In XACML, what is a bag?

Background

Attribute Based Access Control (ABAC) leverages attributes in combination with a set of policies to determine authorization decisions. A request is sent from an application, API gateway, or something else that acts as a Policy Enforcement Point (PEP). The Policy Decision Point (PDP) receives the request and evaluates it against the authorization policies that it has in place. While doing so, the PDP might leverage one or more Policy Information Points (PIP) in order to retrieve additional attribute values.

How Big Data is Driving Evolution in Identity and Access Management

big Data Gartner2 blogpage

What is Big Data and Why You Should Care

In a previous post, I discussed some of the security challenges awaiting companies looking to leverage the explosion of Big Data. The term itself - “Big Data” - is sort of vague. What do we mean when we say Big Data? Is it the size of the data files? The number of files?

Why don’t I get Obligations or Advice back on Indeterminate or Not Applicable responses?

Background

When a policy is being evaluated by an XACML 3.0 Policy Decision Point (PDP), Obligations and Advice elements will be ignored for "Indeterminate" and "Not Applicable" results. Only a "Permit" or "Deny" decision will result in an Obligation or Advice message being returned. This installment of our Question of the Week explores the reason for this behavior.

Gartner's IAM Summit: A Beginner's Guide to Digital Transformation

Axiomatics is heading to Gartner’s annual Identity and Access Management (IAM) Summit on November 29 at Caesar's Palace in Las Vegas. By the time the event concludes on December 1st, the 1600-plus attendees will have a better understanding of the most pressing security issues facing digital leaders today. We know governance, processes and controls, and the cloud will be top of mind for most attendees, however, a number of new topics are beginning to emerge organically in the security space. The most prevalent and impactful of these is Digital Transformation.

If you’re new to the concept of IAM, or just want to be able to hold your own at cocktail hours, we’ve written an overview of the Foundations of IAM.

How can the permit-unless-deny combining algorithm be dangerous?

Background

We haven’t discussed combining algorithms much, but they are just one of the many powerful features of an XACML-based authorization system.  You can think of combining algorithms as a way to assign weight to many partial answers to the same question.  Let’s use a background check as an example.  A background check has many different questions/tests in it, but how do you determine if someone passes or fails?  The administrator of the background check combines all of the individual answers to produce a final, all-encompassing pass/fail result.  They know which tests carry more weight and combine the results accordingly.  If you prefer a technical mumbo jumbo explanation, you can check out this post which also includes a truth table which explains how results are combined in XACML.

Security, Dynamic Authorization and the Big Data Landscape

The big data landscape is, not surprisingly, big. Matt Turck’s excellent blog (mattturck.com) has good coverage on the development in this area and captures how much the landscape has grown over the past few years. The figure below, created by Turck, captures the vendors in the Big Data landscape, divided by the functional aspects of their products.

We’re heading to London - see you at the Identity Management Event!

This Wednesday, November 9th, Axiomatics and other industry leaders from large enterprises and government agencies alike will attend IDM UK in London. This will be the 14th bi-annual identity management meeting held by Whitehall Media, and as we draw to a close on 2016, attendees of this summit will discuss new opportunities and trends to move forward in digital business with the incoming new year.

How do I use the map function in XACML?

In XACML, what are Map functions?

The short answer: a map function applies or maps another function to a set of values.

Background

XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute Based Access Control (ABAC). As the name indicates, XACML uses attributes with a policy language to convey authorization statements.

How do I write authorization policies for Big Data?

When it comes to securing access to services and data, we see many different use cases and, with that, the enforcement of authorization rules at different layers in the IT stack. This spans all the way from the Web/Presentation tier down to the data tier as illustrated in Figure 1.

Enforcing authorization directly at the data level is incredibly powerful as it could mean minimal or no changes to the applications that are accessing the data itself. The approach could be designed in such a way that, regardless of what application (web application, business analysis, etc.) is accessing the data, access is systematically controlled and consistently enforced. With this model, you can achieve tremendous leverage to cover many applications with a single ABAC integration at the data source.

How can commercial off-the-shelf (COTS) applications be supported with XACML?

As a Sales Engineer, it’s not uncommon to meet with a customer - or a prospective customer - who, along with securing APIs, microservices and a web portal, would also like to secure some commercial off-the-shelf application (“COTS application” from here on). And why not? They see themselves shifting from the limitations of RBAC to the possibilities of ABAC, so the question makes sense. The challenge, of course, is that the COTS application in question isn’t built by your team, nor can you change its already compiled code. So what can be done about it?
