XACML is Dead? Long Live XACML!

 Posted by at 2:45 pm  Work
May 082013
 

Forrester analyst Andras Cser has proclaimed XACML is Dead.

Unfortunately, the data used to justify this proclamation is flawed at many levels.

Disclosure: I am the architect of the XACML 3.0 PDP authorization engine at the heart of the Dell/Quest Authorization Policy Server product, and I am a member of the OASIS XACML technical committee. I am a Dell employee, but the opinions stated here are my own, not my employer’s.

Cser writes:

Lack of broad adoption. The standard is still not widely adopted with large enterprises who have written their authorization engines.

Setting out to write your own authorization engine makes as much sense as writing your own operation system or your own encryption algorithm. Authorization is a complex topic. Rolling your own security system for each application is not a good use of resources, nor a good approach to security in general. For businesses savvy enough to recognize this, there is no shortage of capable authorization engine products available on the market today, most of which support XACML either natively or through an interop transform.

Inability to serve the federated, extended enterprise. XACML was designed to meet the authorization needs of the monolithic enterprise where all users are managed centrally in AD. This is clearly not the case today: companies increasingly have to deal with users whose identities they do not manage.

Wow. Where’d that come from? XACML has absolutely nothing to do with Active Directory, nor user identity in general. I’ve helped customers design XACML policy systems that weren’t dependent upon user identity at all.

A business can write XACML authorization policy rules that test for user identity metadata such as roles, group membership, or attribute values stored in Active Directory. If the business runs multiple AD domains, then they should be careful to write their policy logic in a way that spans their AD domains.

A better solution would be to move away from the central directory model into a claims based model so that the XACML policy rules evaluate security claims about the user submitted with the authorization request. SAML is one mechanism to securely convey user claims. OAuth can carry user claims as well, via token formats such as JWT. When user attributes and claims are presented with the user identity in a XACML authorization request, the XACML PDP can make fine-grain authorization decisions involving user identities from different domains of control. The PDP need only trust the issuer of the user attributes and claims and verify that the cryptographic signature on the user data comes from a trusted issuer.

PDP does a lot of complex things that it does not inform the PEP about.If you get a ‘no, you can’t do that’ decision in the application from the PEP, you’d want to know why. Our customers tell us that this can prove to be very difficult. The PEP may not be able to find out from the complex PDP evaluation process why an authorization was denied.

XACML does provide a mechanism for the PDP to communicate such information to the PEP – Advice. All the business security officer writing policy has to do is attach an Advice element to a policy rule to return information or messages to the PEP and application. Example: If the disk-quota-exceeded rule evaluates to Deny, an Advice element attached to the rule can return a message to the PEP like “You have exceeded your disk quota of {N} MBytes.”

Other responses to this criticism of the tight-lipped PDP returning only a terse Permit or Deny authorization decision:

  • “It’s none of your business”
  • “That’s classified”
  • “It’s not the PEP’s role to ask why. It asks for permission, it gets a Permit or Deny.”
  • “The decision involved other people’s personal data which is not appropriate to disclose to you.”
  • And my favorite: “Divulging the details of the factors that led to this decision can be exploited to construct targeted attacks to circumvent the security system”

A PDP can be configured to have access to back-end data that the client application is not trusted with. Returning this data with the decision would present a significant breach of security. The PDP defaults to returning only the authorization decision itself with no supporting data because this is the most secure option for all cases. A policy writer can opt to add Advice elements to rules to selectively disclose data to the PEP about the decision.

Granted, it is useful to have full disclosure of what’s going on inside the PDP when you are debugging a security policy that isn’t returning the authorization decisions you wanted. That’s outside the XACML spec and left as an exercise for the vendors. Because debugging the internal state of a PDP is inherently tied to the implementation details of the PDP, this isn’t a strong candidate for standardization because every implementation will be different.

When you put your PDP and policies into a production environment, you will turn off everything related to debugging.

Not suitable for cloud and distributed deployment. While some PEPs can bundle the PDP for faster performance, using a PEPs in a cloud environment where you only have a WAN link between a PDP and a PEP is not an option.

Wow. Another “Where did this come from?” A PDP should be a stateless service, which makes it ideal for scaling up to thousands of PDP nodes in the cloud to handle any amount of load. With every PDP instance running the same set of policies, so it doesn’t matter which PDP instance the PEP talks to: they’ll all give the same authorization decision for a given request.

