Wednesday, May 8, 2013

Is XACML really dead? Should we all go OAUTH?

Andras Cser from Forrester has a blog entry titled "XACML is dead". That is a catchy title for the blog post. :)

As a participant in the creation of the OASIS XACML v3 specification (and having dabbled with an open source XACML implementation, PicketBox XACML), I would like to put forward some of my thoughts on this topic.

Let me start with some general questions and my answers. One of those questions will be about XACML. After that, I am going to provide some feedback on Andras's blog entry.

Question: Is XML dead?
Answer: Probably not. Enterprise Integration still relies heavily on XML.

Question: Is REST architecture the vogue?
Answer: For new applications and new workflows, REST architecture is heavily favored. To some extent, this is due to the growing importance of Cloud Technologies and APIs.

Question: Is JSON the best format for applications?
Answer: It depends on where the applications are.

For web applications and REST applications, JSON is certainly the better format compared to XML. But the challenge lies in securing JSON. The JSON token format, signature and encryption specifications are still works in progress at the IETF. Bill Burke has done some excellent work with REST security at the RESTEasy project.

For enterprise applications, XML is still the norm in backend integration and configuration.

Question: Is there one security standard that I can use?
Answer: Wishful thinking.

You can pick the best one from the following: SAML, OAuth, XACML, PKI, SSL/TLS, XML Signature/Encryption, RSA, AES and a million others.

The answer is it depends on the problem you are solving and which standard applies to the problem domain.

Question: Are there standards for access control?
Answer: There are two standards as far as I know.

a) OASIS XACML: A language for defining access control policies. It also defines architectural elements such as the PDP, PEP, PAP, etc. for an access control infrastructure.

b) IETF OAuth2: Authorization of resources at Internet scale.

Question: Are SAML and XACML dead?
Answer: It depends on who you ask.

Customers and large enterprises that have built their identity management infrastructure on SAML and XACML will say that they are not dead.

Going by the latest buzz around cloud/mobile services, you would think OAuth is the panacea for all security problems.

SAML and XACML are standards that are pretty mainstream in enterprises and large infrastructure. They are doing their work.

Question:  Am I excited about OAuth?
Answer: Definitely.

Given that the world is going mobile heavy, OAuth is an important step in the direction of secure mobility. The future is in Cloud and APIs. Securing the APIs is what OAuth is aiming toward.

Now, for the best part, let me talk about what I think about Andras's specific points.

Andras: Lack of broad adoption.
This is a security standard. Security standards do not get as much press as standards from other verticals. XACML vendors are plenty and many customers are using XACML for their infrastructure. I certainly would like to see some additional adoption. But it is a work in progress.

Andras: Inability to serve the federated, extended enterprise
There is nothing in the XACML standard to prohibit this. It depends on the practitioners and architects.

Andras: PDP does a lot of complex things that it does not inform the PEP about.
The PDP is supposed to perform the access control policy number crunching and give an answer back to the PEP's enforcement question. The answer certainly can carry obligations/advice.

I would like to bring your attention to the new TC at OASIS, the OASIS Cloud Authorization TC, which I am co-chairing, where we want to do a better job of defining the entitlement model compared to the classic enforcement model (in which XACML and OAuth operate). Please refer to my use case submission called Context Driven Entitlements.

I do agree that the PEP needs more information than what it gets via the classic enforcement model.

Andras: Not suitable for cloud and distributed deployment.
I do not think this is true at all.

Andras: Commercial support is non-existent. 
It depends on who you are talking to. There are pure XACML vendors such as Axiomatics. JBoss Middleware does have support for XACML. At the XACML interoperability events in the past, I have seen vendors such as Oracle, IBM and CA.

Andras: Refactoring and rebuilding existing in-house applications is not an option
Then those applications are doomed to fail when the requirements for access control change. I presume those applications are like a "house of cards".

Andras: OAuth supports the mobile application endpoint in a lightweight manner. 
There is nothing in the XACML standard that says it cannot support lightweight workflows. Even though OAuth is more suited for mobile workflows, it should not be an issue to have a XACML policy engine integrated for finer access control. OAuth is geared toward lightweight authorization of resources under particular scopes. At Internet scale, it works well. But it falls short when greater granularity of access control is needed.
Remember that OAuth does not have the granularity of XACML in terms of rules (Subject, Action, Environment, Attributes). XACML is an extremely fine-grained policy language framework.
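To make the granularity point and the obligation-carrying PDP answer concrete, here is an added illustration (not code from the post, from PicketBox or from any XACML product): a toy attribute-based PDP next to an OAuth-style scope check. The hospital scenario, attribute names, scope name and obligation identifiers are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    """XACML-style request: attributes grouped by category (constructed names)."""
    subject: dict        # e.g. {"role": "clinician", "department": "cardiology"}
    action: str          # e.g. "read"
    resource: dict       # e.g. {"type": "patient-record", "department": "cardiology"}
    environment: dict    # e.g. {"network": "internal", "hour": 14}

@dataclass
class Decision:
    effect: str                                      # Permit / Deny / NotApplicable
    obligations: list = field(default_factory=list)  # XACML: PEP must discharge these or deny

def oauth_scope_check(token_scopes, required_scope):
    """OAuth-style enforcement: does the token carry the scope? A coarse yes/no,
    blind to which record is touched, by whom, from where or when."""
    return required_scope in token_scopes

def xacml_style_pdp(req):
    """Toy PDP with first-applicable rule combining and a default Deny. Each rule
    can look at subject, action, resource and environment attributes together."""
    if req.resource.get("type") != "patient-record":
        return Decision("NotApplicable")  # this policy does not cover the resource
    same_dept = req.subject.get("department") == req.resource.get("department")
    internal = req.environment.get("network") == "internal"
    office_hours = 8 <= req.environment.get("hour", -1) < 18
    if req.subject.get("role") == "clinician" and req.action == "read" and same_dept:
        if internal and office_hours:
            return Decision("Permit", ["log-access"])
        # Off-hours or remote access: still permitted, but the PEP is told to do more.
        return Decision("Permit", ["log-access", "notify-privacy-officer"])
    return Decision("Deny")

def compare(req, token_scopes=frozenset({"records:read"})):
    """Return (scope check passed, PDP effect, obligations) for one request."""
    d = xacml_style_pdp(req)
    return oauth_scope_check(token_scopes, "records:read"), d.effect, tuple(d.obligations)

# Constructed sample requests: the same token scope passes all three.
RECORD = {"type": "patient-record", "department": "cardiology"}
OWN_DEPT = Request({"role": "clinician", "department": "cardiology"}, "read", RECORD,
                   {"network": "internal", "hour": 14})
OTHER_DEPT = Request({"role": "clinician", "department": "oncology"}, "read", RECORD,
                     {"network": "internal", "hour": 14})
OFF_HOURS = Request({"role": "clinician", "department": "cardiology"}, "read", RECORD,
                    {"network": "vpn", "hour": 23})

if __name__ == "__main__":
    for name, req in (("own dept", OWN_DEPT), ("other dept", OTHER_DEPT), ("off hours", OFF_HOURS)):
        print(name, compare(req))
```

The scope check returns True for all three requests, while the PDP permits the first, denies the cross-department read, and permits the off-hours read only with an extra obligation the PEP has to fulfil.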
