IBM Security Verify

  • 1.  ISAM as PDP for authorization decisions

    Posted Sat June 15, 2019 07:00 AM
    Hi Community,

    Is anyone (extensively) using ISAM as a PDP for authorization, not just authentication? Since ISAM supports XACML, theoretically it seems that it could be used as such. 

    We are looking into solutions which can aid in decoupling authorization from the business logic of an application. Typically an application executes a lot of authorization decisions internally (e.g. function X can only be called if user context shows that you have the admin role). Initiatives such as XACML and NGAC try to provide standardized protocols to externalize these authorization decisions.

    However, since ISAM is mainly focused on authentication, I doubt that ISAM would be a good fit. Perhaps someone who has experimented with ISAM to externalize authorization decisions can prove me wrong?

    Kind regards,
    Michael

    ------------------------------
    Michael
    ------------------------------


  • 2.  RE: ISAM as PDP for authorization decisions

    Posted Mon June 17, 2019 02:24 AM

    Hi Michael, 

    You're right that ISAM has some capabilities around XACML and in fact, our Context Based Access capabilities are all based around the use of XACML and the broader capabilities under the covers. And these are utilized extensively by our customer base. I would still describe this use case as an "Authorization" use case, rather than "Authentication" - where the authentication capabilities are simply used to mitigate risk - as an "obligation" in XACML terms.

    In terms of servicing generic XACML calls, we've made some enhancements to the XACML engine interface to allow for a number of customers who have been using TSPM, our historical XACML based centralised decision engine (PDP) to migrate their use cases to ISAM (TSPM has now gone end of support).

    In short, if you're using ISAM today, and you have some needs for a generic decision engine, ISAM could meet your requirements and allow you to avoid purchasing an alternative (and often expensive) solution. In my experience, you will typically build your policy in combination with a data tier (DB or LDAP), and store significant portions of the relevant data in the accompanying PIPs - (mostly since XACML only scales so well in large quantities), using the XACML policies to build/map the data into Access Decisions. And you will need to configure/code/customise your enforcement points to call the XACML APIs - these are documented interfaces in our REST API documentation.

    Strategically, we are focused on ensuring the CBA AZN engine evolves with our product, with 'ISAM' as the primary PEP. If your requirements have some alignment with that, then it can work nicely. If not, then your results may vary.

    I hope this helps.



    ------------------------------
    Philip Nye
    IBM
    Gold Coast
    ------------------------------



  • 3.  RE: ISAM as PDP for authorization decisions

    Posted Mon June 17, 2019 03:56 AM
    Whilst lots of things are possible with ISAM, this is not an adoption pattern I would recommend.

    Regards,
    Shane.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 4.  RE: ISAM as PDP for authorization decisions

    Posted Tue June 18, 2019 03:52 AM
    Thanks Philip and Shane. These answers give us the direction we need.

    ------------------------------
    Michael
    ------------------------------



  • 5.  RE: ISAM as PDP for authorization decisions

    Posted Thu September 05, 2019 04:30 PM
    @Shane Weeden - Are you saying don't use ISAM as a centralized PDP for XACML? Trying to comprehend the pattern you are against.

    ------------------------------
    Stacey Moore
    ------------------------------



  • 6.  RE: ISAM as PDP for authorization decisions

    Posted Thu September 05, 2019 06:48 PM
    It's my position that that is in general not a common use of ISAM because of the entitlements management problem for fine-grained access. ISAM *can* be used as a general purpose PDP, but often the *data* needed to make the ultimate decision is not ISAM-managed data, and ISAM then becomes some kind of ESB responsible for calling out to a number of external data sources to get the data to make a decision. Seems like a fairly heavyweight implementation for what is essentially an if/then/else expression that an application is trying to implement.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 7.  RE: ISAM as PDP for authorization decisions

    Posted Thu September 05, 2019 08:20 PM
    Edited by Stacey Moore Thu September 05, 2019 09:47 PM
    I understand and agree with your viewpoint that yes, the data that ISAM needs to rely on is outside of ISAM. With that said, is your recommendation to just house the policy in ISAM and use DataPower as the enforcement points and let it do all the callouts to the external data points and then submit an XACML request to ISAM to evaluate? Essentially just submit requests with all the data to ISAM and let ISAM be the PDP so it doesn't have to do all the callouts?


    ------------------------------
    Stacey Moore
    ------------------------------
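The pattern Philip outlines in reply 2 (policy in the PDP, the bulk of the data in a data tier behind it) and the variant Stacey asks about in reply 7 (the PEP does the callouts up front and ships every attribute to the PDP in one XACML request) can be shown end to end in a few dozen lines. The example below is added here for illustration; it is not code from IBM, ISAM, DataPower or anyone in the thread. The PDP is a toy in-memory evaluator standing in for ISAM's engine, the user directory and resource ownership table are constructed dicts standing in for a DB/LDAP tier, and every `urn:example:...` AttributeId and obligation id is an assumption. The request and response shapes follow the XACML 3.0 JSON profile (`Request` with `AccessSubject`/`Action`/`Resource` categories, `Response` with a `Decision`), which is what a REST-style PEP-to-PDP exchange carries; the original post's rule "function X only if the user has the admin role" is the first rule in the policy, and Philip's "authentication as an obligation" appears as a step-up obligation attached to a Permit.

```python
"""Added example (not ISAM or DataPower code): PEP gathers attributes, PDP
evaluates XACML-style policy over a JSON-profile request."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data standing in for the external DB/LDAP tier.
USER_DIRECTORY = {
    "alice": {"roles": ["admin"], "department": "finance", "mfa": True},
    "bob": {"roles": ["analyst"], "department": "finance", "mfa": False},
    "carol": {"roles": ["admin"], "department": "hr", "mfa": False},
}
RESOURCE_OWNERSHIP = {"ledger-2019": "finance", "payroll": "hr"}


def build_request(user: str, action: str, resource: str) -> dict:
    """PEP side (the DataPower role in reply 7): do the callouts first, then
    package everything as an XACML 3.0 JSON-profile request. Category names and
    the Attribute list shape are from the profile; the AttributeIds are assumed."""
    profile = USER_DIRECTORY[user]
    return {"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": "urn:example:subject:id", "Value": user},
            {"AttributeId": "urn:example:subject:role", "Value": profile["roles"]},
            {"AttributeId": "urn:example:subject:department", "Value": profile["department"]},
            {"AttributeId": "urn:example:subject:mfa", "Value": profile["mfa"]},
        ]},
        "Action": {"Attribute": [
            {"AttributeId": "urn:example:action:id", "Value": action}]},
        "Resource": {"Attribute": [
            {"AttributeId": "urn:example:resource:id", "Value": resource},
            {"AttributeId": "urn:example:resource:owner", "Value": RESOURCE_OWNERSHIP.get(resource)},
        ]},
    }}


def attr(request: dict, category: str, attribute_id: str):
    """Look one attribute up in a request category; None if absent."""
    for a in request["Request"].get(category, {}).get("Attribute", []):
        if a["AttributeId"] == attribute_id:
            return a["Value"]
    return None


@dataclass
class Rule:
    rule_id: str
    effect: str                            # "Permit" or "Deny"
    target: Callable[[dict], bool]         # does the rule apply at all?
    condition: Callable[[dict], bool] = lambda r: True
    obligations: list = field(default_factory=list)


def _action(r): return attr(r, "Action", "urn:example:action:id")
def _roles(r): return attr(r, "AccessSubject", "urn:example:subject:role") or []
def _mfa(r): return bool(attr(r, "AccessSubject", "urn:example:subject:mfa"))
def _owner(r): return attr(r, "Resource", "urn:example:resource:owner")
def _dept(r): return attr(r, "AccessSubject", "urn:example:subject:department")


# Toy policy, deny-overrides. Rule 1 is the original post's "admin only" check
# lifted out of application code; rule 2 confines admins to their own
# department's resources; rules 3 and 4 permit reads/deletes, with a step-up
# obligation when the subject has not yet done MFA (Philip's "authentication
# as obligation").
POLICY = [
    Rule("deny-non-admin-delete", "Deny",
         target=lambda r: _action(r) == "delete",
         condition=lambda r: "admin" not in _roles(r)),
    Rule("deny-cross-department", "Deny",
         target=lambda r: _owner(r) is not None,
         condition=lambda r: _owner(r) != _dept(r)),
    Rule("permit-mfa-done", "Permit",
         target=lambda r: _action(r) in ("read", "delete"),
         condition=_mfa),
    Rule("permit-with-stepup", "Permit",
         target=lambda r: _action(r) in ("read", "delete"),
         condition=lambda r: not _mfa(r),
         obligations=[{"Id": "urn:example:obligation:require-mfa"}]),
]


def evaluate(request: dict) -> dict:
    """PDP side: any applicable Deny wins; else Permit with the obligations of
    every applicable Permit rule; else NotApplicable. No callouts happen here,
    which is the point of the reply-7 pattern."""
    applicable = [r for r in POLICY if r.target(request) and r.condition(request)]
    if any(r.effect == "Deny" for r in applicable):
        return {"Response": [{"Decision": "Deny"}]}
    permits = [r for r in applicable if r.effect == "Permit"]
    if not permits:
        return {"Response": [{"Decision": "NotApplicable"}]}
    result = {"Decision": "Permit"}
    obligations = [o for r in permits for o in r.obligations]
    if obligations:
        result["Obligations"] = obligations
    return {"Response": [result]}


def decide(user: str, action: str, resource: str) -> str:
    """Convenience wrapper: full PEP -> PDP round trip, returns the Decision."""
    return evaluate(build_request(user, action, resource))["Response"][0]["Decision"]


if __name__ == "__main__":
    for case in [("alice", "delete", "ledger-2019"), ("bob", "delete", "ledger-2019"),
                 ("bob", "read", "ledger-2019"), ("carol", "delete", "ledger-2019")]:
        print(case, evaluate(build_request(*case))["Response"][0])
```

Two things to take from running it: every attribute the policy touches was fetched by the PEP before the request was built, so the PDP needs no ESB-style callouts (Shane's objection in reply 6); and the obligation comes back as data in the response, so the PEP, not the PDP, decides how to satisfy it (redirect to step-up authentication, for instance). Whether that is worth the machinery over an in-application if/then/else is exactly the trade-off the thread debates.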



  • 8.  RE: ISAM as PDP for authorization decisions

    Posted Fri September 06, 2019 01:51 AM
    That is a reasonable approach, but to be perfectly honest I'm just not a big fan of XACML - I think of it as a sledgehammer for a thumbtack.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------