Historically, access control solutions for information sharing projects have been implemented on a project-by-project basis using point solutions, such as Role Based Access Control (RBAC) or Access Control Lists (ACL). Unfortunately, these approaches are neither interoperable with each other, nor flexible enough to handle the complex requirements of modern information sharing initiatives that cross traditionally isolated branches of government.
For this reason, “Policy Based Access Control” (or PBAC) approaches are starting to become the best practice for projects that require access control. PBAC allows access rules to be defined in a flexible, policy-oriented fashion, with policies easily updated as rules change.
The most noteworthy recent PBAC effort centers on eXtensible Access Control Markup Language (XACML). While XACML is not a policy model in its own right, it is an extremely flexible policy expression language that allows for an XML standard specification of access control policies in terms of entity attributes.
An XACML PBAC solution consists of a number of architectural components, including a Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Administration Point (PAP), Policy Information Point (PIP), Obligation Service (OS) and Context Handler (CH). The most critical components in support of XACML are the PEP, PDP, and PAP:
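As an added illustration of the attribute-based policy language and the PEP/PDP/PIP exchange described above (this is not Layer 7 code or a complete XACML engine), the following toy PDP evaluates a constructed XACML 3.0 policy; it implements only string-equal Matches, AllOf/AnyOf Targets and the deny-overrides combining algorithm, and the subject directory standing in for the PIP, the agent/clerk identities and the attribute names are all assumptions.

```python
import xml.etree.ElementTree as ET

X = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"  # XACML 3.0 namespace
# Constructed sample policy (toy XACML subset): string-equal Matches, AllOf/AnyOf
# Targets and deny-overrides only. Cleared agents may read case files; export is denied.
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="p1"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
 <Target/>
 <Rule RuleId="permit-cleared-read" Effect="Permit"><Target><AnyOf><AllOf>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue>case-file</AttributeValue><AttributeDesignator AttributeId="resource-type"/></Match>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue>read</AttributeValue><AttributeDesignator AttributeId="action-id"/></Match>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue>secret</AttributeValue><AttributeDesignator AttributeId="clearance"/></Match>
 </AllOf></AnyOf></Target></Rule>
 <Rule RuleId="deny-export" Effect="Deny"><Target><AnyOf><AllOf>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue>export</AttributeValue><AttributeDesignator AttributeId="action-id"/></Match>
 </AllOf></AnyOf></Target></Rule>
</Policy>"""
# Constructed PIP: subject attributes the Context Handler fetches on demand.
PIP = {"agent-a": {"clearance": "secret"}, "clerk-b": {"clearance": "public"}}

def match(m, attrs):
    """A Match compares one request attribute with the literal in the policy."""
    literal = m.find(X + "AttributeValue").text
    attr_id = m.find(X + "AttributeDesignator").get("AttributeId")
    return attrs.get(attr_id) == literal  # string-equal only

def target_applies(target, attrs):
    """Empty Target matches all; else every AnyOf needs one fully-true AllOf."""
    return all(any(all(match(m, attrs) for m in allof.findall(X + "Match"))
                   for allof in anyof.findall(X + "AllOf"))
               for anyof in target.findall(X + "AnyOf"))

def pdp_decide(policy_xml, attrs):
    """PDP: deny-overrides, so one applicable Deny beats any number of Permits."""
    policy = ET.fromstring(policy_xml)
    if not target_applies(policy.find(X + "Target"), attrs):
        return "NotApplicable"
    effects = {r.get("Effect") for r in policy.findall(X + "Rule")
               if target_applies(r.find(X + "Target"), attrs)}
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"

def pep_request(subject, resource, action, pip=PIP):
    """PEP/Context Handler: build the request context, enrich it from the PIP,
    ask the PDP, and enforce deny-biased (anything other than Permit is refused)."""
    attrs = {"resource-type": resource, "action-id": action, **pip.get(subject, {})}
    decision = pdp_decide(POLICY, attrs)
    return decision, decision == "Permit"
```

Note that a clerk with "public" clearance gets NotApplicable rather than Deny, because no rule matches; a deny-biased PEP must still refuse such requests, which is why the enforcement decision is separated from the PDP decision above.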
Unfortunately, at this point in time, support for XACML among the major Identity and Access Control vendors is not widespread. Moreover, those vendors that do provide XACML support usually fail to meet the loose-coupling and policy-based configuration goals required for PBAC.
The Layer 7 SecureSpan and CloudSpan product lines provide wide support for XACML, allowing it to be used directly within the appliance as an authorization policy language, or indirectly by supporting integration with third-party XACML-compliant enterprise products. Not only does this allow for high-speed, XACML-based policy decisions within the Layer 7 appliance for in-line authorizations as part of a PEP, but it additionally allows Layer 7 to be utilized as a central Policy Decision Point (PDP).
When deployed as a centralized PDP, Layer 7 can:
These PDP capabilities, combined with Layer 7's ability to provide SAML-based Attribute Services and authentication token services through its integrated Secure Token Service (STS), mean that customers can implement all aspects of policy decision, attribute collection, and identity federation in a single product.