Application Architecture Summit

Modern Application Development for Digital Business Success

REGISTER

Online Conference

As the hunt continues for reliable-yet-simple ways to secure cloud elements, Axiomatics is improving the delivery of dynamic authorization for multiple assets across hybrid, cloud and on-prem environments.

Axiomatics upgraded its Axiomatics Policy Server’s (APS) cloud-native Policy Decision Point (PDP) to now integrate both JSON and REST profiles of XACML 3.0 version 1.1.

This additional support of JSON and REST extends that reach to the next wave of scenarios users are looking to support. “Our cloud-native PDP ensures all elements of the cloud remain safe and secure, even under the most complex access control scenarios,” Gerry Gebel, Axiomatics vice president of business development told IDN.

The Axiomatics Policy Server also supports cloud-native authorization with elastic scale, easy deployment in containers and management with popular orchestration tools. 

“As more organizations migrate to cloud platforms, we need to find better ways to solve complex access control use cases – especially with larger and larger volumes of sensitive information,” Gebel added. “With Axiomatics Policy Server, we continue to ensure sensitive information is shared securely, only with those parties that are authorized to see it, under the right conditions,” he said.

Cloud-Native Authorization PDP for Modern Dynamic Authorization

Axiomatics “dynamic authorization” simplifies and automates protection for a wide range of resources, including apps, databases, big data – and even APIs and microservices. 

From the start, these capabilities were designed to be flexible and extensible – without incurring any performance hits on apps and data availability - to keep pace with companies’ changing needs and environments, Gebel said. 

Axiomatics product manager Andres Martinelli explained bringing PDP to a cloud-native architecture pushes the envelope for modern authorization in a recent blog.

The cloud-native authorization PDP is a new form factor for our authorization engine that is designed to suit modern deployment workflows and architectures, in particular cloud and microservices oriented ones. It’s easy to use for deploying dynamic authorization at scale. It adheres to configuration-as-code principles that equate to easily repeatable deployments and straightforward configuration roll-back and disaster recovery.

You can use it at scale; you can deploy it as a side-car, close to the application that needs extra performance; you can use it on-premises, in the public cloud, or in hybrid clouds. It is cloud and container agnostic, so it does not matter if all your services run on your favorite vendor’s cloud, or you are embracing a poly-cloud approach; whether you are keeping a high degree of control of your infrastructure or you deploy a serverless architecture over a shared service mesh. Our authorization engine will bring you all the benefits of leveraging externalized dynamic authorization while not standing in your way; it’s the right tool for the right job.

Here’s an example of how our customers use the cloud-native authorization engine. The dynamic authorization engine provides an independently deployable service that offers the flexibility, deployment and automation characteristics required by microservices architectures. In addition, the engine is configurable using plain text files, allowing for a policy-as-code approach to the storage and management of authorization assets.

[In another sign of Axiomatics push to cloud-native services, the company recently joined the Google Cloud Connect Partner Program. The cooperation will make it easier for users of Google Cloud to extend access control capabilities in the cloud.]

In his recent blog post, Gebel wrote about the growing need to update authorization to cope with limitations of JSON web tokens

We had many enthusiastic conversations around microservices and the need to solve issues around bloated JSON tokens...By deploying the Policy Decision Point in its own container alongside the microservice, several issues can be addressed and streamline the deployment.

Axiomatics’ cloud-native PDP delivers standards-based functionality of policy-based access control via ABAC (Attribute Based Access Control). 

“ABAC is just more responsive to the changing needs of the enterprise,” Gebel added. “It’s an authorization model that provides dynamic, context-aware and risk-intelligent access control.” 

Unlike role-based access control (RBAC), which uses pre-defined roles and pre-set privileges, ABAC offers more fine-grained and flexible ways to support situational responses for security, management and protection.

ABAC is a key technology for providing “a dynamic layer of security,” which in turn helps organizations accelerate their cloud migration efforts, Gebel noted. 

For example, he noted that ABAC policies can use any type of attributes (user attributes, resource attributes, object, environment attributes, etc.) ABAC can also support a virtually limitless array of conditional or if/then statements, to align access with a specific set of conditions, people, endpoints and devices.

As a result, Axiomatics can benefit both IT and non-technical business, thanks to the way it implements dynamic authorization – which abstracts an intense amount of hand-coding and complex configuration. Among the stakeholder benefits are:

1. Business users can leverage data more securely to analyze insights and meet business objectives
2. IT and cloud professionals can simplify scalability and speed deployment
3. App owners have easier ways to support change management and portability
4. Developers can launch apps faster, avoid possible errors from custom-coding and more rapidly cope with updates

In another blog posted during a Gartner conference, Gebel wrote:

“We’re hearing of more successful implementations, new use cases, cloud migrations and more. It’s great to hear stories of the business impact dynamic authorization, implemented with Attribute Based Access Control, is having across the IT landscape. The requirement for access to any resource, from any device, and from anywhere in the world, but within business and security constraints [is resonating] loud and clear.” 

Axiomatics Fine-Grained Dynamic Authorization Reaches APIs & Microservices

Axiomatics’ ABAC approach to fine-grained dynamic authorization can reach as deep as individual APIs, gateways and microservices, Gebel added.

Axiomatics can easily integrate with popular API gateways – and thereby enriches the security provided by those technologies.

“Axiomatics offers an extra layer of access controls for API gateways,” Gebel said, because Axiomatics lets users add a any number of more specific attributes. “IT can apply and enforce a whole new range of more specific and tougher policies.  They can also be situational, to deal with a special use case for a certain location – or even just for a certain period of time,” he added.

At runtime, Axiomatics’ dynamic authorization adds punch to popular API platforms that offer governance, privacy and compliance, including IBM, MuleSoft, CA, Apigee (Google Cloud) and others.

A sample of the common API Gateway Use Cases Axiomatics supports includes:

• Expose data via APIs securely (secure collaboration)
• Enable efficient reuse of sensitive information assets
• Enforce policy-based authorization aligned with business rules
• Extend the authorization capabilities of API Gateways
• Remove the need to re-code individual APIs when corporate policies change
• Any time there is a need to securely collaborate, while also protecting sensitive data via an API, an ABAC approach is the perfect fit to fine-tune the access control.

Also worth noting for IT, this fine-grained access control doesn’t need to disrupt traditional approaches. ABAC is compatible and works seamlessly with popular access control frameworks, including OAuth and OpenID Connect.

The Axiomatics Policy Server is a part of a portfolio of fine-grained dynamic authorization solutions.