
API dynamic authorization–interview with Axiomatics

I would like to warmly welcome David Brossard today, VP Customer Relations at Axiomatics.

Stephane Castellani: Hi David, can you please present Axiomatics in a few words?

David Brossard: The company is headquartered in Stockholm, Sweden, and has offices across the US (including Chicago and Washington, D.C.). We are a team of approximately 60. As the global independent leader in Dynamic Authorization solutions, our people, expertise and our best-in-class software set us apart. Customers come to us to solve complex use cases around access control to APIs, applications, databases, Big Data, and microservices. Through a policy-based approach to dynamic authorization that utilizes the Attribute-Based Access Control (ABAC) model, Axiomatics helps enterprises across industries lock down confidential data and IP while securely sharing and collaborating with authorized users.

SC: What is your flagship product?

DB: The Axiomatics Policy Server is our flagship product. It is the most complete solution available for the enterprise-wide rollout of externalized dynamic authorization, delivered with Attribute-Based Access Control (ABAC). It’s built on the eXtensible Access Control Markup Language (XACML), an industry standard originally authored by Axiomatics team members.
It is an independent solution that easily integrates with Identity & Access Management (IAM) tools from leading vendors in the space. The authorization APIs for all types of scenarios come combined with user-friendly interfaces for policy life-cycle management, service administration, and monitoring.

SC: What needs does it answer?

DB: The Axiomatics Policy Server solves complex use cases around fine-grained access control – to help companies balance the need to share information and easily collaborate internally and externally, but also to lock down the most sensitive IP. Some common use cases you may hear are helping with the evolution from legacy role-based systems: role explosion, toxic combinations, or managing segregation of duties. It also addresses complex control and compliance needs. Examples range from implementing export control in heavily regulated industries such as aerospace to securing sensitive medical information (PHI) in healthcare organizations.

SC: What is Dynamic Authorization for APIs and why is it important?

DB: API Gateways effectively manage the authentication of the user, secure the communications between clients and APIs, and provide service orchestration capabilities. But if business-critical data, personally identifiable information (PII), or any other sensitive data is involved, additional fine-grained authorization capabilities are required to ensure information is being shared securely and under the right circumstances. Combining an API Gateway with dynamic authorization can help. ABAC is considered to be the next step in the evolution of access control.

This scalable, forward-thinking way of managing access can help enterprises address business challenges by dynamically controlling access rights across an entire enterprise. This enables enterprises to manage the actions individuals or services can carry out on information assets such as documents, transactions, and records.

Dynamic Authorization (or ABAC) takes a policy-based approach to govern who can access certain information and under what conditions. It uses a standards-based and rich policy language to capture policies and rules. ABAC provides an extensive set of possible combinations of those variables to reflect a broad set of possible rules, policies, or restrictions on access. Attributes of the user, the resource, the API, the action, and the context can all be used to express authorization policies.

SC: How do you integrate with existing API Gateway vendors, such as Axway API Gateway?

DB: We have custom integrations with most leading API Gateways. For Axway, we work together well, and have several mutual customers, including the Danish Defence.

The Axway API Gateway supports coarse-grained authorization and has the out-of-the-box (OOTB) capability to call out to Axiomatics Policy Server. By connecting the Axway API Gateway to APS it is possible to achieve finer-grained, centrally managed authorization using the very latest version of XACML 3.0.

Not only does this make the Axway API Gateway more secure, but APS can also protect applications in other tiers, making it possible to centrally define and enforce the very same authorization policies across an enterprise’s entire IT ecosystem.

SC: What throughput can you manage? What is the largest technology challenge you usually face when integrating your product?

DB: Throughput is limited by the APIs that the API Gateway secures. Both the Axway API Gateway and the Axiomatics Policy Server can be easily scaled up to tackle larger loads. In some setups, Axiomatics has handled well over 20,000 requests per second.

In terms of integration, there is little technology challenge given both products are implemented using mature, well-known standards. This makes integrating both products extremely easy for customers.

SC: Which industries and accounts do you target?

DB: We service a variety of customers across the United States and Europe, mostly Global Fortune 1000 companies. The industries we serve include but are not limited to: healthcare, pharmaceutical, insurance, financial services, media, manufacturing, power and utilities, the federal government, software and high tech, and the private sector.

SC: What are the benefits of your product? Can you share any available ROI?

DB: Axiomatics helps businesses that are highly regulated, with data that is confidential in the form of intellectual property (IP) or relating to individuals’ privacy to ensure that information is securely shared only under the right conditions. We help organizations shift to using externalized dynamic authorization for applications, APIs, databases, and Big Data, to accelerate digital transformation and meet the complexity of today’s access control demands.

Axiomatics delivers proven results with the ability to demonstrate ROI quickly in terms of efficiency, saving time/cost in the development process, and speed to market for business initiatives. ROI is unique to our customers – in some cases, we’ve improved the speed of authorization tasks by 10x, especially as enterprises go enterprise-wide with the implementation. In addition, Axiomatics expands the possibilities and performance of development teams and helps customers gain a competitive advantage.

Using Axiomatics, companies can avoid multi-million dollar fines as well as save costly development time.

SC: How do you position yourselves in the market?

DB: Axiomatics is the industry leader in dynamic authorization solutions. We employ industry thought leaders and dynamic authorization experts (several members of the company hold Ph.D.s in areas relating to dynamic authorization and ABAC), including the original authors of the XACML standard.

In addition, the Axiomatics team holds 25 patents and counting. Our team has successfully deployed some of the world’s largest XACML projects to date.

SC: Which channels do you sell your product through? Online, via sales teams, via partners?

DB: We have a terrific sales team, supported by my technical team (Customer Relations) at each step of the way. And we also work with many outstanding partners that provide integration services, technology, or supporting consulting work.

SC: Can you share with us a recent customer success story, indicating the challenges they faced and the outcomes they got with your product?

DB: The combined Axiomatics / Axway solution was successfully used to secure information at Denmark’s Ministry of Defense (MoD). This was a joint project with Axway, Axiomatics, and Sopra Steria. The result was a secure solution for exposing APIs to send and receive information between the MoD’s network and e-Boks, the national platform for communicating with citizens. The solution also had to enable Danish Defence to communicate with other trusted third-party vendors, automate their processes, and sharply reduce costs.

The key challenges revolved around defining the APIs, the data flow, and the policies the customer wanted to apply.

SC: Can you share with us your product presentation video?

SC: Are there any other topics you would like our audience to be aware of regarding your company?

DB: Beyond APIs, Axiomatics can be used to secure other layers such as the presentation tier, enterprise service buses, business applications, microservices, databases, and big data systems.
Using externalized authorization with Axiomatics enables a consistent and coherent authorization across tiers which enables a more secure ecosystem, eliminates gaps, and breaks down silos.
SC: Thanks, David, for this excellent discussion. It was fascinating to hear about your expertise in API Dynamic Authorization.

DB: Thank you, Stephane.
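As an added illustration of the attribute-based policy evaluation David describes above (the user, resource, action and context attributes, and the gateway calling out to a policy server), here is a small Python policy decision point in the XACML style. This is example code written for this page; it is not from the interview, from Axiomatics Policy Server, or from the Axway API Gateway. The policy, the attribute names, the hypothetical /patients/{id}/records API and the sample requests are all constructed assumptions.

```python
"""Minimal ABAC policy decision point (PDP) in the XACML style.

Constructed example: one policy with Permit and Deny rules over subject,
resource, action and environment attributes, a deny-overrides combining
algorithm, and a deny-biased policy enforcement point (PEP) of the kind an
API gateway would consult before forwarding a request.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# A request is a set of attribute bags keyed by XACML category.
Request = Dict[str, Dict[str, object]]
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    rule_id: str
    effect: str           # "Permit" or "Deny"
    condition: Condition  # predicate over the request attributes


@dataclass
class Policy:
    policy_id: str
    target: Condition     # which requests this policy applies to
    rules: List[Rule]


def evaluate_rule(rule: Rule, req: Request) -> str:
    """Effect if the condition holds, NotApplicable if it does not, and
    Indeterminate if an attribute the condition depends on is missing."""
    try:
        return rule.effect if rule.condition(req) else "NotApplicable"
    except KeyError:
        return "Indeterminate"


def evaluate_policy(policy: Policy, req: Request) -> str:
    """Deny-overrides combining: any Deny wins; an evaluation error must
    not be masked by a Permit; Permit only when no rule denied or failed."""
    try:
        if not policy.target(req):
            return "NotApplicable"
    except KeyError:
        return "Indeterminate"
    decisions = [evaluate_rule(rule, req) for rule in policy.rules]
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in decisions:
            return outcome
    return "NotApplicable"


def pep_allows(decision: str) -> bool:
    """Deny-biased PEP: only an explicit Permit lets the API call through;
    NotApplicable and Indeterminate are treated as a denial."""
    return decision == "Permit"


HTTP_TO_ACTION = {"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"}


def gateway_request(method: str, claims: Dict[str, object],
                    record: Dict[str, object], env: Dict[str, object]) -> Request:
    """Assemble a PDP request from what a gateway has at hand: the verified
    token claims, attributes of the record behind the URL, and context."""
    return {
        "subject": dict(claims),
        "resource": dict(record),
        "action": {"action-id": HTTP_TO_ACTION[method.upper()]},
        "environment": dict(env),
    }


# Constructed policy for a hypothetical /patients/{id}/records API.
PHI_POLICY = Policy(
    policy_id="phi-records",
    target=lambda r: r["resource"]["type"] == "medical-record",
    rules=[
        # A restricted record needs an explicit clearance attribute; if the
        # attribute is absent this rule is Indeterminate and the PEP denies.
        Rule("deny-restricted-without-clearance", "Deny",
             lambda r: bool(r["resource"].get("restricted", False))
             and not r["subject"]["restricted-clearance"]),
        # Physicians may read/update their own department's records in hours.
        Rule("physician-own-department", "Permit",
             lambda r: r["action"]["action-id"] in ("read", "update")
             and r["subject"]["role"] == "physician"
             and r["subject"]["department"] == r["resource"]["department"]
             and 7 <= r["environment"]["hour"] < 20),
        # Members of the record's care team may read it at any hour.
        Rule("care-team-read", "Permit",
             lambda r: r["action"]["action-id"] == "read"
             and r["subject"]["user-id"] in r["resource"]["care-team"]),
    ],
)


def decide(method: str, claims: Dict[str, object],
           record: Dict[str, object], env: Dict[str, object]) -> str:
    """Build the request the way a gateway would and evaluate the policy."""
    return evaluate_policy(PHI_POLICY, gateway_request(method, claims, record, env))
```

The point to carry over to a real deployment is the PEP's bias: the gateway forwards the call only on an explicit Permit, so a missing attribute, a policy that does not match, or a policy-server error all fail closed rather than open. A production XACML engine adds obligations, advice, attribute retrieval from external sources and a richer set of combining algorithms, but the decision shape is the same.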
