Dynamic Authorization, Secure by Design
For enterprise architects and security architects, the Attribute Based Access Control (ABAC) reference architecture offers great advantages. The model is often referred to as Externalized Authorization since it introduces a centralized authorization service that replaces authorization logic within application code. The result is a clean separation of concerns: no authorization logic is needed inside the application code, and authentication is fully separated from authorization.
Axiomatics products externalize authorization through strict conformance with the eXtensible Access Control Markup Language (XACML).
The Policy Enforcement Point intercepts access requests and forwards them to a policy engine, the Policy Decision Point, which evaluates policies that may depend on attribute values retrieved from external sources, so-called Policy Information Points. The policy evaluation leads to a decision, PERMIT or DENY, which is returned to the enforcement point for execution. Policy administrators use an editor, the Policy Administration Point, to maintain the policies of the engine.
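To make the flow concrete, here is an added Python model of the points just described, and of the write-once enforcement block discussed below: an enforcement point forwards every request to a decision point, which pulls missing attributes from an information point and combines rules deny-overrides style. This is illustrative code, not Axiomatics' product or a XACML implementation; the attribute names, the two subjects and the two rules are constructed for the example.

```python
from typing import Callable, List, Optional, Tuple

# Constructed Policy Information Point data (hypothetical): subject attributes
# that the access request itself does not carry.
PIP_SUBJECTS = {
    "alice": {"department": "finance", "clearance": 3},
    "bob": {"department": "engineering", "clearance": 1},
}

# Policies as (effect, target predicate). A predicate needing an attribute the
# enriched request lacks raises KeyError, which becomes INDETERMINATE below.
RULES: List[Tuple[str, Callable[[dict], bool]]] = [
    ("DENY", lambda r: r["resource.classification"] > r["subject.clearance"]),
    ("PERMIT", lambda r: r["action"] == "read"
     and r["subject.department"] == r["resource.owner_dept"]),
]

def pip_enrich(request: dict) -> dict:
    """Policy Information Point: add externally sourced subject attributes."""
    enriched = dict(request)
    for key, value in PIP_SUBJECTS.get(request["subject.id"], {}).items():
        enriched[f"subject.{key}"] = value
    return enriched

def pdp_decide(request: dict) -> str:
    """Policy Decision Point, simplified XACML deny-overrides: an applicable DENY
    wins, an unevaluable DENY rule gives INDETERMINATE, then PERMIT if any applied."""
    request = pip_enrich(request)
    saw_permit, indeterminate = False, set()
    for effect, applies in RULES:
        try:
            if not applies(request):
                continue
        except KeyError:
            indeterminate.add(effect)
            continue
        if effect == "DENY":
            return "DENY"
        saw_permit = True
    if "DENY" in indeterminate:
        return "INDETERMINATE"
    if saw_permit:
        return "PERMIT"
    return "INDETERMINATE" if indeterminate else "NOT_APPLICABLE"

def pep_enforce(request: dict, operation: Callable[[], str]) -> Tuple[str, Optional[str]]:
    """Policy Enforcement Point, written once and reused at every access point:
    only an explicit PERMIT runs the protected operation; all else fails closed."""
    decision = pdp_decide(request)
    return decision, (operation() if decision == "PERMIT" else None)
```

Note that the enforcement point treats NOT_APPLICABLE and INDETERMINATE like DENY: a missing attribute or an unmatched policy must never open access.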
Externalized authorization brings a number of benefits for software development teams.
- Write Once – Use Many Times
Systems and applications protected by Axiomatics are integrated via Enforcement modules at suitable access points. This can be achieved with an integration block inside applications, in XML gateways, portals, servlets, ESBs, etc. The Enforcement block captures access requests, forwards them to the authorization service and then takes action depending on the response: PERMIT or DENY. The code block is written once and called over and over again whenever an access request is made. Conventional authorization rules, by contrast, are implemented as a series of “if… then… else” clauses in programming code. Common estimates show that 20%-40% of the programming code in applications with non-trivial access control requirements relates to authorization. With Axiomatics you can expect to reduce this effort by 50%.
- Reduced Time-to-Market
The separation between functional requirements and the non-functional access control rules allows much more rapid development. Developers can start writing code to meet functional requirements even if access control schemes are not yet known. Business analysts work in parallel with software developers and define or change policies as needed with minimal impact on development.
- Simplified Change Management
In conventional software life cycle management, you have to recompile and re-test applications every time a changed business rule impacts user permissions in an application. Once the authorization rules have been externalized from the application, a change in business rules can easily be catered for through policy updates, a much more agile procedure.
Conformance with applicable business rules and regulatory mandates is tested and verified at the level of the authorization engine. As a result, the externalized authorization policies become more transparent and easier to verify.