Sunday, July 8, 2018

Access Control and Mark Up Languages



Just like humans use language to talk to each other, we use languages to talk to computers as well. For identity management and access control purposes, we are going to learn about some specific languages, but before that, it is important to understand the basics.

Today, if you visit a website, you see different kinds of animations, text floating around, interactive advertisements, custom views and so on. How does this happen? It happens through markup languages and, of course, some background coding. What is a markup language then? A markup language is a way to structure text and data sets, and it dictates how these will be viewed and used. When you adjust margins and other formatting in a word processor, you are marking up the text in the word processor’s markup language. If you develop a web page, you are using some type of markup language.

One such language you will have heard about is HTML (Hypertext Markup Language). HTML came from Standard Generalized Markup Language (SGML), which in turn came from the Generalized Markup Language (GML).

If you design a web page today, there are multiple such languages to choose from. The markup language allows you to structure your web page and you can control how it looks and some of the actual functionality the page provides. The use of a standard markup language also allows for interoperability. Following basic markup language standards will help you design a page that looks exactly the same on any platform.

Now, you could say that you would use a particular language of your own to design a web page, or a particular company could choose to adopt a proprietary language of its own. You can appreciate the chaos this would cause by imagining what would happen if everyone on this earth decided to speak his or her own language.

So to make things standardized, intelligent minds came up with a solution: XML. XML is a universal and foundational standard that provides a structure for other independent markup languages to be built from while still allowing for interoperability. Markup languages with various functionalities were built from XML, and while each language provides its own individual functionality, as long as they all follow the core rules of XML they are interoperable and can be used across different web-based applications and platforms.

Sounds confusing? So let’s understand this through a simple example. Consider the English language. Mayur is a cybersecurity analyst, John is a zoologist and Karina is a chef. They can all speak to each other using the basic rules of English communication; the basic grammatical and sentence-building rules remain the same. However, each of these individuals can use this common language to talk in terms they understand better. So while Mayur uses terms such as firewall, cryptographic controls and mandatory access control, John uses terms such as carnivorous and mammals, and Karina uses words such as roasting, poached egg and simmering. Each profession has its own “language” to meet its own needs, but each is based on the same core language—English.

In a similar manner, the world wide web uses a common language, XML, and each profession can then build a new language on top of it to cater to its specific needs.

Now, I’m in the field of cybersecurity and I would like some languages tailored to identity and access management. So what should I do?

Well, the intelligent minds before us came together and developed some languages for you which we are going to learn about.

The first one is Service Provisioning Markup Language (SPML), which allows for the exchange of provisioning data between applications that could reside in one organization or in many.

Consider that John has joined the company IloveITSolutions as a security specialist. An account needs to be created for him, with access to multiple servers, accounts and what not. The language that comes to the administrator’s rescue is SPML. SPML allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration for electronically published services across multiple provisioning systems. This markup language allows for the integration and interoperation of service provisioning requests across various platforms.

It is easy to say that SPML will do all the work, but we must understand how it does that. SPML is made up of three main entities: the Requesting Authority (RA), which is the entity making the request to set up a new account or change an existing one; the Provisioning Service Provider (PSP), which is the software that responds to the account requests; and the Provisioning Service Target (PST), which is the entity that carries out the provisioning activities on the requested system.

When John joins the company, the RA is asked to get to work. The RA creates SPML messages, which provide the requirements of the new account. Whom does it send these requests to? The PSP. This piece of software reviews the requests and compares them to the organization’s approved account creation criteria. If these requests are allowed, the PSP sends new SPML messages to the end systems (PST) that the user actually needs to access. Software on the PST sets up the requested accounts and configures the necessary access rights.
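To make the RA, PSP and PST roles concrete, here is a small Python script I have added to this article (it is not part of any SPML product or of the OASIS specification text). The namespace and element names follow SPML 2.0; the approval rule, the target names, the attribute names and the in-memory account store are invented for illustration.

```python
# Added example (not from the original post): a toy SPML 2.0 provisioning round trip.
# The RA builds an addRequest, the PSP checks it against an approval rule, and the
# PST creates the account. Namespace and element names follow SPML 2.0; the
# approval criteria, target names and account store are invented for illustration.
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"
ET.register_namespace("spml", SPML_NS)

# Hypothetical organisation policy: which targets exist and which attributes a
# new account must carry before the PSP will forward the request.
APPROVED_TARGETS = {"linux-servers", "mail"}
REQUIRED_ATTRS = {"uid", "department"}

# Hypothetical PST state: one account store per target system.
PST_ACCOUNTS = {"linux-servers": {}, "mail": {}}


def ra_build_add_request(request_id, target_id, attrs):
    """Requesting Authority: serialise an SPML addRequest for a new account."""
    req = ET.Element(f"{{{SPML_NS}}}addRequest",
                     {"requestID": request_id, "targetId": target_id})
    data = ET.SubElement(req, f"{{{SPML_NS}}}data")
    for name, value in attrs.items():
        ET.SubElement(data, name).text = value
    return ET.tostring(req, encoding="unicode")


def psp_handle(request_xml):
    """Provisioning Service Provider: validate the request against the
    organisation's criteria, then forward it to the PST. Returns an addResponse."""
    req = ET.fromstring(request_xml)
    request_id = req.get("requestID", "")
    if req.tag != f"{{{SPML_NS}}}addRequest":
        return _response(request_id, "failure", "unsupported request")
    target = req.get("targetId")
    if target not in APPROVED_TARGETS:
        return _response(request_id, "failure", f"unknown target {target}")
    data = req.find(f"{{{SPML_NS}}}data")
    attrs = {child.tag: child.text for child in data} if data is not None else {}
    missing = REQUIRED_ATTRS - set(attrs)
    if missing:
        return _response(request_id, "failure",
                         "missing attributes: " + ",".join(sorted(missing)))
    # Approved: the PST on the target system performs the actual creation.
    if not pst_create_account(target, attrs):
        return _response(request_id, "failure", "account already exists")
    return _response(request_id, "success", "")


def pst_create_account(target, attrs):
    """Provisioning Service Target: create the account on the end system.
    Refuses to overwrite an existing account with the same uid."""
    store = PST_ACCOUNTS[target]
    if attrs["uid"] in store:
        return False
    store[attrs["uid"]] = dict(attrs)
    return True


def _response(request_id, status, message):
    """Build an SPML addResponse; a failure carries an errorMessage child."""
    resp = ET.Element(f"{{{SPML_NS}}}addResponse",
                      {"requestID": request_id, "status": status})
    if message:
        ET.SubElement(resp, f"{{{SPML_NS}}}errorMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def response_status(response_xml):
    """Pull the status attribute out of an addResponse."""
    return ET.fromstring(response_xml).get("status")


if __name__ == "__main__":
    print(psp_handle(ra_build_add_request(
        "r1", "linux-servers", {"uid": "john", "department": "security"})))
    print(psp_handle(ra_build_add_request("r2", "hr-database", {"uid": "john"})))
```

The point to notice is that the PSP is the control point: it rejects requests for targets that are not on the approved list and requests that lack the attributes the organisation requires, and only then does the PST touch the end system.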


Now John’s account is created in the organization. He has a set of credentials that are used to authenticate him. If John needs to access multiple web applications, there are two ways of authenticating him: either every application stores his credentials in its own database and compares them at authentication time, or the applications share the actual authentication data securely and in a standardized manner.

So which one sounds better? The second one is better and much more secure. But how does this happen in the background? A markup language helps implement it. Security Assertion Markup Language (SAML) is an XML standard that allows authentication and authorization data to be exchanged between security domains. In simple terms, this language helps implement federation. If you look confused, don’t be. Let’s say you log onto Trivago to choose the best hotel. By logging into Trivago, you provide your credentials only once. Trivago may redirect you to the website of Taj Hotels for further booking and then to Vistara Airlines for the flight booking, but you will not be asked to authenticate yourself multiple times. This is federation, and SAML helps you implement it.
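Here is a Python sketch I have added to show what the receiving website actually checks before it trusts a SAML assertion (this is my own illustration, not code from any SAML library or from the specification). Namespace and element names follow SAML 2.0; the entity IDs, the shared key and the user are invented, and the HMAC over the serialized assertion stands in for the XML Signature a real deployment would use.

```python
# Added example (not from the original post): a toy SAML 2.0 federation exchange.
# The identity provider (Trivago in the article's story) issues an assertion once,
# and each service provider checks it instead of re-prompting for a password.
# Namespace and element names follow SAML 2.0; the shared HMAC key stands in for
# the XML Signature a real deployment would use, and all names and URLs are invented.
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Hypothetical trust configuration shared between the IdP and the SPs.
IDP_ENTITY_ID = "https://idp.example.test/metadata"
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def idp_issue_assertion(subject, audience, now, lifetime=timedelta(minutes=5)):
    """IdP: build one assertion for `subject` that is valid only for `audience`
    and only for a short window. Returns (assertion_xml, signature_hex)."""
    a = ET.Element(f"{{{SAML_NS}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": now.strftime(TIME_FMT)})
    ET.SubElement(a, f"{{{SAML_NS}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML_NS}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{SAML_NS}}}Conditions", {
        "NotBefore": now.strftime(TIME_FMT),
        "NotOnOrAfter": (now + lifetime).strftime(TIME_FMT)})
    ar = ET.SubElement(cond, f"{{{SAML_NS}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML_NS}}}Audience").text = audience
    ET.SubElement(a, f"{{{SAML_NS}}}AuthnStatement",
                  {"AuthnInstant": now.strftime(TIME_FMT)})
    xml = ET.tostring(a, encoding="unicode")
    sig = hmac.new(SIGNING_KEY, xml.encode(), hashlib.sha256).hexdigest()
    return xml, sig


def sp_validate(assertion_xml, signature_hex, my_entity_id, now):
    """SP: accept the assertion only if it is intact, from a trusted issuer,
    addressed to this SP, and inside its validity window. Returns the NameID or None."""
    expected = hmac.new(SIGNING_KEY, assertion_xml.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature_hex):
        return None                       # tampered, or not from our IdP
    a = ET.fromstring(assertion_xml)
    if a.findtext(f"{{{SAML_NS}}}Issuer") != IDP_ENTITY_ID:
        return None                       # unknown issuer
    cond = a.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return None
    nb = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (nb <= now < na):
        return None                       # expired, or presented too early
    audiences = [e.text for e in cond.iter(f"{{{SAML_NS}}}Audience")]
    if my_entity_id not in audiences:
        return None                       # meant for a different service provider
    return a.findtext(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")


def demo():
    """Walk through the article's story: one login, then two service providers."""
    now = datetime(2018, 7, 8, 12, 0, tzinfo=timezone.utc)
    hotel, airline = "https://hotel.example.test/sp", "https://airline.example.test/sp"
    xml, sig = idp_issue_assertion("john", hotel, now)
    return (
        sp_validate(xml, sig, hotel, now + timedelta(minutes=1)),    # "john": accepted
        sp_validate(xml, sig, airline, now),                         # None: wrong audience
        sp_validate(xml, sig, hotel, now + timedelta(minutes=10)),   # None: expired
        sp_validate(xml.replace("john", "mayur"), sig, hotel, now),  # None: tampered
    )


if __name__ == "__main__":
    print(demo())
```

Note that the airline rejects the assertion that was issued for the hotel: the identity provider issues a separate assertion for each service provider, and the user is not prompted again simply because the identity provider already has a session for them. The audience restriction and the validity window are what stop an assertion captured at one site from being replayed at another.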

The last XML-based standard we will look at is Extensible Access Control Markup Language (XACML). XACML is used to express security policies and access rights to assets provided through web services and other enterprise applications. Continuing with the above example, how can we be sure that all three websites will use the same authentication mechanism? What happens when Trivago approves the authentication and sends a response to Taj Hotels? How does its website interpret it? SAML is just a way to send around your authentication information, such as a password, key, or digital certificate, in a standard format. SAML does not tell the receiving system how to interpret and use this authentication data.

XACML is both an access control policy language and a processing model that allows policies to be interpreted and enforced in a standard manner. So when John enters his credentials to authenticate himself, a rules engine on that system interprets and enforces the XACML access control policies. If the access control policies are written in the XACML format, they can be interpreted by everyone, allowing consistent security to be enforced and managed.
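To show what that rules engine does, here is a small XACML policy and a toy evaluator I have added to this article (my own illustration, not code from any XACML engine). Element names, category identifiers and the combining algorithm identifier follow XACML 3.0; the policy content, the attribute id `urn:example:role` and the sample requests are invented, and only the `string-equal` match function is implemented.

```python
# Added example (not from the original post): a small XACML 3.0 policy and the
# evaluation a policy decision point (PDP) performs on it. Element names and
# identifiers follow XACML 3.0; the policy content, the attribute id
# "urn:example:role" and the sample requests are invented.
import xml.etree.ElementTree as ET

X = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
STR = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy: security specialists may log in anywhere, but nobody may
# touch the HR database. deny-overrides makes the second rule win on conflict.
POLICY_XML = f"""<Policy xmlns="{X}" PolicyId="server-access" Version="1.0"
  RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="specialists-may-login" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STR}">security-specialist</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="urn:example:role"
          DataType="{STR}" MustBePresent="false"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STR}">login</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}"
          DataType="{STR}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="nobody-touches-hr-db" Effect="Deny">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STR}">hr-database</AttributeValue>
        <AttributeDesignator Category="{RESOURCE}" AttributeId="{RESOURCE_ID}"
          DataType="{STR}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""


def make_request(role, resource, action):
    """A request context: attribute bags keyed by (category, attribute id)."""
    return {(SUBJECT, "urn:example:role"): {role},
            (RESOURCE, RESOURCE_ID): {resource},
            (ACTION, ACTION_ID): {action}}


def _match(match, request):
    """One <Match>: true if the designated attribute bag contains the value.
    Only string-equal is implemented in this toy PDP."""
    value = match.findtext(f"{{{X}}}AttributeValue")
    des = match.find(f"{{{X}}}AttributeDesignator")
    bag = request.get((des.get("Category"), des.get("AttributeId")), set())
    return match.get("MatchId") == STRING_EQUAL and value in bag


def _target_applies(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    An empty or absent Target applies to every request."""
    if target is None:
        return True
    return all(
        any(all(_match(m, request) for m in allof.findall(f"{{{X}}}Match"))
            for allof in anyof.findall(f"{{{X}}}AllOf"))
        for anyof in target.findall(f"{{{X}}}AnyOf"))


def pdp_evaluate(policy_xml, request):
    """Evaluate every rule whose Target applies and combine with deny-overrides."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("this toy PDP only implements deny-overrides")
    if not _target_applies(policy.find(f"{{{X}}}Target"), request):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall(f"{{{X}}}Rule")
               if _target_applies(rule.find(f"{{{X}}}Target"), request)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def pep_allows(decision):
    """Policy enforcement point: anything other than an explicit Permit is refused."""
    return decision == "Permit"


if __name__ == "__main__":
    for role, res in [("security-specialist", "linux-server-01"),
                      ("security-specialist", "hr-database"),
                      ("chef", "linux-server-01")]:
        print(role, res, pdp_evaluate(POLICY_XML, make_request(role, res, "login")))
```

The third request returns NotApplicable rather than Deny because no rule mentions chefs at all; the enforcement point still refuses it, which is the fail-closed behaviour you want from a policy engine.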

Throughout the article, I have mentioned intelligent minds. Well, these minds are the Organization for the Advancement of Structured Information Standards (OASIS). This organization develops and maintains the standards for how various aspects of web-based communication are built and maintained.


What do you think of this? Have some other examples to improve this article? Fire them away in the comments section below.
