Cybercom Enhanced Security Platform, CESP-Access

Page 1

Access control in CESP is performed by CESP-Access. Once the user has been uniquely identified, his/her ability to access data or applications is checked. The PEP (Policy Enforcement Point) is the gatekeeper that collects data about the caller and the request. This data is then sent to the Authorization Engine, which performs the check. The Authorization Engine uses the Axiomatic Policy Server to evaluate the policies.


Page 2

Cybercom

#2-12-2009


CESP-Access

The Access Control evaluates whether an actor has the required attributes to get access to a requested service. An actor can be a physical person or another service that needs access to one or more resources.

Access is based on all the user attributes. The application can, based on these attributes, grant access to the information according to its own access policies. The technique used is ABAC (Attribute Based Access Control). This way of granting access gives much more flexibility than traditional access control based on groups or roles. This flexible access control system also reduces the burden of extensive administration of groups and roles when many different applications can be accessed using the CESM-ID Single Sign-On functionality.

The rules that govern the access policies are managed using a graphical user interface that makes it very easy and intuitive to define and test different access control rules.

Technical Data

The components of CESP-Access are built with Microsoft’s .NET technology to ensure efficient integration with other .NET based applications. It may also integrate with legacy systems by using adapters that interpret log messages stored in text files.

Additionally, CESP-Access is built according to the Service Oriented Architecture (SOA) model and provides Web Service interfaces, which enable easy integration with other applications and technical platforms, such as Java based systems.

Page 3

Axiomatic Policy Server (APS)

Once the user has been uniquely identified, his/her ability to access data or applications is checked. APS is the authorization engine in CESP. The authorization process is performed in the same way across the whole CESP.

Access policies are defined using rules that are based on the eXtensible Access Control Markup Language (XACML). XACML is an OASIS-standardized XML language that, besides expressing access control rules, also makes it possible to formalize how rules should be interpreted and combined based on the attributes of the different entities they are applied to. The access control policies are stored in the Access Control Service.

CESP-Access Authorization Process

The following sections give an overview of the authorization process and the function of the PEP (Policy Enforcement Point) and the PDP (Policy Decision Point).

The service call delivers a SAML ticket which contains the caller’s attributes. This ticket has typically been produced by CESM-ID.

This ticket is then processed by the PEP and the PDP in accordance with the access policies that are defined using the XACML language.

CESP-Access PEP

All calls to a service always pass a check point that helps the service determine whether a request for an activity should be performed or whether the call should be rejected. This function is called the PEP (Policy Enforcement Point).

The PEP doesn’t take this decision on its own; rather, its task is to collect all facts about the properties of the caller, the attributes of the requested resources and other facts about the context in which the call is made. All this information is packed and sent to the Access Control service, which decides whether the call should be accepted or rejected.

CESP-Access PDP

The right to access the resources is based on the attributes of the requestor and the attributes of the resource that is requested. This function is called the PDP (Policy Decision Point) and is located in the access control service. The information is sent as an XACML Request Context.

All policies and rules are stored in the access control service. Based on these policies and rules and the information from the PEP, an access decision is taken. The decision is sent back to the PEP in an XACML Response Context. The service then gets the decision from the PEP and, depending on the answer, allows the caller access to the requested resources or not.
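The PEP/PDP exchange described above, as an added example that is not part of the Cybercom brochure: a small Python model in which the PEP flattens the caller's SAML ticket attributes, the resource attributes and the call context into an XACML-style request context, and the PDP evaluates XACML-style rules with a deny-overrides combining algorithm and returns a response context. The attribute names, the rules and the use of Python dicts in place of XACML XML are assumptions for illustration; the block also shows a fail-closed handling of a missing attribute (treated as Indeterminate), which goes beyond what the brochure states.

```python
"""Toy ABAC flow modelled on the CESP-Access PEP/PDP split (constructed
example, hypothetical attribute names and rules): the PEP builds an
XACML-style request context, the PDP evaluates rules and returns a response."""
# Each rule mirrors an XACML <Rule>: a target (all attributes must match) + effect.
POLICY = [
    {"id": "deny-payroll-outside-office-hours", "effect": "Deny",
     "target": {"resource.type": "payroll", "env.office_hours": False}},
    {"id": "permit-hr-read-payroll", "effect": "Permit",
     "target": {"subject.department": "HR", "resource.type": "payroll",
                "action.id": "read"}},
]

def build_request_context(saml_attrs, resource_attrs, action, env_attrs):
    """PEP: flatten the caller's SAML ticket attributes, the resource
    attributes, the action and the call context into one request context."""
    ctx = {"subject." + k: v for k, v in saml_attrs.items()}
    ctx.update({"resource." + k: v for k, v in resource_attrs.items()})
    ctx["action.id"] = action
    ctx.update({"env." + k: v for k, v in env_attrs.items()})
    return ctx

def rule_applies(rule, ctx):
    """True when every target attribute is present and equal, False when one
    differs, None (Indeterminate) when a required attribute is missing."""
    for attr, wanted in rule["target"].items():
        if attr not in ctx:
            return None
        if ctx[attr] != wanted:
            return False
    return True

def evaluate(policy, ctx):
    """PDP: deny-overrides, simplified so that an Indeterminate rule also
    blocks a Permit (fail closed). Returns an XACML-style response context."""
    outcomes = {}
    for rule in policy:
        match = rule_applies(rule, ctx)
        outcomes[rule["id"]] = ("Indeterminate" if match is None else
                                rule["effect"] if match else "NotApplicable")
    decision = "NotApplicable"
    for candidate in ("Deny", "Indeterminate", "Permit"):
        if candidate in outcomes.values():
            decision = candidate
            break
    return {"decision": decision, "rules": outcomes}

def pep_authorize(saml_attrs, resource_attrs, action, env_attrs):
    """PEP: let the service proceed only on an explicit Permit."""
    ctx = build_request_context(saml_attrs, resource_attrs, action, env_attrs)
    return evaluate(POLICY, ctx)["decision"] == "Permit"
```

A service guarded by this PEP proceeds only on an explicit Permit; NotApplicable and Indeterminate responses are rejected, which is the conservative reading of the XACML response.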

Page 4

Cybercom Group Europe AB (publ.), P.O. Box 7574, SE-103 93 Stockholm, Sweden. Phone: +46 8 578 646 00, www.cybercom.com


About Cybercom

The Cybercom Group is a high-tech consultancy that offers global sourcing for end-to-end solutions. The Group has established itself as a world-class supplier in these segments: security, portal solutions, mobile services, and embedded systems.

Thanks to its extensive industry and operations experience, Cybercom can offer strategic and technological expertise to these markets: telecom, industry, media, public sector, retail, and banking and financial services.

The Group employs 2,000 persons and runs projects worldwide. Cybercom has 28 offices in 11 countries. Since 1999, Cybercom’s share has been quoted on the NASDAQ OMX Nordic Exchange. The company was launched in 1995.

Contact Details

For further information, please contact:

Henrik Johansson, Business Unit [email protected], +46 70 825 00 80

or visit our website www.cybercom.com