Slide 1: XACML and the Cloud
Slide 2: What is XACML?

- XML language for access control
- Coarse or fine-grained
- Extremely powerful evaluation logic
- Ability to use any available information
- Superset of Permissions, ACLs, RBAC, etc.
- Scales from PDA to Internet
- Federated policy administration
- OASIS and ITU-T Standard

Speaker notes: XACML specifies an abstract access control policy language and rules for evaluating policies, an XML format for exchanging policies, and an optional XML format for decision inputs and outputs. The information provided may be included in complex logical expressions to produce evaluatable policies corresponding to real-world policy requirements. XACML provides all the functionality of familiar access control models while enabling capabilities far beyond them. XACML was designed to operate in many different software and hardware environments, at a range of scales. XACML enables multiple administrators to create policies with overlapping scopes without close cooperation; decision conflicts are resolved by combining rules. XACML 2.0 is an OASIS Standard and ITU-T Recommendation X.1142. XACML 3.0 has reached the level of OASIS Committee Specification and is expected to become an OASIS Standard and ITU-T Recommendation.
Slide 3: XACML Cloud Features

- Powerful language features
  - Capture complex business relationships
- Federated Administration
  - Combining algorithms resolve conflicts
- Administrative Policies
  - Policies managed by providers, customers, end users
- Global identifiers prevent name conflicts
- Domain-specific Profiles
  - Healthcare, Intellectual property, Privacy

Speaker notes: XACML has many built-in features which meet important Cloud Computing requirements. The language, with its ability to combine virtually any available data in arbitrarily complex logical expressions, is well suited to expressing the complex rules needed in the multi-party service environments which characterize the Cloud. Administrators working for cloud providers, their customers and end users may all potentially manage policies which cover the same sets of users or resources without the need for close coordination; decision conflicts at runtime are resolved by combining algorithms. XACML 3.0 provides the capability to create Administrative Policies, which enable individuals to create policies within a specified scope. For example, a cloud provider can permit its customers to create policies covering their own services or users. Administrative Policies can be nested, allowing further access to be delegated in a controlled way. XACML identifiers are all set in a global namespace (urn:oasis:names:tc:xacml:…), thus avoiding conflicts. The core XACML specifications cover access control in general. The TC has also specified identifiers which are applicable to specific domains of use, for example the XSPA profile, which covers Healthcare, the Intellectual Property Control Profile and the Privacy profile.
Slide 4: XACML Enables Efficient Cloud Implementations

- Stateless Server
- Choice of embedded or server-based PDP
  - Max performance or Access Control Service
- Specification permits optimizations
  - Order of evaluation
  - Caching of Attributes
  - Caching of decisions or partial evaluations

Speaker notes: The XACML Specifications have been written with the goal of enabling implementations to be highly efficient and scalable. These are some examples of this. The XACML PDP operates in a stateless mode, which reduces the resources it needs to consume and greatly simplifies error recovery; the overall effect is to enable scalability. An XACML Policy Decision Point (decision engine) may be embedded in the same process as the Policy Enforcement Point for minimum overhead and maximum performance. Alternatively, the PDP may be implemented as an Authorization server which is accessed remotely. This greatly simplifies integration into existing applications and also permits Authorization to be offered as a Cloud service. The XACML Specifications provide as much implementation flexibility as possible, while retaining the principle that, given the same policies and the same input attributes, all compliant XACML PDPs should produce the same decision. This flexibility allows XACML implementations to perform optimizations which further enhance scalability. For example, an XACML-compliant PDP can evaluate policy expressions in any order it chooses, or even distribute the evaluation over multiple processors or systems. An XACML PDP can cache Attribute values for use in future decisions. A PDP can also cache complete Policy decisions, or even the results of expressions within policies, for use in future requests or within a multiple decision request.
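To make slides 3 and 4 concrete, here is an added toy PDP (example code, not part of the presentation or of any XACML implementation) in which a provider policy and an independently written customer policy cover the same resource, and the policy-set combining algorithm decides the conflict; the PolicyIds, attribute names and the request are constructed for illustration. Rules are evaluated independently of each other and of earlier requests, so the order of evaluation does not change the decision, as the stateless-PDP point on slide 4 requires.

```python
# Added example: simplified XACML-style rule and policy combining (not from the slides).
# PolicyIds and attribute names below are constructed, not taken from any XACML profile.
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, str]   # flattened request attributes (subject, resource, action)

@dataclass
class Rule:
    effect: str                       # "Permit" or "Deny"
    applies: Callable[[Attrs], bool]  # stands in for an XACML <Target>/<Condition>

@dataclass
class Policy:
    policy_id: str                    # constructed PolicyId
    algorithm: str                    # "deny-overrides" or "permit-overrides"
    rules: List[Rule]

def combine(decisions: List[str], algorithm: str) -> str:
    """Overriding effect wins if any child produced it; else first applicable; else NotApplicable."""
    winner = "Deny" if algorithm == "deny-overrides" else "Permit"
    if winner in decisions:
        return winner
    applicable = [d for d in decisions if d != "NotApplicable"]
    return applicable[0] if applicable else "NotApplicable"

def evaluate_policy(policy: Policy, req: Attrs) -> str:
    # Each rule depends only on the request, so rules could be evaluated in any order or in parallel.
    decisions = [r.effect if r.applies(req) else "NotApplicable" for r in policy.rules]
    return combine(decisions, policy.algorithm)

def evaluate_policy_set(policies: List[Policy], algorithm: str, req: Attrs) -> str:
    return combine([evaluate_policy(p, req) for p in policies], algorithm)

# Provider policy: only a provider admin may write to the shared billing service.
PROVIDER = Policy("urn:example:provider:billing", "deny-overrides", [
    Rule("Deny", lambda r: r["resource"] == "billing" and r["action"] == "write"
                           and r["role"] != "provider-admin"),
])
# Customer policy, written without coordination: acme staff may do anything on acme's resources.
CUSTOMER = Policy("urn:example:customer:acme", "permit-overrides", [
    Rule("Permit", lambda r: r["tenant"] == "acme" and r["subject-tenant"] == "acme"),
])

def decide(algorithm: str, req: Attrs) -> str:
    return evaluate_policy_set([PROVIDER, CUSTOMER], algorithm, req)

if __name__ == "__main__":
    req = {"subject-tenant": "acme", "tenant": "acme", "role": "dev",
           "resource": "billing", "action": "write"}
    print(decide("deny-overrides", req))    # Deny: the provider's restriction wins
    print(decide("permit-overrides", req))  # Permit: the customer's grant wins
```

The same request yields Deny under deny-overrides and Permit under permit-overrides, which is why the choice of combining algorithm at the policy-set level is itself a security decision for the provider.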