Historically, access control solutions for government information sharing projects have been implemented on a project-by-project basis, using point solutions that are neither interoperable with each other nor flexible enough to handle the complex requirements of modern information sharing initiatives that cross traditionally isolated branches of government.
For this reason, policy-based access control (PBAC) approaches, which allow access rules to be defined and updated in a policy-oriented fashion, have become increasingly popular. The eXtensible Access Control Markup Language (XACML) has emerged as an extremely flexible policy expression language for PBAC.
Unfortunately, XACML was not quickly or widely adopted by identity and access management (IAM) vendors. Moreover, those IAM products that do provide some level of support for XACML usually fail to meet the loose-coupling and policy-based configuration goals required for PBAC best practices.
A best-practice solution for XACML-based PBAC consists of various architectural components. These components usually include a policy enforcement point (PEP), policy decision point (PDP), policy administration point (PAP), policy information point (PIP), obligation service (OS) and context handler (CH).
The core architectural requirements, the PEP and the PDP, can be met by deploying an XACML-enabled SOA, XML or API gateway at the edge of the departmental architecture. Specifically, a gateway appliance can serve as the central policy decision point and as part of the policy enforcement point. However, not all gateway appliances support XACML.
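As an added example (not CA's code and not an XACML implementation), the following simplified PDP/PEP/PIP loop shows how the components listed above fit together: the PIP enriches a request with subject attributes, the PDP evaluates rules under deny-overrides combining, and a deny-biased PEP grants access only on Permit and only once every obligation has been fulfilled. The policy, the subject directory and the obligation handler are constructed stand-ins for XACML's XML policies, attribute services and obligation service.

```python
from typing import Callable, Optional
from dataclasses import dataclass, field
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    effect: str                            # Permit or Deny
    target: dict                           # attribute -> required value; all must match
    condition: Optional[Callable] = None   # predicate over attributes; may raise on missing data
    obligations: list = field(default_factory=list)

def pip_lookup(request: dict) -> dict:
    """PIP: add subject attributes the PEP did not supply (constructed directory stands in for LDAP/SAML)."""
    directory = {"alice": {"clearance": "secret", "agency": "DHS"},
                 "bob": {"clearance": "confidential", "agency": "DOJ"}}
    return {**directory.get(request["subject"], {}), **request}

def evaluate_rule(rule: Rule, attrs: dict):
    if any(attrs.get(k) != v for k, v in rule.target.items()):
        return NOT_APPLICABLE, []
    try:
        if rule.condition and not rule.condition(attrs):
            return NOT_APPLICABLE, []
    except Exception:        # e.g. missing attribute: Indeterminate, never a silent Permit
        return INDETERMINATE, []
    return rule.effect, list(rule.obligations)

def pdp_decide(policy: list, request: dict):
    """PDP with deny-overrides combining: Deny beats Indeterminate, which beats Permit."""
    results = [evaluate_rule(r, pip_lookup(request)) for r in policy]
    decisions = [d for d, _ in results]
    for outcome in (DENY, INDETERMINATE):    # precedence order under deny-overrides
        if outcome in decisions:
            return outcome, []
    if PERMIT in decisions:
        return PERMIT, [o for d, obs in results if d == PERMIT for o in obs]
    return NOT_APPLICABLE, []

def pep_enforce(policy: list, request: dict, handlers: dict) -> bool:
    """Deny-biased PEP: grant only on Permit and only once every obligation is fulfilled."""
    decision, obligations = pdp_decide(policy, request)
    return decision == PERMIT and all(o in handlers and handlers[o](request) for o in obligations)

# Constructed policy: secret-cleared DHS staff may read case files; other agencies are denied.
POLICY = [
    Rule(PERMIT, {"action": "read", "resource": "case-file"},
         condition=lambda a: a["clearance"] == "secret", obligations=["audit-log"]),
    Rule(DENY, {"action": "read", "resource": "case-file"}, condition=lambda a: a["agency"] != "DHS"),
]
HANDLERS = {"audit-log": lambda req: True}   # constructed obligation service: record the access
```

Note that an unknown subject yields Indeterminate rather than Permit, and a Permit whose obligation the PEP cannot discharge is still refused.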
CA API Gateway is built on a legacy of award-winning XML and SOA functionality. The API Gateway provides wide support for XACML, allowing it to be used directly as an authorization policy language. It can also be used indirectly, by integrating with third-party XACML-compliant enterprise products.
CA API Gateway is recognized by top analyst firms as one of the leading appliances in its class. It comes with a range of government-grade security certifications (including FIPS 140-2 and Common Criteria) and is widely used across various branches of the US Federal Government.
CA API Gateway delivers two of the most important requirements for XACML-based PBAC:
When deployed as a centralized PDP, CA API Gateway can:
These PDP capabilities, combined with the ability of CA API Gateway to provide SAML-based attribute services and authentication token services through its integrated Secure Token Service (STS), make it possible to implement all aspects of policy decision, attribute collection and identity federation in a single product.