Technology Report: XACML – Extensible Access Control Markup Language

Report Details

This report explains XACML, an evolving standard in the field of access control. Access control in IT is of vital importance. Companies use access control technology to protect sensitive systems and information, and to keep assets safe.

At the same time, compliance with external regulations and internal policies is very important and access control technology is key. We can think about access control doing two things:

  • 1. Identifying the users (who are you)
  • 2. Allowing known users to do things (what are you allowed to do)

The first part is authentication and solutions are very mature at the time of writing. The industry has very many solutions available to authenticate users through a variety of methods - from a standard username/password combination to highly secure multi-factor authentication systems. The second part is authorisation and unfortunately the picture there is not as pretty. In fact, authorisation is far from being "solved". and is typically left to the applications. This presents several fundamental problems. There are many applications running in an enterprise, and many of these applications manage their own entitlements, and do it differently. This makes access control very difficult to manage! Compliance with regulations is also a tricky business: regulations and policies are not application specific, yet entitlements are specific to each application. Hence there is always the problem of mapping general business policies into the many different styles of entitlements found within the applications.

The solution is to externalise authorisation from the actual applications. Instead of implementing access control policy, applications should use an external access control system in order to make the decision regarding access control policy. For applications, this presents a shift in thinking. For a service oriented architecture (SOA) this comes as a natural way of thinking. Services in a SOA tend to be more modular than monolithic applications; hence the need to enforce access control policy over a set of services is a natural requirement. SOA provides both a new level of needs and a new level of capabilities which make it possible to think in terms of authorisation as an application-external, shared and generic service. It is important however to stress that XACML is not at all specific to SOA, nor is implementing a SOA required to make use of XACML. In fact, XACML is valuable regardless of whether a SOA is deployed or not.

You can get access to this document for free, if you register for KuppingerCole Select access now.

Date Title Price
Sep 29, 2009

Technology Report: XACML – Extensible Access Control Markup Language

This report explains XACML, an evolving standard in the field of access control. Access control in IT is of vital importance. Companies use access control technology to protect sensitive systems and information, and to keep assets safe. At the same time, compliance with external regulations…

€165.00
excl. VAT
Get Access
Mastercard Visa PayPal INVOICE

Latest Related Reports

Discover KuppingerCole

KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Blog

Blog

Future-Proofing Your Cybersecurity Strategy

It’s May 25 today, and the world hasn’t ended. Looking back at the last several weeks before the GDPR deadline, I have an oddly familiar feeling. It seems that many companies have treated it as another “Year 2000 disaster” - a largely imaginary but highly publicized issue [...]

Latest Insights

Hot Topics

Spotlight

Compliance, Risk & Security Learn more

Compliance, Risk & Security

Whether public, private or hybrid clouds, whether SaaS, IaaS or PaaS: All these cloud computing approaches are differing in particular with respect to the question, whether the processing sites/parties can be determined or not, and whether the user has influence on the geographical, qualitative and infrastructural conditions of the services provided. Therefore, it is difficult to meet all compliance requirements, particularly within the fields of data protection and data security. The decisive factors are transparency, controllability and influenceability of the service provider and his [...]

Become a Client

Learn more about becoming a Client

Contact Us

Call Us

+49 211 2370770
Mo - Fr 8:00 - 17:00