Keystone is a software solution that provides fine-grained authorization using the XACML standard. Keystone enables consistent management of fine-grained access to applications, web services, and data regardless of operating system or application framework. In most cases, developers do not need to write a single line of code in order to fully protect applications, services, and data with comprehensive access control capabilities.
Implementing the industry-standard XACML, versions 2.0 and 3.0, Keystone delivers fine-grained authorization that accommodates a broad range of access-control policy needs by supporting the entire XACML specification, and it handles attribute-based access control (ABAC) decisions as well as role-based access control (RBAC) decisions. Keystone has an extensible architecture that supports virtually all authorization-related use cases.
BiTKOO is fully committed to supporting industry standards and is an active participant and sponsor of OASIS, the standards body governing the XACML standard.
Most systems can be Keystone-enabled using the various methods made available by the Keystone components and API. For example, legacy applications that can only consume LDAP can use Keystone's LDAP interface. Keystone also supports JSP, ASP.NET, Silverlight, WinForms, WPF, WCF and CXF applications, among other frameworks.
The XACML policies Keystone loads are compiled into machine code before evaluation, giving significant performance gains over interpretive techniques; this, combined with advanced caching algorithms, makes Keystone the fastest and most scalable XACML engine in the industry.
In addition to the Keystone PDP, there are a growing number of PEPs that provide out of the box policy enforcement for the following platforms:
To understand the benefits of Keystone, consider a typical enterprise application, which generally consists of multiple layers:
Front end: JSP, ASP.NET, Silverlight, iOS, Flex, etc.
Middle tier: SOAP- or REST-based web services, e.g. WCF or CXF.
Database: SQL Server, MySQL, DB2, Oracle, Azure SQL, etc.
Enterprise architects must ensure that data and services flowing through multiple application layers are protected from unauthorized access. Historically, a great deal of effort and cost went into ensuring that only authorized users and system components could reach functionality and data, and with every new system, new security logic and code was developed. Aside from being expensive to develop, this “one-off” approach often yielded sub-par results because:
First, applications were built around one specific authentication mechanism, such as LDAP, Kerberos or SAML, and the authorization interface was custom-built by the application developers. This proved problematic and expensive: when an organization wished to change the authentication mechanism, applications had to be retrofitted and recertified. Keystone addresses this by providing fine-grained authorization out of the box, decoupled from the authentication mechanism. Second, when every application managed authorization in its own way, it was impossible to obtain a report showing the access rights users currently have, or had in the past, across applications. Administrators were forced to learn a separate user interface for managing each application's entitlements, reporting was difficult at best, and the cost of developing new applications was substantially higher. Keystone externalizes the authentication and authorization logic from the application code, allowing administrators to run customized reports on who has or had access to what data and who granted that access.
On average, security-related code represents approximately 30% of the development cost of a new application. When security is re-invented with every project, the overall system is less secure, more expensive (by that 30%) and leaves the organization less able to respond quickly to change. Keystone allows an organization to develop applications without having to think about how to handle authentication, federation, single sign-on, fine-grained authorization, audit trails and access reporting. This is achieved through access policies, which Keystone stores and associates with the objects it has been configured to protect. Access policies are evaluated at runtime using data held in enterprise directories and databases.
PDP (Policy Decision Point): evaluates requests received from policy enforcement points (PEPs) and returns a decision, or a set of decisions under the XACML Multiple Decision Profile, of Permit, Deny, NotApplicable or Indeterminate.
PEP (Policy Enforcement Point): enforces entitlement policies within or close to the applications and data being protected. It submits access requests to the PDP that carry attributes of the resource(s) being accessed, the subject (user), the action and the environment, and enforces the decision it receives. How a PEP treats NotApplicable and Indeterminate is left to the PEP; a deny-biased PEP, which grants access only on an explicit Permit, is the safe default.
PAP (Policy Administration Point): the centralized location where policies are written and stored. Keystone's PAP allows administrators to create, update or delete policies written in XACML 2.0 and 3.0; all data access is audited and exportable, and the PAP is available both graphically and programmatically (via web service calls).
PIP (Policy Information Point): a component used by the PDP to gather attributes from external data sources such as directories, databases, web services and other stores. If a policy requires an attribute, or a set of attributes, about a user that the PEP did not include in the request, the PDP asks the PIP to retrieve it. The Keystone PIP architecture is plug-in based and can communicate with any data source.
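The four components above form one loop: the PEP sends a request, the PDP evaluates the policy the PAP stored, and the PIP fills in attributes the PEP did not send. The Python sketch below is an added example that walks that loop end to end; it is not Keystone's engine or API. It uses the real XACML 3.0 namespace, category and function identifiers, but the policy, the "resource-type", "role" and "account-status" attribute ids, the directory behind the PIP and every request are constructed for illustration. It implements only the string-equal match, rule targets and a simplified deny-overrides combining algorithm, enough to produce all four decision values, including Indeterminate when a required attribute cannot be resolved.

```python
# Toy XACML 3.0 decision loop (added example, not Keystone's engine): a PEP request, a PDP
# evaluating one constructed deny-overrides policy, and a PIP for attributes the PEP omitted.
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

def match_xml(category, attribute_id, value, must_be_present="false"):  # one <Match> element
    return (f'<Match MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS_STRING}">{value}'
            f'</AttributeValue><AttributeDesignator Category="{category}" AttributeId="{attribute_id}" '
            f'DataType="{XS_STRING}" MustBePresent="{must_be_present}"/></Match>')

# Constructed policy ("resource-type", "role", "account-status" are assumed attribute ids):
# physicians may read medical records; suspended accounts are denied; role is mandatory.
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="medical-records" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf>{match_xml(RESOURCE, "resource-type", "medical-record")}</AllOf></AnyOf></Target>
  <Rule RuleId="physician-read" Effect="Permit"><Target><AnyOf><AllOf>
    {match_xml(SUBJECT, "role", "physician", "true")}{match_xml(ACTION, ACTION_ID, "read")}
  </AllOf></AnyOf></Target></Rule>
  <Rule RuleId="deny-suspended" Effect="Deny"><Target><AnyOf><AllOf>
    {match_xml(SUBJECT, "account-status", "suspended")}</AllOf></AnyOf></Target></Rule>
</Policy>"""

DIRECTORY = {"alice": {"role": ["physician"], "account-status": ["active"]},     # constructed
             "bob": {"role": ["physician"], "account-status": ["suspended"]}}    # identity store

def pep_request(subject_id, resource_type, action):  # what the PEP knows locally, nothing more
    def attrs(category, attribute_id, value):
        return (f'<Attributes Category="{category}"><Attribute AttributeId="{attribute_id}" IncludeInResult="false">'
                f'<AttributeValue DataType="{XS_STRING}">{value}</AttributeValue></Attribute></Attributes>')
    return (f'<Request xmlns="{NS["x"]}" ReturnPolicyIdList="false" CombinedDecision="false">'
            f'{attrs(SUBJECT, SUBJECT_ID, subject_id)}{attrs(RESOURCE, "resource-type", resource_type)}'
            f'{attrs(ACTION, ACTION_ID, action)}</Request>')

def parse_request(xml_text):  # flatten <Request> into {(category, attribute_id): [values]}
    flat = {}
    for block in ET.fromstring(xml_text).findall("x:Attributes", NS):
        for attr in block.findall("x:Attribute", NS):
            key = (block.get("Category"), attr.get("AttributeId"))
            flat.setdefault(key, []).extend(v.text for v in attr.findall("x:AttributeValue", NS))
    return flat

def directory_pip(category, attribute_id, request):
    """Toy PIP: resolve a subject attribute the PEP did not send by looking the subject up."""
    subject = request.get((SUBJECT, SUBJECT_ID))
    if category != SUBJECT or not subject:
        return []
    return list(DIRECTORY.get(subject[0], {}).get(attribute_id, []))

class Indeterminate(Exception): pass  # a <Match> could not be evaluated

def eval_match(match, request, pip):
    if match.get("MatchId") != STRING_EQUAL:
        raise Indeterminate("unsupported function " + match.get("MatchId"))
    literal = match.find("x:AttributeValue", NS).text
    des = match.find("x:AttributeDesignator", NS)
    key = (des.get("Category"), des.get("AttributeId"))
    values = request.get(key)
    if values is None:                  # not in the PEP's request: ask the PIP
        values = pip(key[0], key[1], request)
    if not values and des.get("MustBePresent") == "true":
        raise Indeterminate("required attribute missing: " + key[1])
    return literal in values

def eval_target(target, request, pip):
    """<Target> is a disjunction (AnyOf) of conjunctions (AllOf); an empty one matches all."""
    if target is None or len(target) == 0:
        return True
    return any(all(eval_match(m, request, pip) for m in allof.findall("x:Match", NS))
               for anyof in target.findall("x:AnyOf", NS)
               for allof in anyof.findall("x:AllOf", NS))

def evaluate(element, effect, request, pip):
    """Outcome of one element with a <Target>: its effect, NotApplicable or Indeterminate."""
    try:
        return effect if eval_target(element.find("x:Target", NS), request, pip) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"

def decide(policy_xml, request_xml, pip=directory_pip):
    """PDP: gate on the policy target, then combine rules with (simplified) deny-overrides."""
    policy, request = ET.fromstring(policy_xml), parse_request(request_xml)
    gate = evaluate(policy, "Applicable", request, pip)
    if gate != "Applicable":
        return gate                                   # NotApplicable or Indeterminate
    results = [evaluate(r, r.get("Effect"), request, pip) for r in policy.findall("x:Rule", NS)]
    return next((d for d in ("Deny", "Indeterminate", "Permit") if d in results), "NotApplicable")

def demo():  # four PEP requests and the PDP's decision for each
    cases = {"alice reads record": ("alice", "medical-record", "read"),      # Permit
             "bob reads record": ("bob", "medical-record", "read"),          # Deny: suspended
             "alice reads invoice": ("alice", "invoice", "read"),            # NotApplicable
             "mallory reads record": ("mallory", "medical-record", "read")}  # Indeterminate: no role
    return {case: decide(POLICY_XML, pep_request(*args)) for case, args in cases.items()}
```

Two things worth noticing. The PEP never sends "role" or "account-status"; the PDP only learns them because the designator is missing from the request and the PIP is consulted, which is exactly the division of labour the definitions above describe. And when the PIP cannot answer for a subject whose role the policy marks MustBePresent="true", the result is Indeterminate rather than a silent NotApplicable, which is why a deny-biased PEP matters: passing `pip=lambda c, a, r: []` to `decide` (a PIP outage) turns alice's Permit into Indeterminate, and the PEP must treat that as a refusal.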

Increased Efficiency
Keystone presents a single point from which to manage, report, and enforce access policies across enterprise and departmental applications. Organizations no longer have to collect, collate, and transform access and audit information from disparate systems. All access to any selected system, as well as grants and privileges established for any specific user, are now easily obtained through standard and extensible reports.
Business Agility
Keystone decouples applications from the underlying authentication sources, and by doing so, future-proofs applications against changes to a business’s directory and other identity infrastructure components. For example, if an organization decides to adopt a two-factor authentication product, or switches to different directory technology, Keystone-enabled applications do not need to be changed.
Standardization for Fine-Grained Authorizations to Support Interoperability
By employing an industry-standard fine-grained authorization “dial-tone”, organizations prepare and future-proof their systems for interoperability with future infrastructure components, cloud systems, and management and monitoring applications.
Policy Flexibility
Keystone allows for real-time changes to authorization policy without requiring changes to application logic. By supporting all of the XACML profiles, organizations can confidently define any type of authorization scenario without requiring custom code to be written.
Strengthened Security
Keystone externalizes and unifies security policies across application and technology silos, eliminating inconsistencies in how policies are created, deployed, enforced and made to interoperate. Administrators can create ethical walls, which permit the enforcement and audit of segregation of duties. The Keystone PEPs were designed to shield developers from having to re-invent security algorithms and techniques, which are built into the product.
Schedule a web demo to learn more about the features and benefits of Keystone.