XACML, transports, crypto, and management – a dev’s view

Travis Spencer (@travisspencer), with whom my colleague Gerry (@ggebel) and I have had chats over the past few months, recently published an interesting article on XACML, its shortcomings, and the possible solutions. Travis structured his ideas around 3 main points: transport / communication protocols, trust, and management. Following this, Gerry had a bit of a chat with our folks in Sweden (@axiomatics) and came up with a response, which you can read on his blog. I wanted to take a few minutes to look back at the challenges from a developer’s / architect’s perspective. It’s worth remembering that XACML defines 3 particular areas: the policy language; the request / response protocol; and the architecture. A XACML request by any other protocol […]

XACML 101 – a quick intro to Attribute-based Access Control with XACML

Acronym: XACML, eXtensible Access Control Markup Language.
Highlights: XACML
- is XML: you can actually read and write XACML with your favorite text editor (not that I would recommend writing XACML that way).
- is human-readable and verbose enough for users to get an understanding of what it’s doing.
- belongs to the OASIS family of standards. You can download the latest standard material here.
- is eXtensible: you can add profiles to cater for specific scenarios, e.g. a profile for hierarchical resources, for role-based access control, for export control…
- is about access control: authorizing who can do what, when and how.
- implements ABAC, attribute-based access control.
What’s ABAC? ABAC stands for attribute-based access control. It is a natural evolution from role-based access control […]

Enhancements and new features in #XACML 3.0

I recently had a chat with the editor of XACML 3.0, Erik Rissanen – also the CTO of Axiomatics – about the latest news on XACML 3.0: the enhancements the standard has gone through and the new features we can look forward to. Multiple Decision Profile: Multiple resource request (XACML 2.0) was renamed Multiple Decision Profile (XACML 3.0) and enhanced with new variants. This profile lets a requestor (typically the Policy Enforcement Point, PEP) ask several questions in one go, to which the Policy Decision Point (PDP) returns one answer with multiple decisions. This profile is particularly useful in web-portal-based scenarios where decisions have to be reached for different parts of a portal within a given page for a given […]

#XACML Architecture Implementations should be modular

When customers decide to externalize their authorization and to go for a standards-based solution, namely a XACML-based solution, they need to be extremely careful about how the vendor implements XACML. It is not just about implementing XACML’s request-response protocol. It is not just about authoring policies natively in XACML. It is also about implementing the XACML architecture in an elegant, efficient, and modular way. The latter contains several key components, as listed hereafter:
1. Firstly, the Policy Decision Point (PDP): this is where policies are evaluated and a decision is reached.
2. Secondly, the Policy Enforcement Point (PEP): this is where the request is created and sent to the PDP, and where the response is received and handled. The PEP can be application-specific.
3. Thirdly […]

#EIC2010: The Anywhere Architecture is Any-Depth too

In a recent keynote (Six Sigma For the Secure Cloud – Equip the Enterprise for Success) at the European Identity Conference, Gerry Gebel introduced the concept of the Anywhere Architecture: Data, applications and users can be anywhere… Does your architecture allow it? “Anywhere Architecture” is required. The whole world is your marketplace and you need the flexibility that you could deploy [services] anywhere. The Anywhere Architecture is about deploying services and connecting to users and data wherever they might be, and enabling these interactions securely. Of course, in such a distributed environment, security needs to be rethought from the ground up. This goes through federated identity, trust establishment, externalized security, and flexible authorization, to name but a few items. […]