I was working with the IT R&D team at Credit Suisse when we provided seed funding for Securent, which was one of the first major XACML implementations. My colleague Mark Luppi and I had come across Rajiv Gupta and Sekhar Sarukkai when we’d been looking at Web Services Management platforms, as their company Confluent had made our short list. The double acquisition of Confluent by Oblix then Oracle set Rajiv free, and he came to us saying ‘I’m going to do a new startup but I don’t know what it is yet’. Mark had come to the realisation that authorization was an ongoing problem for enterprise applications, and we suggested to Rajiv that he build an entitlements service, with us providing a large application as the proof point.
Back in March 2008 (when I was still at Credit Suisse) I wrote ‘Directories 2.0’, in which I laid out my hopes that XACML based authorization services would become as ubiquitous as LDAP directories (particularly Active Directory).
I also at that time highlighted an issue – XACML was ‘like LDIF without LDAP’ – that it was an interchange format without an interface. It was going to be hard for people to universally adopt XACML based systems unless there was a standard way to plug into them. Luckily this was fixed the following year by the release of an open XACML API (which I wrote about in ‘A good week for identity management’).
I’ll reflect on why my expectations were ruined toward the end of the post.
Best practices for access control
Anil Saldhana has stepped up out of the identity community internecine warfare about XACML and written an excellent post ‘Authorization (Access Control) Best Practices’. I’d like to go through his points in turn and offer my own perspective:
- Know that you will need access control/authorization
The issue that drove us back at Credit Suisse was that we saw far too many apps where access control was an afterthought. A small part of the larger problem of security being a non functional requirement that’s easy to push down the priority list whilst ‘making the application work’. Time and time again we saw development teams getting stuck with audit points (a couple of years after going into production) because authorization was inadequate. We needed a systematic approach, an enterprise scale service, and that’s why we worked with the Securent guys.
- Externalize the access control policy processing
The normal run of things was for apps to have authorization as a table in their database, and this usually ran into trouble around segregation of duties (and was often an administrative nightmare).
- Understand the difference between coarse grained and fine grained authorization
This is why I’m a big fan of threat modeling at the design stage for an application, as it makes people think about the roles of users and the access that those roles will have. If you have a threat model then it’s usually pretty obvious what granularity you’re dealing with.
- Design for coarse grained authorization but keep the design flexible for fine grained authorization
This particularly makes sense when the design is iterative (because you’re using agile methodologies). It may not be clear at the start that fine grained authorization is needed, but pretty much every app will need something coarse grained.
- Know the difference between Access Control Lists and Access Control standards
We’re generally trying not to reinvent wheels, but this point is about using new well finished wheels rather than old wobbly ones. I think this point also tends to relate more to the management of unstructured data, where underlying systems offer a cornucopia of ACL systems that could be used.
- Adopt Rule Based Access Control: view Access Control as Rules and Attributes
This relates back to the threat model I touched upon earlier. Roles are often the wrong unit of currency because they’re an arbitrary abstraction. Attributes are something you can be more definite about, as they can be measured or assigned.
- Adopt REST Style Architecture when your situation demands scale and thus REST authorization standards
This is firstly a statement that REST has won out over SOAP in the battle of WS-(Death)Star, but is more broadly about being service oriented. The underbelly of this point is that authorization services become a dependency, often a critical one, so they need to be robust, and there needs to be a coherent plan to deal with failure.
- Understand the difference between Enforcement versus Entitlement model
This relates very closely to my last point about dependency, and whether the entitlements system is an inline dependency or out of band.
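The points above about externalising policy, expressing it as rules over attributes rather than roles, and treating the authorization service as a critical dependency can be shown together in a few lines. This is an added example, not code from the post, from Securent or from any XACML implementation; the policy, the attribute names and the PDP/PEP split are constructed for illustration, and the in-line enforcement point fails closed when the decision point cannot be reached.

```python
# Added example (not from the post or from Securent/XACML): a toy attribute-based policy
# decision point (PDP) kept outside the app, and an in-line enforcement point (PEP) that
# fails closed when the PDP is unavailable. All names and the policy are constructed.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]
Condition = Callable[[Attrs, Attrs, Attrs], bool]  # (subject, resource, action) -> match?

@dataclass
class Rule:
    effect: str           # "Permit" or "Deny"
    condition: Condition  # predicate over attributes, not a role name

@dataclass
class Policy:
    """Deny-overrides combining: any matching Deny wins, otherwise the first matching
    Permit, otherwise NotApplicable (which the PEP must treat as not allowed)."""
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, subject: Attrs, resource: Attrs, action: Attrs) -> str:
        permit_seen = False
        for rule in self.rules:
            if rule.condition(subject, resource, action):
                if rule.effect == "Deny":
                    return "Deny"
                permit_seen = True
        return "Permit" if permit_seen else "NotApplicable"

# Constructed policy for approving a payment: approver must not be the creator (segregation
# of duties), must be within their approval limit, and must be in the payment's department.
PAYMENT_POLICY = Policy(rules=[
    Rule("Deny", lambda s, r, a: a["id"] == "approve" and r["created_by"] == s["id"]),
    Rule("Deny", lambda s, r, a: a["id"] == "approve" and r["amount"] > s["approval_limit"]),
    Rule("Permit", lambda s, r, a: a["id"] == "approve" and r["department"] == s["department"]),
])

def pdp_decide(subject: Attrs, resource: Attrs, action: Attrs) -> str:
    return PAYMENT_POLICY.evaluate(subject, resource, action)  # stands in for the remote PDP call

class EnforcementPoint:
    """In-line PEP inside the application: asks the PDP and acts only on 'Permit'.
    If the call fails (PDP down or timed out) the answer is deny, not a guess."""
    def __init__(self, decide: Callable[[Attrs, Attrs, Attrs], str]):
        self.decide = decide

    def is_allowed(self, subject: Attrs, resource: Attrs, action: Attrs) -> bool:
        try:
            return self.decide(subject, resource, action) == "Permit"
        except Exception:
            return False  # fail closed: the PDP is a critical dependency
```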
So what went wrong?
It’s now over 5 years since I laid out my expectations, and it’s safe to say that my expectations haven’t been met. I think there are a few reasons why that happened:
- Loss of momentum
Prior to the Cisco acquisition Securent was one of a handful of startups making the running in the authorization space. After the acquisition Securent stopped moving forward, and the competition didn’t have to keep running to keep up. The entire segment lost momentum.
- My app, your apps
Entitlements is more of a problem for the enterprise with thousands of apps than it is for the packaged software vendor that may only have one. We ended up with a chicken and egg situation where enterprises didn’t have the service for off the shelf packages to integrate into, and since the off the shelf packages didn’t support entitlements services there was less incentive to buy in. Active Directory had its own killer app – the Windows Desktop, which (approximately) everybody needed anyway, and once AD was there it was natural to (re)use it for other things. Fine grained services never had their killer app – adoption always had to be predicated on in house apps.
- Fine grained is a minority sport
Many apps can get by with coarse grained authorization (point 4 above) so fine grained services find it harder to build a business case for adoption.
- In house can be good enough
When the commercial services aren’t delivering on feature requests (because the industry lost momentum), and the problem is mostly in house apps (because off the shelf stuff is going its own way) then an in house service (that isn’t standards based) might well take hold. Once there’s a good enough in house approach the business case of a 3rd party platform becomes harder than ever to make.
It’s been something like 9 years since I started out on my authorization journey, and whilst the state of the art has advanced substantially, the destination I envisaged still seems almost as distant as it was at the start. XACML and systems based upon it have failed to live up to my expectations, but that doesn’t mean that they’ve failed to deliver any value. I think at this point it’s probably fair to say that the original destination will never be reached, but as with many things the journey has borne many of its own rewards.
Stupidly we didn’t take any equity – the whole thing was structured as paying for a prototype.