How Using ABAC Can Improve API Security in 2017

During Gartner’s recent IAM conference, I noticed an emerging conversation around the issues of API usage at the enterprise level. Enterprise adoption of APIs is viewed as an inevitable consequence of the ongoing digital transformation many IT professionals are managing.

API stands for Application Programming Interface; APIs help developers create applications that communicate easily with other applications and services. APIs are the backbone of any application ecosystem, and those ecosystems are a huge part of the trend towards digital transformation. All of those applications talking to one another generate a huge amount of user data that enterprise companies need to be prepared to manage and secure.


Top Five Trends to Transform Enterprise Security in 2017

Our experts at Axiomatics got together at the end of the year to take a look at the trends in store for 2017. Some of these may sound familiar, as the era of digital transformation continues to expand. But you'll find a common theme: Marty Leamy, our Americas President said it best, “This year’s trends examine the evolving ways organizations can realize better enterprise-wide security with the exploding amounts of data that enterprises need to protect. Business executives are demanding better enterprise-wide security for all of their data, not only for regulatory compliance but also to protect their most critical assets.”

Attribute Based Access Control can help you address these areas that will challenge access control across your enterprise. Read on for the Top Five!


How can many complex permit rules for the same policy be managed?

Background

XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute Based Access Control (ABAC). As the name indicates, XACML uses attributes inside policies to convey authorization statements. Policy authoring can be an art form, and we won’t get into every aspect of policy authoring today. For a brief overview of what a policy is, click here.


Going on vacation, how can I implement delegation in XACML?

Delegating access: the proxy-delegate pattern

Sometimes, as users, we want to delegate access to our resources. For instance, an account manager may want to delegate access to their accounts to another account manager. This typically happens when the first account manager, Alice, is on vacation or unavailable, and she wants to make sure another manager, Bob, can handle her accounts.


What is the main difference between XACML 3.0 and XACML 2.0?

To Axiomatics prospects and customers, standardization, or standards compliance, is of great importance and often one of the deciding factors in choosing Axiomatics over “homegrown” or vendor proprietary products.

A standards-based product will, among other things, allow the customer to source software from multiple standards-compliant vendors and to reduce the business risk of “vendor lock-in.” When it comes to Attribute Based Access Control (ABAC), the only applicable standard is the eXtensible Access Control Markup Language (XACML). This is the standard to which an organization should require compliance when looking at solutions for Externalized Access Management (the term that Gartner now uses) / fine-grained access control / Attribute Based Access Control.


Externalized Dynamic Authorization in a [Micro]Services World

Part 1: OAuth and OpenID Connect Come Together with Externalized Dynamic Authorization

This is a multi-part series of articles describing why and how one can approach applying Externalized Dynamic Authorization to an API and/or microservices architecture that uses OAuth 2.0 flows and/or OpenID Connect (OIDC). Externalized Dynamic Authorization and OAuth 2.0 (and/or OIDC) are complementary technologies. Some of the naming, however, can lead to confusion about what roles each can and should play. The series is divided into multiple parts. This Primer provides some background on the standards involved in the series, including OAuth 2.0 (referred to as just OAuth from here on out) and OpenID Connect (OIDC). A tutorial on the eXtensible Access Control Markup Language (XACML) is available as well.


In XACML, what is a bag?

Background

Attribute Based Access Control (ABAC) leverages attributes in combination with a set of policies to determine authorization decisions. A request is sent from an application, API gateway, or something else that acts as a Policy Enforcement Point (PEP). The Policy Decision Point (PDP) receives the request and evaluates it against the authorization policies it has in place. While doing so, the PDP might leverage one or more Policy Information Points (PIPs) in order to retrieve additional attribute values.


How Big Data is Driving Evolution in Identity and Access Management

What is Big Data and Why You Should Care

In a previous post, I discussed some of the security challenges awaiting companies looking to leverage the explosion of Big Data. The term itself - “Big Data” - is sort of vague. What do we mean when we say Big Data? Is it the size of the data files? The number of files?


Why don’t I get Obligations or Advice back on Indeterminate or Not Applicable responses?

Background

When a policy is evaluated by an XACML 3.0 Policy Decision Point (PDP), Obligations and Advice elements are ignored for “Indeterminate” and “Not Applicable” results. Only a “Permit” or “Deny” decision will result in an Obligation or Advice message being returned. This installment of our Question of the Week explores the reason for this behavior.


How can the permit-unless-deny combining algorithm be dangerous?

Background

We haven’t discussed combining algorithms much, but they are just one of the many powerful features of an XACML-based authorization system. You can think of combining algorithms as a way to assign weight to many partial answers to the same question. Let’s use a background check as an example. A background check has many different questions/tests in it, but how do you determine if someone passes or fails? The administrator of the background check combines all of the individual answers to produce a final, all-encompassing pass/fail result. They know which tests carry more weight and combine the results accordingly. If you prefer a technical mumbo-jumbo explanation, you can check out this post, which also includes a truth table explaining how results are combined in XACML.


Security, Dynamic Authorization and the Big Data Landscape

The big data landscape is, not surprisingly, big. Matt Turck’s excellent blog (mattturck.com) has good coverage of developments in this area and captures how much the landscape has grown over the past few years. The figure below, created by Turck, captures the vendors in the Big Data landscape, divided by the functional aspects of their products.


How do I use the map function in XACML?

In XACML, what are Map functions?

The short answer: a map function applies or maps another function to a set of values.

Background

XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute Based Access Control (ABAC). As the name indicates, XACML uses attributes with a policy language to convey authorization statements.