If you’re looking at a PDP that cannot be hosted in the cloud or cannot be scaled up through replication because of some statefulness issue, you need to look for another PDP product.

When considering where to place a PDP service relative to an application, it helps to think of the PDP authorization service like storage. Would you implement a cloud hosted application that consumes data stored on your private corporate network? In most cases, probably not because the round-trip latency would drag your app responsiveness down. You’d locate your storage in the same data center that hosts your app so you have fast and easy access to the data – and no data bandwidth costs or quotas. In special cases where the data is too sensitive or too large to be uploaded to the cloud, taking the performance hit to remotely access the data residing on your private network may be more acceptable than the general case.

The same is true of other services your cloud-hosted application relies upon, including authorization. In most cases, it makes the most sense to locate one or more PDP servers in the same data center that hosts your app. The PDP servers may need to occasionally get policy updates from your corporate network, but these are relatively rare events and won’t affect service availability. The use case of having a cloud based app always calling into your corporate network for authorization would be extremely rare/unusual, requiring a mountain of extenuating circumstances to justify.

Commercial support is non-existent.

A curious statement considering the Forrester article opened with a mention of a commercial authorization product (Quest APS) which supports XACML and includes PEP libraries to facilitate application development. There’s no shortage of other commercial XACML PDP system vendors as well.

I suppose the fact that one of the largest network router makers uses XACML as part of their router security policy authoring system doesn’t count as commercial support for XACML. Or Boeing, or major banks and brokerage houses. I suppose the fact that the US Government (Defense Information Systems Agency JPES) requires XACML conformance in new systems doesn’t count as commercial support either. That’s the public sector, after all.

It’s true that you won’t find a PEP enabled shrink-wrapped software product in stores today. External authorization doesn’t provide much benefit for consumer applications installed at home (yet*). Large enterprises generally don’t send an intern out to pick up a 10,000 seat software product at OfficeMax. We shouldn’t judge the health of the business software industry by what you find on the shelf at the local office supply store.

(*)With the rapid acceleration of the rise of the machines the “Internet of Things” (tiny devices all through your house or office that communicate with each other over TCP/IP networks) authorization and access control in the home environment is going to become a big issue very soon.

Refactoring and rebuilding existing in-house applications is not an option.

It’s true. It’s hard to convert an application built long ago on the premise that it makes its own authorization decisions based on its own internal authorization policy logic into something that defers those decisions to an external authorization service, where policy can be changed rapidly without requiring a redeployment of applications.

You can avoid the cost of refactoring in-house applications by committing development resources to implementing corporate policy logic in each application in your organization, to updating each of those application every time corporate policy changes, and to deploying those updated applications in the field.

This will be much less expensive than refactoring for external authorization, so long as the number of applications you’re responsible for is less than 2, your corporate policy changes less than once annually, and/or all of your users reside in the same building.

OAuth supports the mobile application endpoint in a lightweight manner XACML today largely supports web based applications. While OAuth’s current profiles are not a full-blown replacement for XACML functionality, we see that OAuth’s simplicity made it the de-facto choice for mobile and also non-mobile applications.

Apples vs oranges here. OAuth doesn’t provide fine-grain authorization. OAuth doesn’t provide external policy evaluation either. OAuth is a lighter weight response to things like SAML which can convey identity and user attributes in a secure manner. OAuth is a communication protocol to pass authorization data around securely. XACML is a policy evaluation system that produces authorization data.

You can use OAuth with XACML. You can use OAuth authorize a PEP to make requests to a PDP, or to convey user identity & attributes to the PDP as part of an authorization request. But since OAuth and XACML are fundamentally different things in the authorization stack, one cannot replace the other.

Yes, OAuth’s relative simplicity has enabled OAuth to trump SAML, particularly in the consumer web application space (Google, Facebook, Twitter, etc). That’s hardly a criticism of XACML. If constructing XACML authorization requests in XML is too difficult on your mobile device, then use the XACML REST and JSON profiles instead.

