Presentation is loading. Please wait.

Presentation is loading. Please wait.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Published bySilvester Joshua Melton Modified over 8 years ago

Similar presentations

Presentation on theme: "Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any."— Presentation transcript:

1 Combining KMIP and XACML

2 What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any available information Superset of Permissions, ACLs, RBAC, etc Scales from PDA to Internet Federated policy administration OASIS and ITU-T Standard

3 Key XACML Features Federated Policy Administration – Multiple policies applicable to same situation – Combining rules to resolve conflicts Decision may include Obligations – In addition to Permit or Deny – Obligation can specify present or future action – Examples: Log request, require human approval, delete data after 30 days Protect any resource – Web Server, Java or C++ Object, Room in building, Network Access, Web Service, Geographic Data, Health Records, etc.

4 XACML Benefits Standard Policy Language – Investment protection – Skills reuse Leverage XML tools Policy not in application code – Reduce cost of changes – Consistent application – Enable audit

5 XACML Architecture PDP Decision Application Administration Policy Repository PEP Enforcement Client Authorities Attribute Repositories PDP Resources

6 Policy Evaluation in Brief - 1 Attribute-based access control (ABAC) Attributes associated with Subject(s), Action, Resource or Environment Attributes may represent static (Group) or dynamic (# of accesses) properties PDP is stateless Policies contain Boolean expressions If false, policy is not applicable If true, Effect (Permit or Deny) is returned

7 Policy Evaluation in Brief - 2 Combining Algorithms resolve conflicting policy results – Typical: Deny Overrides Obligations which are associated with final Effect are also returned Policies are tree structured to simplify management

8 Reasons for KMIP Servers to Use XACML Implement more complex key relationship policies – Dependancies: derived key, wrapped key, split key Enhance policies to meet Enterprise needs – Other Subject attributes (Roles) – Environmental attributes – Privacy or contractual requirements

9 What to consider Not Policy structure (this would be necessary with RBAC for example) Attributes What ones may be needed Where will the come from How will they get to PDP Interface – Remote/Local – Protocol/API

10 Attributes Datatypes – XACML defines 14 scalar types – KMIP types are a subset – Commonly used are easy, e.g. string Access – With decision request – KMIP request – Other request, e.g. LDAP KMIP must maintain dynamic values

11 Interfaces PDP may be remote or imbedded Tradeoff is ease of integration vs. performance – Most KMIP servers relatively low decision volume Remote call via SOAP defined by XACML – Clearly the easiest to implement OpenAz open source project is defining APIs Defining a TTLV remote call is possible

12 Excellent paper on this subject Masters thesis by Divay Bansal IBM / ETH Zurich http://issuu.com/divaybansal/docs/master- thesis http://issuu.com/divaybansal/docs/master- thesis If nothing else it demonstrates how XACML can implement key-dependancies policies Alternative architectures

Download ppt "Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any."

Similar presentations

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
NRL Security Architecture: A Web Services-Based Solution

NRL Security Architecture: A Web Services-Based Solution
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.

Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.
Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.

Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Illinois Security Lab Using Attribute-Based Access Control to Enable Attribute- Based Messaging Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter.

Illinois Security Lab Using Attribute-Based Access Control to Enable Attribute- Based Messaging Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
A Privacy Policy Enforcement System Kaniz Fatema David Chadwick Stijn Lievens University of Kent School of Computing Canterbury, UK Primelife IFIP Summer.

A Privacy Policy Enforcement System Kaniz Fatema David Chadwick Stijn Lievens University of Kent School of Computing Canterbury, UK Primelife IFIP Summer.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense

Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

Similar presentations

Ads by Google