How Commercial Off-the-Shelf (COTS) Applications Can be Supported with XACML

Joffry Ferrater   ·   Wednesday, August 2nd, 2017

As a Sales Engineer, it’s not uncommon to meet with a customer – or a prospective customer – who, along with securing APIs, microservices, and a web portal, would also like to secure some commercial off-the-shelf application (“COTS application” from here on). And why not? They see themselves shifting from the limitations of RBAC to the possibilities of ABAC, so the question makes sense. The challenge, of course, is that the said COTS application isn’t built by your team, nor can you change its already compiled code. So what can be done about it?

Often the answer depends on the situation, or better put: the answer depends on the application. Let me elaborate a bit on this in the following paragraphs.

Visiting The Netherlands last year, this topic came up again, albeit with an interesting angle that will help me tie my answer together in an unexpectedly neat way (wait for it… wait for it…). After discussing how Axiomatics could help implement ABAC on the data tier, accessed by multiple homegrown applications, one of the architects, I believe it was the “Microsoft guy”, asked the inevitable: “What about our COTS?” As it turned out, the prospect had a number of COTS that all supported access control through an integration with Active Directory LDAP. “How come this is the case?” I asked, sounding intrigued, but asking somewhat rhetorically.

The answer was that they simply required [it] of their vendors, as a “MUST HAVE” (yes, big letters) in any RFP. To sell to this company, up until now at least, you would have to support RBAC over (AD) LDAP.

Policy-Based Access Control Provisioning

In responding to that Dutch architect, I said that while it would require a smaller pre-study, one approach might be to provision access control to these LDAP enabled applications. The idea being that a XACML-based solution such as Axiomatics Policy Server (APS) could be used for centralized policy authoring, and a translation could be done to provide access control in a language the COTS would understand. One such approach is the Axiomatics provisioning solution for Microsoft SDDL. That smells like Active Directory, doesn’t it?

Intercept & Enforce Approach – the API & Container Tier

Provisioning to the COTS application is one option. A second option is that, if the COTS application expose an API (Application Programming Interface), then a plausible solution is to have a PEP (Policy Enforcement Point) in front of the API acting as a reverse proxy. Our partner Knowit Secure has successfully taken this approach in designing an ABAC solution for Microsoft Sharepoint (mhmm!).

A third option to look at comes from understanding how the COTS application is deployed. See, if the product runs in an application server such as Tomcat, JBOSS or WebSphere, you might be able to configure an agent or filter to do interception in the application server.

Intercept & Filter at the Data Tier

A fourth option (wow, so many) takes us back to that conference room in Amsterdam. You see, if the COTS application uses an external SQL database – and if the user identity is provided with the database query, then interception can happen at the data tier – preferably using a product such as ADAF MD which installs much like an invisible filter between the COTS and the data it consumes.

Lastly (and we are about to come full circle now so make your guess at how I will wrap this!), our friends at Gartner (2014) predict that:

“By 2020, 70 percent of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5 percent today.”

Wow, nice! But this is a change that doesn’t happen on its own. Instead, it takes customers sharing that vision to make it real. In practice, and as Gartner analysts have pointed out, customers need to demand of their solution providers to support ABAC when sourcing new applications.

Specifically, I would recommend that you require of your vendors that they support externalized and standardized ABAC, as in (OASIS) XACML 3.

As it turns out, requiring a vendor to support a feature isn’t all that strange. Some customers do it habitually and often get their way. The client we met in The Netherlands had already proven it could be done. And I wouldn’t be surprised if they are now about to do it again. Join them.

Read more about ABAC and Access Control on our Access Control 101 page.