How do I write authorization policies for Big Data?

When it comes to securing access to services and data, we see many different use cases and, with that, the enforcement of authorization rules at different layers in the IT stack. This spans all the way from the Web/Presentation tier down to the data tier as illustrated in Figure 1.

Enforcing authorization directly at the data level is incredibly powerful as it could mean minimal or no changes to the applications that are accessing the data itself. The approach could be designed in such a way that, regardless of what application (web application, business analysis, etc.) is accessing the data, access is systematically controlled and consistently enforced. With this model, you can achieve tremendous leverage to cover many applications with a single ABAC integration at the data source.


How can commercial off-the-shelf (COTS) applications be supported with XACML?

As a Sales Engineer, it’s not uncommon to meet with a customer - or a prospective customer - who, along with securing APIs, microservices and a web portal, would also like to secure some commercial off-the-shelf application (“COTS application” from here on). And why not? They see themselves shifting from the limitations of RBAC to the possibilities of ABAC, so the question makes sense. The challenge, of course, is that said COTS application isn’t built by your team, nor can you change its already compiled code. So what can be done about it?


How Can I Use Policy References in ALFA?

The Abbreviated Language For Authorization (Wikipedia), or ALFA, is a domain-specific language used to express XACML authorization policies. It is by far easier to work with than writing the raw XML. Depending on whom you ask, it is also easier to understand and work with than UI tools.

Currently there is only one way to write an ALFA policy, and that is to use the ALFA plug-in for Eclipse. This is not going to be a post about ALFA in general but more specifically about how to define and use Policy and PolicySet references, and what the end result is.


Why Does Retrieving Attribute Values from a Secure LDAP Slow Performance?

This week's question gets into a very specific XACML implementation detail, but it is one that I encounter often, so I thought this might be a good place to raise awareness. You are probably already aware that one of the key features of an Attribute Based Access Control (ABAC) system is the ability to use many attributes to make fine-grained authorization decisions. The XACML reference architecture makes getting these attributes easier by defining Policy Information Points (PIPs), but what happens when the underlying data source requires a secure LDAP connection?


The Benefits of Fine-Grained Dynamic Authorization: An introduction to Attribute Based Access Control

One of the great benefits of Attribute Based Access Control (ABAC) is that it can be as coarse- or fine-grained as you need it to be. You start with two attributes, role and data, and you have Role Based Access Control (RBAC). But from there, it gets much more interesting, as you can add as few or as many attributes as necessary to your authorization policy in order to control who can access what: attributes such as time of day, location of the user, device being used, and so on. The context of each attribute is then taken into consideration at the time of request before access is granted or denied.


ABAC, the dynamic authorization solution for your APIs and Applications

Scale the heights of enterprise access control:

IT and security leaders in large organizations often find themselves standing at the foot of a daunting mountain. That mountain is a mandate from their leadership to “improve security,” “do a better job in protecting data,” and “improve visibility on who can see what data and when it is accessed.” And, do this for the entire enterprise.


100% Pure XACML

X may mark the spot if you’re looking for treasure, but if you’re looking to protect something dear to you, such as your sensitive assets, X can also form part of your security program. That’s because X is the first letter in XACML, the OASIS standard language that authorization solutions from Axiomatics are based on. eXtensible Access Control Markup Language (XACML) offers a standardized way to achieve externalized and dynamic authorization. This means that authorization decisions are made by an authorization service at run-time, based on policies which determine what actions a user or service can perform on a given information asset and in a specific context.


Dynamic Authorization: The Natural Evolution of Access Control

Access Control has been around ever since there has been the need to protect valuable assets. Sentries were posted and moats were built. Still, history is littered with access breaches, many of which, such as the Trojan horse, have gone down in folklore.


When and How Can I Express Negative Logic in XACML?

When authoring an access control policy, you may be creating a logical structure that calls for a negative expression. For example, you might be protecting a resource where access approval requires that the requestor not be a part-time employee [e.g. not(employeeType==partTime)].


Attribute Based Access Control Beyond Roles

Over the past 20 years the IT road map has changed beyond recognition. Cloud computing, smartphones and online services are part of our daily routines. Until now however, access control has been predominantly managed with a static, antiquated model, namely RBAC. The time has now come to look beyond this, and use a dynamic, intelligent model. It's time for ABAC.


What is an XACML Policy Reference?

XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute-Based Access Control (ABAC). XACML uses attributes inside policies to convey authorization statements. Policy authoring can be an art form, and we won’t be getting into every aspect of policy authoring in this article. For a brief overview of what a policy is, check this Axiomatics article out.


In XACML what is the StringOneAndOnly function?

XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute-Based Access Control (ABAC). As the name indicates, XACML uses attributes inside policies to convey authorization statements.


How Can I implement Access Control Lists (ACL) Using XACML Policies?

Let me first give you a short introduction to Access Control Lists (ACLs). In software, an ACL is a list of permissions granted to subjects on an object, where the subject might be Bob or Alice and the object might be the vacation calendar. The ACL is (typically) attached to and administered on the object, and (again: typically) each list entry contains a user or a group and a permitted action such as ‘read’. Simpler lists contain the user identity only, which means all actions are permitted.


Why Should I Define Attribute Connectors Using JNDI?

One of the key benefits of an Attribute Based Access Control (ABAC) system is the ability to use many attributes to make fine-grained authorization decisions. The XACML reference architecture makes getting these attributes easier by defining Policy Information Points (PIPs).
