8

I have been working for quite a lot of time on a research project at University focused on Access Control. More specifically, I am studying how to protect personal data from unauthorized access in a distributed system and in general on the Internet.

In this context, I stumbled on the XACML (wiki, official spec) specification, which seemed quite interesting. After some time spent digging into it, though, it seemed more and more that no company would actually spend a lot of effort (time, money) in realizing the described architecture (to my understanding, it needs at least three different entities to store policies, evaluate them and enforce the decision).

I am still studying, so I don't know a lot about common industrial procedures: is something like XACML really implemented for data management and protection? If not, is there any alternative (possibly effective) technology which is employed?

It seems to me that most companies do not care so much about personal data protection (mostly because of the profit and insight gained from data analytics and ads), so I doubt that personal data protection is thoroughly employed.

giada
  • The NIST is now recommending a newer standard in favor of XACML. We haven’t seen much adoption of XACML due to the weaknesses listed in their report. https://www.nist.gov/publications/extensible-access-control-markup-language-xacml-and-next-generation-access-control-ngac – Patrick Parker Feb 16 '18 at 22:14
    The NIST is not recommending a new standard - what they are suggesting is their R&D project which is not a standard and does not address any of the issues in ABAC or XACML. – David Brossard Aug 29 '19 at 22:38

2 Answers

6

I am the author of the XACML wikipedia page and I work for one of the leading vendors, Axiomatics.

Yes, XACML is very much used across a wide range of verticals: from finance (a lot of banks even implemented their own engines as early as 12 years ago) to defense (a lot of export control-related use cases) and healthcare (after all, you need to prevent your company from ending up on HHS's Hall of Shame).

In the last couple of years, we've seen 2 new vendors and 2 new open source implementations surface (AuthZForce, for instance, is part of an EU project and is backed by Thales, one of the leading Defense companies globally). We've also seen the birth of ALFA, the Abbreviated Language for Authorization, a lightweight notation for XACML, and the definition of a JSON/REST Authorization API based on XACML (I actually wrote that piece myself). Axiomatics has expanded the use of XACML to Big Data and Cloud.

It seems to me that most companies do not care so much about personal data protection (mostly because of the profit and insight gained from data analytics and ads), so I doubt that personal data protection is thoroughly employed.

There are severe consequences for not implementing privacy rules. GDPR is one such example. This is the penalty:

If it is determined that non-compliance was related to technical measures such as impact assessments, breach notifications and certifications, then the fine may be up to an amount that is the GREATER of €10 million or 2% of global annual turnover (revenue) from the prior year.

That's a huge number. You definitely have an incentive to comply. And that does not include brand damage of course. Take a look at Equifax. Who trusts them nowadays?

And in the US, HIPAA is a piece of legislation you need to keep in sync with.

Remember that privacy is not the only reason you would want to use XACML. XACML is a policy-based language. It is aimed at authorization, i.e. determining whether a user can or cannot do a given action. It does not have to be about data privacy. It could be about business processes or trade secrets or IP protection. For instance, one of the customers at Axiomatics, a leading shoe manufacturer, uses Axiomatics Policy Server to make sure brand secrets are only shared with those managers with the right portfolio.

Ewan's point is excellent too: XACML is only one piece in your security arsenal. It is about deciding and enforcing. But before and after that, you want to do governance, access reviews, identity & entitlement management. You will need to implement the protection of your data at rest through data management & encryption. There is more to security than just the access control piece.

I hope this helps, David.

David Brossard
  • Wow! Thanks a lot :) my project is about implementing access control in a distributed system, with a particular focus on mobile agents. Would you advise using ALFA technology in an Android context? – giada Feb 15 '18 at 12:57
  • ALFA is more about the authoring, not so much about the engine so it won't change a thing in that context. Do google around on DBLP and similar sites. There has been a lot of research on AuthZ for mobile inc. looking into XACML – David Brossard Feb 15 '18 at 13:03
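The three-entity split the question describes (a place that stores policies, an engine that evaluates them, and a point in the application that enforces the answer) is small enough to sketch in a few dozen lines. The following is an added example, not code from the page, from Axiomatics or from any XACML engine: the policy shape, the combining algorithms, the attribute names and the medical-records scenario are all constructed for illustration, and the real XACML 3.0 and JSON profile encodings are considerably more elaborate.

```python
"""Minimal ABAC policy engine in the XACML architectural style (illustration only).

  PAP (policy administration point) - stores policies
  PDP (policy decision point)       - evaluates a request against them
  PEP (policy enforcement point)    - asks the PDP and enforces its answer

Policy shape, attribute names and sample data are constructed; they are not the
XACML 3.0 or JSON profile encodings.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# A request is a set of attribute categories, each a map of attribute-id -> value.
Request = Dict[str, Dict[str, object]]
Predicate = Callable[[Request], bool]


@dataclass
class Rule:
    effect: str            # PERMIT or DENY
    condition: Predicate   # evaluated only when the enclosing policy's target matches


@dataclass
class Policy:
    policy_id: str
    target: Predicate      # which requests this policy speaks to at all
    rules: List[Rule]
    algorithm: str = "deny-overrides"


def combine(decisions: List[str], algorithm: str) -> str:
    """Rule/policy combining, modelled on the standard XACML algorithm names."""
    applicable = [d for d in decisions if d != NOT_APPLICABLE]
    if not applicable:
        return NOT_APPLICABLE
    if algorithm == "deny-overrides":
        return DENY if DENY in applicable else PERMIT
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in applicable else DENY
    if algorithm == "first-applicable":
        return applicable[0]
    raise ValueError(f"unknown combining algorithm {algorithm!r}")


class PAP:
    """Policy Administration Point: where policies are authored and stored."""
    def __init__(self) -> None:
        self.policies: List[Policy] = []

    def add(self, policy: Policy) -> None:
        self.policies.append(policy)


class PDP:
    """Policy Decision Point: evaluates requests, knows nothing about enforcement."""
    def __init__(self, pap: PAP) -> None:
        self.pap = pap

    def evaluate_policy(self, policy: Policy, request: Request) -> str:
        if not policy.target(request):
            return NOT_APPLICABLE
        decisions = [r.effect if r.condition(request) else NOT_APPLICABLE for r in policy.rules]
        return combine(decisions, policy.algorithm)

    def decide(self, request: Request) -> str:
        # Top-level policy set: deny-overrides across every stored policy.
        return combine([self.evaluate_policy(p, request) for p in self.pap.policies],
                       "deny-overrides")


class PEP:
    """Policy Enforcement Point: sits in the application path and acts on the decision."""
    def __init__(self, pdp: PDP) -> None:
        self.pdp = pdp

    def is_allowed(self, subject: dict, action: str, resource: dict) -> bool:
        request: Request = {"subject": subject, "action": {"id": action}, "resource": resource}
        # Deny-biased: only an explicit Permit opens the door. NotApplicable
        # (no policy covered the request at all) is treated exactly like Deny.
        return self.pdp.decide(request) == PERMIT


def build_pap() -> PAP:
    """Constructed sample policies for a medical-records service."""
    pap = PAP()
    pap.add(Policy(
        policy_id="view-medical-record",
        target=lambda r: r["action"]["id"] == "view"
                         and r["resource"].get("type") == "medical-record",
        rules=[
            # Physicians may view records belonging to their own department ...
            Rule(PERMIT, lambda r: r["subject"].get("role") == "physician"
                                   and r["subject"].get("department") == r["resource"].get("department")),
            # ... but a restricted record is only for its attending physician.
            Rule(DENY, lambda r: r["resource"].get("restricted") is True
                                 and r["subject"].get("id") != r["resource"].get("attending")),
        ],
    ))
    pap.add(Policy(  # break-glass access, still subject to the set-level deny-overrides
        policy_id="break-glass",
        target=lambda r: r["action"]["id"] == "view",
        rules=[Rule(PERMIT, lambda r: r["subject"].get("emergency_access") is True)],
    ))
    return pap


def demo() -> Dict[str, bool]:
    """Runs constructed requests through the PEP; keys describe each scenario."""
    pep = PEP(PDP(build_pap()))
    cardio = {"type": "medical-record", "department": "cardiology"}
    restricted = dict(cardio, restricted=True, attending="dr-lee")
    kim = {"id": "dr-kim", "role": "physician", "department": "cardiology"}
    lee = {"id": "dr-lee", "role": "physician", "department": "cardiology"}
    ali = {"id": "rn-ali", "role": "nurse", "emergency_access": True}
    return {
        "same-dept physician": pep.is_allowed(kim, "view", cardio),
        "other-dept physician": pep.is_allowed(dict(kim, department="oncology"), "view", cardio),
        "restricted, not attending": pep.is_allowed(kim, "view", restricted),
        "restricted, attending": pep.is_allowed(lee, "view", restricted),
        "nurse with break-glass": pep.is_allowed(ali, "view", cardio),
        "break-glass on restricted": pep.is_allowed(ali, "view", restricted),
        "delete, no policy covers it": pep.is_allowed(lee, "delete", cardio),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:30s} -> {'allow' if allowed else 'deny'}")
```

The point worth noticing for the question's "three entities" concern is that nothing here requires three separate deployments: PAP, PDP and PEP are roles, and in a small system they can live in one process as long as the PEP never makes its own decisions and the PDP never touches the resource. The deny-biased PEP and the deny-overrides policy set are the parts a reviewer would check first, since a permissive default or a permit-overrides top level would let the break-glass policy expose the restricted record.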
2

The Wikipedia article lists major implementations: "SunXACML, Axiomatics, AuthzForce, InfoBeyond Technology", so it is being used.

I don't think many companies manage their regulatory compliance with a single piece of software though. I believe most do care about data protection, after all there are fines if you are caught. But in my experience the compliance regime is managed through a set of policies and checks.

For example you might have a data retention policy which says, "whenever you store data, fill in a form saying how long you are going to store it and why. Also note the process which deletes the old data and the audit check to perform to check whether it was deleted or not"

Now every system in the company will have a different technical solution to the deleting of the data. Cron jobs, expiring private keys, not storing anything etc. The compliance bit though is filling in the form and the audit trail.

After a while a slick salesperson will sell the company a "single sign on solution" to combine all the checks together, and this may well use one of the many possible authentication methodologies or standards.

But in all likelihood this will still only be one of many technical solutions in use at any given time, and auditors will still go back to the paper trail of "Show me the document which says what your policy is", "Show me the documents which show you are following your policy". They don't really care how you generate those documents.

Ewan