Is XACML the Esperanto of IT Security?

Posted by Edward Killeen on Wed, May 08, 2013

Andras Cser of Forrester writes that XACML is Dead.  The first analyst question I was asked as head of marketing at EmpowerID was, "do you support XACML?"  The easy answer was (and is), "we will when application vendors do."  Andras' first point as the cause of the death of XACML: "Lack of broad adoption."

Andras' second point is the one that really gets to the technical heart of the matter rather than the logistical: XACML's "inability to serve the federated, extended enterprise."  Identity and Access Management (IAM) has moved way beyond the borders of an Active Directory forest.  Organizations are managing their internal users, partners, customers, and contractors and need a flexible authentication and authorization system that can accommodate the unique needs of each constituency.

Additionally, the applications they are accessing are growing more varied and widespread.  You have legacy applications, cloud applications, web applications, and mobile applications.  Organizations demand an IAM platform that can authenticate and authorize not only against the applications that support a specific standard, but against all of them.

So, while some analysts have been trumpeting loudly that XACML is going to make authorization easy and standards based, the market and forward thinking analysts like Andras have realized that IAM in today's world is too complicated for it.

Unfortunately, this leaves us at the question: how the heck do we manage authorization in this new complicated world?  We believe that EmpowerID has hit on the best way to manage it, by integrating roles into every single aspect of IAM from provisioning to authentication to password reset to SSO.  Making your roles pervasive in all aspects of IAM gives you flexibility in answering the question of who has access to what, and when.

EmpowerID's role engine was designed as part of a purpose-built single codebase IAM platform; roles fit in as an integral part of each IAM function.  Our polyarchical role structure is flexible and intuitive, allowing organizations a tremendous amount of flexibility in how they apply permissions and authorization.

When roles are too static, we combine ABAC with RBAC to give runtime decisions based on attributes in any connected system, giving even more flexibility.

EmpowerID includes an advanced authorization policy engine that allows organizations to define a user’s access to a diverse set of corporate and cloud-hosted resources via flexible RBAC and ABAC rules. This “resultant access” information is then either consumed or “pulled” by systems that support leveraging an external authorization engine to make access decisions or “pushed” down onto systems that don’t.
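As an added illustration of the model described above (a polyarchical role graph, RBAC grants refined by ABAC conditions at decision time, and "resultant access" that is either pulled per request or pushed to a system that cannot call the engine), here is example code written for this post; it is not EmpowerID's engine, and the role names, attributes and policy are constructed:

```python
from dataclasses import dataclass
from typing import Callable

# Constructed role graph (role -> parents). "finance-eu" has two parents, which is
# the polyarchical case: a role is not confined to a single tree.
ROLE_PARENTS = {"employee": set(), "finance": {"employee"},
                "eu-staff": {"employee"}, "finance-eu": {"finance", "eu-staff"}}

@dataclass
class Rule:
    role: str
    resource: str
    action: str
    # ABAC part: predicate over decision-time attributes; default is plain RBAC.
    condition: Callable[[dict], bool] = lambda attrs: True

# Constructed policy: RBAC grants, two of them narrowed by attribute conditions.
POLICY = [
    Rule("employee", "intranet", "read"),
    Rule("finance", "ledger", "read"),
    Rule("finance", "ledger", "approve",
         lambda a: a["mfa"] and a["approval_limit"] >= a["amount"]),
    Rule("eu-staff", "gdpr-reports", "read", lambda a: a["region"] == "EU"),
]

def effective_roles(assigned: set) -> set:
    # Expand through the parent graph: a role inherits every ancestor's grants.
    result = set(assigned)
    for role in assigned:
        result |= effective_roles(ROLE_PARENTS.get(role, set()))
    return result

def decide(assigned: set, attrs: dict, resource: str, action: str) -> bool:
    # Pull model: the system asks per request; roles grant, attributes refine.
    roles = effective_roles(assigned)
    return any(r.role in roles and r.resource == resource and r.action == action
               and r.condition(attrs) for r in POLICY)

def resultant_access(assigned: set, attrs: dict) -> set:
    # Push model: precompute (resource, action) pairs for a system that cannot call
    # the engine; a rule needing a request-time attribute ("amount") is left out.
    roles, out = effective_roles(assigned), set()
    for r in (r for r in POLICY if r.role in roles):
        try:
            if r.condition(attrs):
                out.add((r.resource, r.action))
        except KeyError:
            pass
    return out
```

The push path deliberately drops any grant whose condition depends on a fact only known at request time, which is the practical limit of pushing resultant access into systems that never consult the engine.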

Read more about EmpowerID's authorization engine, schedule a demo, or request a whitepaper on Best Practices in Enterprise Authorization.  XACML isn't walking through that door ready to save enterprise authorization; take a look at a solution that will.


Tags: Role Based Access Control (RBAC)