their code base.
As a result, access control logic is efficiently standardized and reused across applications and platforms. A large portion of the 20%- 30% previously spent can be saved or used for better purposes. The same is true in production; rather than having unique configurations in every single business application demanding unique technical expertise, all applications are controlled from a centrally managed Policy Decision Point.
Furthermore, the access management bureaucracy that over time has been established for the administration of access permissions can now greatly be simplified since management of permissions can be automated as an integral part of existing business processes.
Rarely have investments in information security offered such an amazing ROI potential. For more details, see the article on Cost reductions.
New opportunities enabled through secure information sharing
If you keep paper records safely locked into cabinets, unauthorized access may not be a major concern. But the potential value of information gathered is rarely leveraged unless it easily can be made available for legitimate use. Yet, the greater the value, the greater the risk and the more urgently you will depend on reliable access controls.
With fine-grained and context-aware access control you acquire the ability to publish and make use of information which previously was kept locked away since too much was at stake with older techniques. Fine-grained and context-aware authorization is therefore an important foundation whenever you want to take advantage of new business models and opportunities that involve publishing sensitive information.
For more details, see the article on New opportunities.
An X for eXtensible and standards-based
Axiomatics solutions fully conform with the new standard for access control, the eXtensible Access Control Markup Language (XACML). Extensibility is achieved in many different ways:
- The policy language can be extended with special-purpose profiles and functions for instance to support a specific legal or regulatory domain / jurisdiction.
- Integration interfaces can be used to include new applications or services in the policy controlled domain.
- Policies can be adapted and applied to any kind of use case, business process or work-flow.
For a more detailed description of the XACML standard, see the article on 100% XACML.
An X for Axiomatics, the origins of XACML 3.0
Axiomatics is the world's leading provider of XACML-based technology solutions. The company is an active member of the XACML Technical Committee within OASIS and the main contributor and thought leader for many of the important features that have been added to the standard in version 3.0. The largest XACML deployments worldwide are based on robust policy engines delivered by Axiomatics. Where the XACML standard brings business value, Axiomatics is the obvious choice.
|Depending on focus, concepts and technologies introduced by Axiomatics are sometimes called other things – Externalized authorization, Fine-Grained Authorization, Attribute Based Access Control (ABAC) or Policy Based Access Control (PBAC). Regardless of the name, you can expect essential business values which extend way beyond the immediate scope of access control.|