Enhancements and new features in #XACML 3.0

I recently had a chat with the editor of XACML 3.0, Erik Rissanen (also the CTO of Axiomatics), about the latest news on XACML 3.0: the enhancements the standard has gone through and the new features we can look forward to. Multiple Decision Profile: the Multiple Resource Request profile of XACML 2.0 was renamed the Multiple Decision Profile in XACML 3.0 and enhanced with new variants. This profile lets a requestor, typically the Policy Enforcement Point (PEP), ask several questions in one request, to which the Policy Decision Point (PDP) returns a single response carrying one decision per question. This profile is particularly useful in web-portal-based scenarios where decisions have to be reached for different parts of a portal within a given page for a given […]


When Swedish Rail Loses Track Of Its Infrastructure

Where have the tracks gone? Yesterday morning, as I arrived on the platform of the local train station, Täby Centrum, where I grab a train Stockholm-bound, I was surprised to see that the railway tracks had disappeared (in part) overnight. I had been told that this was an unsafe neighborhood. Little did I know they meant the target of theft was the railroad. Honestly, what is anyone going to do with that amount of steel? They are bound to be tracked down…

#XACML Architecture Implementations should be modular

When customers decide to externalize their authorization and to go for a standards-based solution, namely a XACML-based solution, they need to be extremely careful about how the vendor implements XACML. It is not just about implementing XACML’s request-response protocol. It is not just about authoring policies natively in XACML. It is also about implementing the XACML architecture in an elegant, efficient, and modular way. That architecture contains several key components, listed hereafter:
1. Firstly, the Policy Decision Point (PDP): this is where policies are evaluated and a decision is reached.
2. Secondly, the Policy Enforcement Point (PEP): this is where the request is created and sent to the PDP, and where the response is received and handled. The PEP can be application-specific.
3. Thirdly […]

#EIC2010: The Anywhere Architecture is Any-Depth too

In a recent keynote (Six Sigma For the Secure Cloud – Equip the Enterprise for Success) at the European Identity Conference, Gerry Gebel introduced the concept of the Anywhere Architecture: data, applications and users can be anywhere… Does your architecture allow it? “Anywhere Architecture” is required. The whole world is your market place and you need the flexibility to deploy [services] anywhere. The Anywhere Architecture is about deploying services and connecting to users and data wherever they might be, and enabling these interactions securely. Of course, in such a distributed environment, security needs to be rethought from the ground up. This involves federated identity, trust establishment, externalized security, and flexible authorization, to name but a few items. […]

Securing web apps – Extend your gateways with fine-grained access control

Increasingly, enterprises need, or want, to expose their applications to the outside, be it the public internet with consumers or a virtual network of distributed enterprise sites accessing corporate resources. Either way, to securely expose web applications, it is common practice to offer access via a DMZ which is protected by a firewall on the one hand (which handles network-level security) and an XML application gateway on the other (which handles XML security, message transformation, routing, endpoint virtualization…). The application gateway also has two security-critical missions: (a) authenticate the requestor and (b) authorize the request. The former is easily achieved by integrating with the authentication solution (e.g. an LDAP directory) and picking up the credentials from the request (username/password, certificates…). The latter […]
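The Multiple Decision Profile excerpt above and this gateway excerpt rely on the same mechanism: the PEP (here, the gateway sitting in the DMZ) builds a XACML 3.0 request, hands it to the PDP and enforces what comes back. The Python below is an added example, not code from Axiomatics or from the original posts. It builds one request that carries several resource questions for a portal page (the repeated-category variant of the Multiple Decision Profile: one resource `<Attributes>` element per portlet), parses a constructed multi-Result response, and fails closed on anything other than an explicit Permit. The portlet identifiers, the user and action values, the `SAMPLE_RESPONSE` document and the function names are all constructed for this example; the transport to the PDP endpoint is not shown.

```python
"""A gateway-side PEP that asks a XACML 3.0 PDP several questions in one request.

Added example (not Axiomatics code). Uses the repeated-category variant of the
Multiple Decision Profile: one <Attributes> element per resource, all in the
resource category, which the PDP expands into one <Result> per resource.
"""
import xml.etree.ElementTree as ET

# Identifiers below are the standard XACML 3.0 core URNs.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ATTR_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ATTR_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ATTR_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

ET.register_namespace("", XACML_NS)  # serialise with a default xmlns


def _tag(name):
    return "{%s}%s" % (XACML_NS, name)


def _add_attributes(request, category, attribute_id, value, include_in_result=False):
    """Append one <Attributes> element holding a single string-valued attribute."""
    attributes = ET.SubElement(request, _tag("Attributes"), {"Category": category})
    attribute = ET.SubElement(attributes, _tag("Attribute"), {
        "AttributeId": attribute_id,
        # IncludeInResult="true" makes the PDP echo this attribute inside the
        # matching <Result>; that echo is how the PEP maps decisions back.
        "IncludeInResult": "true" if include_in_result else "false",
    })
    ET.SubElement(attribute, _tag("AttributeValue"), {"DataType": XS_STRING}).text = value


def build_multi_request(subject_id, action_id, resource_ids):
    """One request for several resources; the PDP answers with one <Result> each.

    CombinedDecision="false" keeps the decisions separate instead of asking
    the PDP to collapse them into a single Permit/Deny.
    """
    request = ET.Element(_tag("Request"),
                         {"ReturnPolicyIdList": "false", "CombinedDecision": "false"})
    _add_attributes(request, CAT_SUBJECT, ATTR_SUBJECT_ID, subject_id)
    _add_attributes(request, CAT_ACTION, ATTR_ACTION_ID, action_id)
    for resource_id in resource_ids:
        _add_attributes(request, CAT_RESOURCE, ATTR_RESOURCE_ID, resource_id,
                        include_in_result=True)
    return ET.tostring(request, encoding="unicode")


def decisions_by_resource(response_xml):
    """Map each <Result> back to the resource-id the PDP echoed into it."""
    decisions = {}
    for result in ET.fromstring(response_xml).findall(_tag("Result")):
        decision = result.findtext(_tag("Decision"))
        for attributes in result.findall(_tag("Attributes")):
            if attributes.get("Category") != CAT_RESOURCE:
                continue
            for attribute in attributes.findall(_tag("Attribute")):
                if attribute.get("AttributeId") == ATTR_RESOURCE_ID:
                    decisions[attribute.findtext(_tag("AttributeValue"))] = decision
    return decisions


def permitted_sections(response_xml, requested_ids):
    """Fail closed: only an explicit Permit shows a section.

    Deny, NotApplicable, Indeterminate and a resource with no Result at all
    are all treated as "hide".
    """
    decisions = decisions_by_resource(response_xml)
    return [rid for rid in requested_ids if decisions.get(rid) == "Permit"]


# Constructed PDP response for the three portlets requested in main() below.
SAMPLE_RESPONSE = """<Response xmlns="%(ns)s">
  <Result><Decision>Permit</Decision>
    <Attributes Category="%(cat)s"><Attribute AttributeId="%(rid)s" IncludeInResult="true">
      <AttributeValue DataType="%(xs)s">portlet:account-summary</AttributeValue></Attribute></Attributes>
  </Result>
  <Result><Decision>Deny</Decision>
    <Attributes Category="%(cat)s"><Attribute AttributeId="%(rid)s" IncludeInResult="true">
      <AttributeValue DataType="%(xs)s">portlet:wire-transfer</AttributeValue></Attribute></Attributes>
  </Result>
  <Result><Decision>NotApplicable</Decision>
    <Attributes Category="%(cat)s"><Attribute AttributeId="%(rid)s" IncludeInResult="true">
      <AttributeValue DataType="%(xs)s">portlet:admin-console</AttributeValue></Attribute></Attributes>
  </Result>
</Response>""" % {"ns": XACML_NS, "cat": CAT_RESOURCE, "rid": ATTR_RESOURCE_ID, "xs": XS_STRING}

if __name__ == "__main__":
    portlets = ["portlet:account-summary", "portlet:wire-transfer", "portlet:admin-console"]
    print(build_multi_request("alice", "view", portlets))
    print(permitted_sections(SAMPLE_RESPONSE, portlets))
```

The point a gateway implementer should take from this is the pairing of `IncludeInResult="true"` on the request side with the echo lookup on the response side: without it, nothing in a multi-Result response tells the PEP which portlet each decision belongs to, and relying on Result order is not something the profile guarantees. The fail-closed mapping in `permitted_sections` is the other half of "authorize the request": a PDP that is unreachable, returns Indeterminate, or simply has no applicable policy must not leave a section visible by default.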