API dynamic authorization – Interview with Axiomatics

September 14, 2017 Stephane Castellani

I would like to warmly welcome David Brossard today, VP Customer Relations at Axiomatics.

Stephane Castellani: Hi David, can you please present Axiomatics in a few words?

David Brossard: The company is headquartered in Stockholm, Sweden and has offices across the US (including Chicago and Washington, D.C.). We are a team of approx. 60.

As the global independent leader in Dynamic Authorization solutions, our people, expertise, and our best-in-class software set us apart. Customers come to us to solve complex use cases around access control to APIs, applications, databases, Big Data, and microservices. Through a policy-based approach to dynamic authorization that utilizes the Attribute Based Access Control (ABAC) model, Axiomatics helps enterprises across industries lock down confidential data and IP while securely sharing and collaborating with authorized users.

SC: What is your flagship product?

DB: The Axiomatics Policy Server is our flagship product. It is the most complete solution available for enterprise-wide roll out of externalized dynamic authorization, delivered with Attribute Based Access Control (ABAC). It’s built from an eXtensible Access Control Markup Language (XACML), an industry standard originally authored by Axiomatics team members.

It is an independent solution which easily integrates with Identity & Access Management (IAM) tools from leading vendors in the space. The authorization APIs for all types of scenarios come combined with user-friendly interfaces for policy life-cycle management, service administration and monitoring.

SC: What needs does it answer?

DB: The Axiomatics Policy Server solves complex use cases around fine-grained access control – to help companies balance the need to share information and easily collaborate internally and externally, but also to lock down the most sensitive IP. Some common use cases you may hear are helping with the evolution from legacy role-based systems: role explosion, toxic combinations or managing segregation of duties. It also addresses complex control and compliance needs. Examples range from implementing export control in heavily regulated industries such as aerospace to securing sensitive medical information (PHI) in healthcare organizations.

SC: What is Dynamic Authorization for APIs and why is it important?

DB: API Gateways effectively manage the authentication of the user, secure the communications between clients and APIs, and provide service orchestration capabilities. But if business critical data, personally identifiable information (PII) or any other sensitive data is involved, additional fine-grained authorization capabilities are required to ensure information is being shared securely and under the right circumstances. Combining an API Gateway with dynamic authorization can help. ABAC is considered to be the next step in the evolution of access control. This scalable, forward-thinking way of managing access can help enterprises address business challenges by dynamically controlling access rights across an entire enterprise. This enables enterprises to manage the actions individuals or services can carry out on information assets such as documents, transactions and records.

Dynamic Authorization (or ABAC) takes a policy-based approach to govern who can access certain information and under what conditions. It uses a standards-based and rich policy language to capture policies and rules. ABAC provides an extensive set of possible combinations of those variables to reflect a broad set of possible rules, policies or restrictions on access. Attributes of the user, the resource, the API, the action, and the context can all be used to express authorization policies.

SC: How do you integrate with existing API Gateway vendors, such as Axway API Gateway?

DB: We have custom integrations with most leading API Gateways. For Axway, we work together well, and have several mutual customers, including the Danish Defence.

The Axway API Gateway supports coarse-grained authorization and has the OOTB capability to call out to Axiomatics Policy Server. By connecting the Axway API Gateway to APS it is possible to achieve finer-grained, centrally managed authorization using the very latest version of XACML 3.0.

Not only does this make the Axway API Gateway more secure, APS can also protect applications in other tiers, making it possible to centrally define and enforce the very same authorization policies across an enterprise’s entire IT ecosystem.

SC: What throughput can you manage? What is the largest technology challenge you usually face when integrating your product?

DB: Throughput is limited by the APIs that the API gateway secures. Both the Axway API gateway and the Axiomatics Policy Server can be easily scaled up to tackle larger loads. In some setups, Axiomatics has handled well over 20,000 requests per second.

In ways of integration there is little technology challenge given both products are implemented using mature, well-known standards. This makes integrating both products extremely easy for customers.

SC: Which industries and accounts do you target?

DB: We service a variety of customers across the United States and Europe, mostly Global Fortune 1000 companies. The industries we serve include but are not limited to: healthcare, pharmaceutical, insurance, financial services, media, manufacturing, power and utilities, federal government, software and high tech, and the private sector.

SC: What are the benefits of your product? Can you share any available ROI?

DB: Axiomatics helps businesses that are highly regulated, with data that is confidential in the form of intellectual property (IP) or relating to individuals’ privacy to ensure that information is securely shared only under the right conditions. We help organizations shift to using externalized dynamic authorization for applications, APIs, databases and Big Data, to accelerate digital transformation and meet the complexity of today’s access control demands.

Axiomatics delivers proven results with the ability to demonstrate ROI quickly in terms of efficiency, saving time/cost in the development process, speed to market for business initiatives. ROI is unique to our customers – in some cases we’ve improved speed of authorization tasks by 10x, especially as enterprises go enterprise-wide with the implementation. In addition, Axiomatics expands the possibilities and performance of development teams and helps customers gain a competitive advantage.

Using Axiomatics, companies can avoid multi-million dollar fines as well as save costly development time.

SC: How do you position on the market?

DB: Axiomatics is the industry leader in dynamic authorization solutions. We employ industry thought leaders and dynamic authorization experts (several members of the company hold Ph.D.s in areas relating to dynamic authorization and ABAC), including the original authors of the XACML standard.

In addition, the Axiomatics team holds 25 patents and counting. Our team has successfully deployed some of the world’s largest XACML projects to date.

SC: Which channels do you sell your product through? Online, via sales teams, via partners?

DB: We have a terrific sales team, supported by my technical team (Customer Relations) at each step of the way. And we also work with many outstanding partners that provide integration services, technology or supporting consulting work.

SC: Can you share with us a recent customer success story, indicating the challenges they faced and the outcomes they got with your product?

DB: The combined Axiomatics / Axway solution was successfully used to secure information at Denmark’s Ministry of Defense (MoD). This was a joint project with Axway, Axiomatics and Sopra Steria. The result was a secure solution for exposing APIs to send and receive information between the MoD’s network and e-Boks, the national platform for communicating with citizens. The solution also had to enable Danish Defence to communicate with other trusted third-party vendors, automate their processes, and sharply reduce costs.

The key challenges revolved around defining the APIs, the data flows, and the policies the customer wanted to apply.

SC: Can you share with us your product presentation video?

 

SC: Are there any other topics you would like our audience to be aware of about your company?

DB: Beyond APIs, Axiomatics can be used to secure other layers such as the presentation tier, enterprise service buses, business applications, microservices, databases, and big data systems.

Using externalized authorization with Axiomatics enables a consistent and coherent authorization across tiers which enables a more secure ecosystem, eliminates gaps, and breaks down silos.

SC: Thanks David for this excellent discussion. This was fascinating to hear about your expertise in API Dynamic Authorization.

DB: Thank you Stephane.

 

The post API dynamic authorization – Interview with Axiomatics appeared first on API Friends.