I hope you find these data points useful, and I look forward to Forrester learning more about XACML in the future. ;>

Window Firewall Won’t Start – Error 6801

 Posted by at 12:41 pm  Software
Oct 252012
 

Great googly-moogly. I’ve been fighting with a variety of services on one of my Windows machines for several weeks. Windows updates have been deadlocked since mid August. Some troubleshooting guide suggested disabling Windows Firewall temporarily until the updates could complete. Not only did disabling Windows Firewall not resolve the Windows Update issue, but Windows Firewall [...]

We Are DELL

 Posted by at 9:14 am  Work
Sep 282012
 

Dell has completed the acquisition of Quest Software. We are now Dell! It has been a busy year or so. I joined BiTKOO in October 2010 to help expand and scale BiTKOO’s push into the nascent XACML external authorization space. 14 months later, Quest Software acquired BiTKOO in part to fill a gap in Quest’s [...]

First Cast Glass

 Posted by at 4:08 pm  Ceramics
Sep 192012
 
First Cast Glass

I’ve wondered for awhile whether my old electric kiln could manage the long slow heat soak required for glass casting. Flat kilns with heating elements in the top are recommended for hot glass work because a) a lot of glass work is flat (plates, windows) and b) heating large flat pieces of glass from the [...]

Delphi Compiler Core blog (2003-2005) Added to Archives

 Posted by at 12:02 am  Web
Sep 142012
 

Stage 2 of my personal Own Your Words quest has been completed. 75 articles I wrote for the Delphi Compiler Core blog from 2003 to 2005 while at Borland are now republished here on my personal site. You can find them all in the Delphi Compiler Core category. This archiving task was considerably more of [...]

Windows Live Quantum Mechanics MSDN Blog Added to Archives

 Posted by at 10:27 am  Web
Sep 132012
 

In the spirit of Own Your Words I recently completed importing all 81 articles I published on my “Windows Live Quantum Mechanics” blog on MSDN while I worked at Microsoft in the Windows Live development group (2006-2007). These articles are now archived on my personal web site under the Windows Live Quantum Mechanics category. I’d like to give [...]

Own Your Words

 Posted by at 11:59 pm  Web
Sep 122012
 

I learned the “Own Your Words” mantra the hard way several years ago. I’ve blogged on technical topics under a number of banners and web sites over the years. My blog moved twice while at Borland as new/better blog services came online every few years. While at Microsoft I was delighted to have the opportunity [...]

Broadening Horizons

 Posted by at 5:55 pm  Ceramics
Aug 212012
 
Broadening Horizons

In the spirit of consolidating my online identity onto a server I control and actually own the content, I’m repurposing dannythorpe.com to include non-software stuff I’m into as well as the software and technology related stuff I’ve posted here for years. I have been intending to build separate sites for my various fields of interest, [...]

A Tale of Two Bowls

 Posted by at 5:23 pm  Ceramics
Aug 212012
 
A Tale of Two Bowls

These two bowls are made with the same stoneware clay, the same glazes, and the same firing temperatures and schedules. They were fired in the kiln together, side by side. And yet the colors are so distinctly different between the two. Why? The only difference between these two pieces is the thickness of the glaze [...]

Green Rimmed Rivet Bowl

 Ceramics  Comments Off
Jul 282012
 
Green Rimmed Rivet Bowl

I’ve been trying to get a nice clean rim impression from my “circle dot” pattern wheel for ages. We don’t have failures, we just have lots of practice and educational opportunities. Clay too wet/sticky, too much pressure, not enough pressure, uneven distance from the rim, and worst of all the tail not meeting up with [...]

Green Rimmed Doodle Bowl

 Ceramics  Comments Off
Jul 282012
 
Green Rimmed Doodle Bowl

As I was finishing this bowl with a saturated iron teadust glaze I idlely swirled a finger around in the goop puddling in the bottom of the bowl.  Who doesn’t enjoy a finger swirl in goop every now and then? I didn’t realize my brief moment of doodling would create a distinct indelible pattern in [...]

A Wee Wisp

 Ceramics  Comments Off
Jul 282012
 
A Wee Wisp

The blue “wisps” in this piece are very hard to see in these photos, but jump out and dance in direct sunlight. The shadowy sprites are the by-product of an uncharacteristically gluttonous glaze interaction. This black base glaze has a tendency to swallow up color that is put over it, but for this particular top [...]

Page 1 of 16 1 2 3 15 16