A centralized server for Authentication, Authorization and Auditing (AAA) using industry standards security components.
The processes of Authentication, Authorization and Auditing are fundamental and critical for business security. These activities, usually known as AAA, protect access to company data and the use of resources in general.
While globalized computing facilitates the exchange of information, it also increases security problems. To maintain high levels of data security it is therefore essential to be able to identify the user at all times (Authentication) and know what he is allowed to do (Authorization).
It is equally important to understand who performed a particular operation (Auditing). These three issues have given rise to a series of solutions in a scenario usually referred to as AAA: Authentication, Authorization, Auditing.
The issue of AAA has existed since the origins of IT, and for this reason various solutions are available on the market.
Most of these solutions are incorporated fully or partially inside the application. It appears that application streamlining was very difficult to implement, especially in the case of authorization.
The solution proposed by Primeur is Spazio A3 Server, an AAA class tool that allows businesses to achieve significant savings, agility, flexibility and adhesion thanks to the following characteristics:
- Central service external to the applications
- Reuse of existing infrastructures such as LDAP and Active Directory, or the possibility to create new ones based on a wide choice of technologies
- Standards based
- Acts as a central service for any application or process
- Allows high flexibility as company needs change.
Architecture: components, interfaces, functions
Spazio A3 Server behaves as a generalized server, accessible using common techniques such as WS or Java APIs, that can resolve AAA problems for applications.
- User and Password on Active Directory/LDAP, sequential file
- Authentication with X.509 certificates
- OTP Authentication
- Authentication with the Radius protocol
- … and others.
Its main characteristics are:
- Based on standards: XACML
- Authorization policies completely external to applications
- Allows fine grain authorization, down to the field content level
- Authorization may depend on the context and the attributes of the user, according to the ABAC (Attribute Based Access Control) scheme, which is more powerful and flexible than RBAC
The deployment of Spazio A3 Server
Spazio A3 Server is a component with a modern architecture based on recognized SOA ESB standards for deployment of the solution. The PEP and PDP elements are particularly important.
The PEP, Policy Enforcement Point, is the architectural point that is logically delegated to intercept processes/users trying to access a resource. It enforces the relevant policies after requesting instructions from the PDP. The PEP doesn’t make decisions on access, but simply requests “instructions” from the PDP and applies them to the user/process intercepted.
The PDP is provided by A3 Server and is the central component of the architecture. The PDP is the decision maker that gives the green (or red!) light for access to the protected resources, based on the parameters received and according to policies.