A Brief on the Role of the Axway APIGW in ABAC

Short, sweet, and to the point: fewer than 500 words on the role of an API Gateway in ABAC security and how the pieces can tie together or be orchestrated. Enjoy!

The Axway API Gateway (APIGW) can take on many of the roles that make up an ABAC security architecture. While it is generally not used as the actual IDP (identity provider), it does have capabilities around user creation and attribute storage. More commonly the Axway APIGW is used to connect to one or more IDPs, such as LDAP, AD, SiteMinder, OAM, etc. When a user attempts to access a resource, the APIGW authenticates the user against the appropriate IDP, which can be chosen contextually by factors such as source IP, URI, service invoked, digital channel (i.e. mobile), etc. After successful authentication, the APIGW gathers attributes from the IDP and from any other sources, such as attribute servers, the user's credential (for example a PKI credential carrying an OU and the like), or microservices, to build out a profile for the user. This profile can either be cached locally, with a reference session ID or cookie handed to the user for future calls, or given to the user to resubmit on each call; the former is generally preferred because it lowers the bandwidth required and the amount of client-side storage.

For the secured resources themselves, the APIGW can create and store the entitlement management portion on behalf of the application or resource, can read the entitlement management portion from the resource and compare it to the authorization information collected in the form of user attributes, or can pass the attribute token through to the resource so that it makes the decision on its own behalf. As a result, it can act as a PDP, a PEP, or both, depending on the security architecture. Effectively this gives the APIGW the ability to tag the user, tag the data, and set the digital policy that compares the security assertions created against the entitlement management in order to make an appropriate authorization decision for the request, or anything in between.

The APIGW does not, however, have to act on the entire resource or application container. It can apply ABAC controls granularly to a response, redacting document fields before streaming them back to the user, which allows very fine-grained control based on the field names and attributes in the document's markup.

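To make the PDP/PEP split and the field-level redaction described above concrete, here is an added example in Python. It is not Axway code; the attribute names, the operator set and the policy format are assumptions of my own, and the user profile and document are constructed sample data.

```python
"""Toy ABAC decision (PDP) and enforcement (PEP) modelled on the gateway flow."""

# Constructed sample: attributes the gateway would have gathered from an IDP,
# an attribute server and a PKI credential (all hypothetical values).
USER_PROFILE = {"sub": "jdoe", "ou": "finance", "clearance": 2, "channel": "mobile"}

# Constructed entitlement policy for one resource: field -> list of attribute
# tests (attribute, operator, expected). Every test must hold to release a field.
FIELD_POLICY = {
    "account_id": [],                                           # always visible
    "balance":    [("ou", "eq", "finance")],
    "ssn":        [("ou", "eq", "finance"), ("clearance", "gte", 3)],
    "notes":      [("channel", "ne", "mobile")],                # not on mobile
}

# Operators the policy language supports (assumed, kept deliberately small).
OPS = {
    "eq":  lambda actual, expected: actual == expected,
    "ne":  lambda actual, expected: actual != expected,
    "gte": lambda actual, expected: actual >= expected,
}


def permitted(profile: dict, rules: list) -> bool:
    """PDP: all rules must hold; a missing attribute or unknown operator denies."""
    for attr, op, expected in rules:
        if attr not in profile or op not in OPS:
            return False
        if not OPS[op](profile[attr], expected):
            return False
    return True


def redact(profile: dict, policy: dict, document: dict) -> dict:
    """PEP: keep only fields the profile is entitled to.

    Fields with no policy entry are dropped too (default deny), so a new
    back-end field never leaks just because nobody wrote a rule for it.
    """
    return {
        field: value
        for field, value in document.items()
        if field in policy and permitted(profile, policy[field])
    }


# Constructed back-end response the gateway would filter before streaming it out.
DOCUMENT = {"account_id": "A-1001", "balance": 2500, "ssn": "000-00-0000",
            "notes": "vip customer", "internal_flag": True}

if __name__ == "__main__":
    print(redact(USER_PROFILE, FIELD_POLICY, DOCUMENT))
```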
Finally, because of where the APIGW sits, once it has completed the authentication and attribute retrieval portions of the security flow it can even generate new credentials (Basic, X.509, etc.) as needed and supply them dynamically to the back end according to its requirements, letting it serve as a full security token service as well as a lightweight ESB. The API Management and OAuth functionality extend this further, allowing developers or resource owners to choose different policies to secure their APIs and applications, and to manage things such as OAuth rights derived from SAML assertions, client credentials, and JSON Web Tokens, all of which the gateway can both consume and create. The Axway APIGW is a very powerful tool that can handle every aspect of ABAC and build custom, very granular process flows for any use case.
