Technology Report: XACML – Extensible Access Control Markup Language

Report Details

This report explains XACML, an evolving standard in the field of access control. Access control in IT is of vital importance. Companies use access control technology to protect sensitive systems and information, and to keep assets safe.

At the same time, compliance with external regulations and internal policies is very important and access control technology is key. We can think about access control doing two things:

  • 1. Identifying the users (who are you)
  • 2. Allowing known users to do things (what are you allowed to do)

The first part is authentication and solutions are very mature at the time of writing. The industry has very many solutions available to authenticate users through a variety of methods - from a standard username/password combination to highly secure multi-factor authentication systems. The second part is authorisation and unfortunately the picture there is not as pretty. In fact, authorisation is far from being "solved". and is typically left to the applications. This presents several fundamental problems. There are many applications running in an enterprise, and many of these applications manage their own entitlements, and do it differently. This makes access control very difficult to manage! Compliance with regulations is also a tricky business: regulations and policies are not application specific, yet entitlements are specific to each application. Hence there is always the problem of mapping general business policies into the many different styles of entitlements found within the applications.

The solution is to externalise authorisation from the actual applications. Instead of implementing access control policy, applications should use an external access control system in order to make the decision regarding access control policy. For applications, this presents a shift in thinking. For a service oriented architecture (SOA) this comes as a natural way of thinking. Services in a SOA tend to be more modular than monolithic applications; hence the need to enforce access control policy over a set of services is a natural requirement. SOA provides both a new level of needs and a new level of capabilities which make it possible to think in terms of authorisation as an application-external, shared and generic service. It is important however to stress that XACML is not at all specific to SOA, nor is implementing a SOA required to make use of XACML. In fact, XACML is valuable regardless of whether a SOA is deployed or not.

You can get access to this document for free, if you register for KuppingerCole Select access now.

Date Title Price
Sep 29, 2009

Technology Report: XACML – Extensible Access Control Markup Language

This report explains XACML, an evolving standard in the field of access control. Access control in IT is of vital importance. Companies use access control technology to protect sensitive systems and information, and to keep assets safe. At the same time, compliance with external regulations…

€165.00 Get Access
Mastercard Visa PayPal INVOICE

Latest Related Reports

Discover KuppingerCole

KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Blog

Blog

Not Just Another Buzzword: Cyber Risk Governance

Today, companies are increasingly operating on the basis of IT systems and are thus dependant on them. Cyber risks must therefore be understood as business risks. The detection and prevention of cyber security threats and appropriate responses to them are among the most important activities to [...]

Latest Insights

Hot Topics

Spotlight

Privacy & the European Data Protection Regulation Learn more

Privacy & the European Data Protection Regulation

The EU GDPR (General Data Protection Regulation), becoming effective May 25, 2018, will have a global impact not only on data privacy, but on the interaction between businesses and their customers and consumers. Organizations must not restrict their GDPR initiatives to technical changes in consent management or PII protection, but need to review how they onboard customers and consumers and how to convince these of giving consent, but also review the amount and purposes of PII they collect. The impact of GDPR on businesses will be far bigger than most currently expect. [...]

Become a Client

Learn more about becoming a Client

Contact Us

Call Us

+49 211 2370770
Mo - Fr 8:00 - 17:00