Last Updated: 25 March 2022
Document Id: tch-vendor-assess-axiomatics
Author: simonm@thecyberhut.com
Part of Research Product: Next Generation Authorization – A Market Overview

Company Key Facts

Web – https://www.axiomatics.com/ 
LinkedIn – https://www.linkedin.com/company/axiomatics/ 
Twitter – https://twitter.com/axiomatics 
YouTube –  https://www.youtube.com/user/axiomaticsab 
Founded Date: 2006
Founders: Babak Sadighi, Erik Rissanen
No. of Employees: ~60
Total Funding: $6.5 million
Locations: Chicago US, Stockholm Sweden
In Their Own Words: “Orchestrated Authorization is the future of authorization”
“It’s time for a modern approach to attribute-based access control (ABAC) that is at the center of a successful Zero Trust strategy, solving even the most complex access challenges.”

Funding

Announced Date | Transaction Name | Number of Investors | Money Raised | Lead Investors
May 7, 2013 | Venture Round – Axiomatics | 3 | $6.5M | Monterro

Source: Crunchbase

Axiomatics has had one official funding round, from May 2013, raising $6.5 million.

Customer Case Studies

Customer: Un-named
Region / Sector: USA / Finance for Energy
Details: A financial services organisation, specifically focused on the energy sector, had a home grown authorization system built around a complex B2B2C model.  This model was outdated and RBAC based, with permissions siloed in different systems, and a lack of visibility hampered productivity and security.
✔ Improved FICAM (Federal Identity Credential & Access Management) Compliance
✔ Migration to policy driven approach
✔ Secure third party sharing model
✔ Regulation to policy mapping
Further Details

Customer: Un-named
Region / Sector: USA / Fortune 500 Freight
Details: With 50,000 employees and 175,000 user accounts under control, legacy RBAC projects had resulted in over 54,000 roles and 800,000 user to role assignments: an inefficient model that was hampering future developments.  Distributed and duplicated authorization data was also a concern.
✔ Authorization responsibility shift from IT to the business
✔ Migration to an ABAC model
✔ Leverage standards
✔ Leverage contextual and risk based access control
Further Details

Customer: Danish Defence Agency
Region / Sector: Denmark / Defence
Details: The Danish Defence force required an API first way of securely communicating with internal and citizen based identity services.  The aim was to reduce reliance on physical and manual data communications through the use of an API gateway and a centralised policy management solution.
✔ 96% reduction on paper communications
✔ Reduced reliance on manual USB data exchanges
✔ 6 months RoI
Further Details

Full list available from the Axiomatics website.

Technology Key Facts

Go To Market Message: Centralised Orchestrated Authorization
Solutions: IP Protection / Secure Collaboration / Export Control Compliance / IoT Access Control / PII Protection / Financial Transaction Control
Products / Platform: Application Authorization / Database Authorization / ABAC / Centralised Management / API Protection / Standards / PAP, PDP, PEP
Useful Links: Request a Demo

Technology Review

Overview

Axiomatics is a long standing and mature authorization provider.  They have a range of case studies describing the supply of centralised authorization functionality to both public and private sector clients.

They were an early supporter of the XACML authorization language and have since added a range of capabilities for protecting APIs, applications and data across a range of different deployment options.

They, like many authorization providers, are benefiting from the large increase in interest in authorization due to zero trust adoption, B2B2X ecosystems, cloud-native environments and the API-first economy.

What They Do

Orchestrated Authorization

A relatively recent narrative Axiomatics have adopted is focused upon Orchestrated Authorization.  A press release in February 2022 explained the new direction.  They seem to be focusing on cloud-native ecosystems, providing a framework for bringing business and technical stakeholders together to create authorization policies that improve security and efficiency.

Whilst authorization is a common concept in many enterprises, Axiomatics describes existing implementations as isolated and unable to scale.

Orchestrated Authorization aims to:

✔ Focus on FGAC – fine grained access control

✔ Multi-layered protection – application, data, APIs

✔ Contextually aware

✔ Business facing user interface

✔ Developer adoption tools

There seem to be a number of external factors driving the need for something like an orchestrated approach.  Business maturity, the increased need for an identity-centric approach to security, increasing threats and, perhaps more importantly, unknown and at times existential threats such as the pandemic are pushing organisations towards a centrally managed authorization control stack that can protect assets of a range of different classifications across different deployment models.

A key catalyst in the success of authorization however, is making sure the business is correctly represented in the policy design and ongoing operational maintenance processes.  Any authorization system needs to correctly represent the business outcomes it aims to protect, along with the correct level of observability, success metrics and the ability to evolve and adapt.

It seems the Axiomatics Orchestrated Authorization approach is trying to bring those stakeholders together.

Their “State of Authorization 2022” whitepaper explains this approach in more detail.  

An interesting comment in that paper is the use of “signals” in the authorization process.  The signals approach was popularised first by the authentication platform providers and more recently by the SOAR (security orchestration, automation and response) providers, who saw the need to integrate attributes from a multitude of different data sources in order to make more informed decisions.

These signals could come from persistent data stores (such as groups and identity attributes) or be more contextual, such as data pertaining to the current request or transaction history.  More information essentially means more power to make finer grained decisions.

Authorization for Applications

But what are Axiomatics seeking to protect?  They break down their go to market into two buckets: applications and data.

Application protection seems focused on migrating customers away from existing role based access control (RBAC) deployments, where role explosion, data separation and a lack of future proofing are driving the need for something more attribute-based in nature.

The concept is to apply runtime security based on identity attributes, analysed by a centralised policy system that contains the rules logic to deliver fine grained application access.

Axiomatics externalises authorization logic from within the applications and centralises that logic in the form of policies.  This can increase security visibility by having a single-pane of glass that can see protected assets and the fine grained controls that are in place.

Enforcement via gateway services, or native REST call-outs to the centrally managed policy centre, allows for a flexible deployment pattern.  Integration with Open Policy Agent as a decision engine is also possible.

Database Authorization

Whilst web application and API protection is a huge area of demand, the underlying data is also of huge importance to both the security and compliance functions of many large organisations.

Here Axiomatics provides a SQL interceptor that in turn also integrates with the centralised policy repository.  Depending on policy evaluation, the downstream SQL request can be re-written to reduce data exposure, or even transform the requested data into something more policy compliant.

Why They Do It

IP Protection

Intellectual Property (IP) is a huge concern across numerous sectors, from pharmaceuticals and manufacturing to the military and many other innovation driven industries.  Axiomatics has a narrative that addresses export controls, secure collaboration, finance account management and IoT data protection.

Secure Collaboration

The modern enterprise is now a highly dependent and complex supply chain – covering partnerships, federated relationships and other business entity interactions.  Axiomatics aims to deliver the ability to open up infrastructure to potentially untrusted parties, in an efficient and cost reducing manner.

IoT Access Control

IoT data generation, aggregation and sharing result in new requirements as they pertain to scale, elasticity and efficiency.  Axiomatics has a dedicated IoT offering built on attribute based policy.

PII Protection

Personally Identifiable Information (PII) has come to the forefront due to compliance initiatives such as the GDPR and, in the United States, the CCPA.  The consumer has more power than ever before, and their sensitive data needs to be protected in a way that is in tune with competitive business operations.

How They Do It

Axiomatics describes their offering as an authorization platform that provides a range of capabilities from centralised management to distributed enforcement options.

Source: Axiomatics website

Policy Management Services

Policy management is handled by the Axiomatics Service Manager (ASM). This is essentially the policy administration point (PAP) which is typically deployed by customers within their own environment – albeit this could be in a cloud-native environment.  

This web based console allows for the centralised administration and management of control domains, policies and the operational governance of the environment.

The ASM allows for the creation of policy sets, policies and rules in order to protect downstream assets.  The ASM has attribute connectors that can ingest persistent data from the likes of LDAP stores and SQL databases that can be leveraged during rule creation. 

Source: Axiomatics YouTube channel

Modelling

A major challenge for any authorization project is how to model policy.  The ASM is the central console where business and application stakeholders can be invited to help design the necessary security controls, develop migration plans from existing authorization solutions, or help to augment existing decision points such as Open Policy Agent.

ALFA 

Axiomatics promotes the ALFA language for the rapid creation of authorization logic.  ALFA stands for the Abbreviated Language for Authorization.  ALFA is an OASIS standard aimed at the developer to accelerate rule and policy creation.  ALFA is essentially based on the XACML nomenclature, with concepts such as policy sets, policies and rules.

OPA integration

Open Policy Agent is a widely used authorization decision engine, popular within microservices and cloud native (Kubernetes) environments, where a repeatable and lightweight solution is needed.  Axiomatics provides integration options for OPA in the form of leveraging ALFA to augment OPA Rego policy creation.

Policy Operations

Policy creation is only one aspect of the authorization lifecycle.  Policy operations, including testing and change simulation as well as access review capabilities, are also needed, and the ASM is where these functions reside.

Source: Axiomatics Policy Server Data Sheet
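To make the concepts in this and the preceding sections concrete (attribute “signals” feeding fine grained decisions, the policy set / policy / rule nomenclature shared by XACML and ALFA, a PDP answering enforcement point queries, and an access review as a policy operation), here is a small added example in Python.  It is not Axiomatics code and uses no Axiomatics API; the subjects, attribute values, policy, request format and the “mask:” obligation format are all constructed for illustration.

```python
# Added example, not Axiomatics code: a minimal attribute-based policy decision
# point (PDP) in the XACML / ALFA shape: a policy set holds policies, policies
# hold rules, each rule has a target, an effect and optional obligations, and a
# combining algorithm resolves conflicts. Subject attributes come from a
# persistent store (constructed; stands in for an LDAP / HR connector) and
# contextual signals arrive on the request itself.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]
Result = Tuple[str, List[str]]  # (effect, obligations)

# Constructed persistent attributes (hypothetical users and values).
DIRECTORY: Dict[str, Attrs] = {
    "alice": {"department": "trading", "clearance": 3, "role": "analyst"},
    "bob":   {"department": "trading", "clearance": 1, "role": "analyst"},
    "carol": {"department": "audit",   "clearance": 3, "role": "auditor"},
}

@dataclass
class Rule:
    name: str
    target: Callable[[Attrs], bool]           # rule applies when this returns True
    effect: str                                # "Permit" or "Deny"
    obligations: List[str] = field(default_factory=list)  # instructions for the PEP

@dataclass
class Policy:
    name: str
    target: Callable[[Attrs], bool]
    rules: List[Rule]

def deny_overrides(results: List[Result]) -> Result:
    """Combining algorithm: one Deny beats any Permit; nothing matched is NotApplicable."""
    for effect in ("Deny", "Permit"):
        hits = [obs for e, obs in results if e == effect]
        if hits:
            return effect, [o for obs in hits for o in obs]
    return "NotApplicable", []

def evaluate(policy: Policy, ctx: Attrs) -> Result:
    if not policy.target(ctx):
        return "NotApplicable", []
    return deny_overrides([(r.effect, r.obligations) for r in policy.rules if r.target(ctx)])

def decide(policy_set: List[Policy], request: Attrs) -> Dict[str, Any]:
    """PDP entry point: request-time signals plus trusted subject attributes, then evaluate."""
    # Directory attributes are merged LAST so a caller cannot assert its own role or clearance.
    ctx = {**request, **DIRECTORY.get(request["subject"], {})}
    decision, obligations = deny_overrides([evaluate(p, ctx) for p in policy_set])
    return {"decision": decision, "obligations": obligations}

def cleared(c: Attrs) -> bool:
    """Static attributes: same department and clearance at or above the record's classification."""
    return (c.get("department") == c.get("resource_department")
            and c.get("clearance", 0) >= c.get("resource_classification", 99))

TRADING_RECORDS = Policy(
    name="trading-records",
    target=lambda c: c.get("resource_type") == "trading_record",
    rules=[
        Rule("analyst-read",
             lambda c: cleared(c) and c.get("role") == "analyst" and c.get("action") == "read",
             "Permit", obligations=["mask:account_holder_ssn"]),
        Rule("auditor-read",
             lambda c: c.get("role") == "auditor" and c.get("action") == "read", "Permit"),
        # Contextual signals: a session risk score and the hour of the request.
        Rule("high-risk-session", lambda c: c.get("risk_score", 0) > 70, "Deny"),
        Rule("outside-business-hours", lambda c: not 8 <= c.get("hour", -1) < 18, "Deny"),
    ],
)
POLICY_SET = [TRADING_RECORDS]

def access_review(policy_set: List[Policy], subjects: List[str], resource: Attrs) -> Dict[str, str]:
    """Policy-operations check: what each subject gets for a given resource under the current policy set."""
    return {s: decide(policy_set, {"subject": s, **resource})["decision"] for s in subjects}

# Constructed request: resource attributes plus request-time signals.
RECORD = {"action": "read", "resource_type": "trading_record",
          "resource_department": "trading", "resource_classification": 2,
          "hour": 10, "risk_score": 20}

if __name__ == "__main__":
    print(decide(POLICY_SET, {"subject": "alice", **RECORD}))
    print(decide(POLICY_SET, {"subject": "alice", **RECORD, "risk_score": 90}))
    print(access_review(POLICY_SET, ["alice", "bob", "carol"], RECORD))
```

Two points worth noting for anyone building an enforcement point against a PDP of this shape: the trusted directory attributes are merged over the request so a caller cannot assert its own role or clearance, and the PEP must treat anything other than an explicit Permit (here NotApplicable for bob, whose clearance is too low) as a refusal.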

Runtime Services

The Axiomatics Access Decision Service (ADS) is effectively the policy decision point (PDP) where designed policies are evaluated.  ADS takes a cloud native, microservice based approach: it is containerized with a small footprint and exposes an OpenAPI compliant query API, allowing enforcement services of any type to query the ADS for authorization decisions.

Gateway

There are a number of integrations for existing gateways to access the ADS for the likes of Apigee and Mulesoft.

SQL Data Interceptor

Axiomatics extend the authorization landscape by providing decision and enforcement support for SQL databases.  Their SmartGuard solution provides SQL query interception and modification for the likes of the Apache Spark data analytics platform.

Source: Axiomatics Smart Guard Data Sheet

Data masking, for the likes of PII, can be applied based on the policy decision response.  Transformations can be made at the cell level within a database table.

The SQL proxy is based on the Apache HiveServer2 protocol, which is a database RPC service. 
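As an added illustration of the SQL interception described here and under Database Authorization above, the following Python example rewrites a SELECT in line with a policy decision before it reaches the database: masked columns are transformed, policy row filters are AND-ed onto the caller's WHERE clause, and anything other than a Permit blocks the query.  It is not SmartGuard code; the obligation format (“mask:<column>”, “filter:<predicate>”), the account table and its rows are constructed, and the regex parser only handles simple SELECT statements where a real interceptor would use a full SQL parser.

```python
# Added example, not Axiomatics SmartGuard code: a toy SQL interceptor that
# rewrites a SELECT according to a PDP decision before executing it. Uses an
# in-memory sqlite3 database so it runs offline.
import re
import sqlite3
from typing import Any, Dict, List

# Only SELECT <cols> FROM <table> [WHERE <pred>] is recognised (simplification).
SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)

def rewrite(sql: str, decision: Dict[str, Any], table_columns: Dict[str, List[str]]) -> str:
    """Return the SQL that honours the decision's obligations, or refuse the query."""
    if decision["decision"] != "Permit":
        # Deny, NotApplicable and Indeterminate all block the query.
        raise PermissionError(f"query blocked: decision was {decision['decision']}")
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("unsupported statement shape")
    table = m.group("table")
    cols = [c.strip() for c in m.group("cols").split(",")]
    if cols == ["*"]:
        cols = table_columns[table]  # expand so every column can be masked individually
    masks = {o[len("mask:"):] for o in decision["obligations"] if o.startswith("mask:")}
    filters = [o[len("filter:"):] for o in decision["obligations"] if o.startswith("filter:")]
    # Cell-level transformation: keep only the last four characters of a masked value.
    select_list = [f"'***-**-' || substr({c}, -4) AS {c}" if c in masks else c for c in cols]
    predicates = [f"({m.group('where')})"] if m.group("where") else []
    predicates += [f"({f})" for f in filters]  # policy filters narrow the caller's own WHERE
    rewritten = f"SELECT {', '.join(select_list)} FROM {table}"
    if predicates:
        rewritten += " WHERE " + " AND ".join(predicates)
    return rewritten

def run_query(conn: sqlite3.Connection, sql: str, decision: Dict[str, Any]) -> List[tuple]:
    """Intercept, rewrite and execute; returns only the rows and values the caller may see."""
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("unsupported statement shape")
    table = m.group("table")
    columns = [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]
    return conn.execute(rewrite(sql, decision, {table: columns})).fetchall()

def demo_connection() -> sqlite3.Connection:
    """Constructed sample data standing in for a customer account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, holder TEXT, ssn TEXT, department TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", [
        (1, "Acme Energy",  "123-45-6789", "trading", 1500.0),
        (2, "Borealis Gas", "987-65-4321", "trading", 250.0),
        (3, "Cobalt Mines", "555-12-3456", "metals",  9000.0),
    ])
    return conn

# Constructed decisions in an assumed PDP response shape.
ANALYST_DECISION = {"decision": "Permit",
                    "obligations": ["mask:ssn", "filter:department = 'trading'"]}
AUDITOR_DECISION = {"decision": "Permit", "obligations": []}
DENIED = {"decision": "Deny", "obligations": []}

if __name__ == "__main__":
    conn = demo_connection()
    print(run_query(conn, "SELECT holder, ssn FROM accounts WHERE balance > 1000", ANALYST_DECISION))
    print(run_query(conn, "SELECT * FROM accounts", ANALYST_DECISION))
    print(run_query(conn, "SELECT holder, ssn FROM accounts", AUDITOR_DECISION))
```

The filter predicates come from the policy administration point, never from the caller: a predicate supplied by the requester would simply be another injection point, which is why the interceptor appends only obligations returned by the PDP.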

Integration Points

Authorization services are in demand from a range of different stakeholders and systems within the large enterprise.  Axiomatics provide integrations for the following system types:

  • Application Layer (MuleSoft, Kong, SailPoint, Java, AD, Radiant Logic)
  • Microservices (Kong, Istio, Envoy)
  • Containers (K8s, Docker)
  • Databases (Databricks, Spark, Collibra)
  • Identity Management (LDAP, JWT, OAuth2, OIDC)

The Cyber Hut Comment

Axiomatics are a long term player in the growing authorization market.  Their market understanding and contribution to industry standards such as XACML and ALFA should not be underestimated.

Authorization functionality is growing in demand, and Axiomatics understands well the past, current and future problems many large enterprises face when it comes to policy migration, augmentation and extension into a broad range of services.

They should be considered for any large scale project, or one that requires a strong set of modelling tools and operational support.

Strengths

  • Mature and long standing contribution to the authorization space, through support for XACML and ALFA
  • Flexibility in the policy modelling and design components
  • Ability to handle complex policy sets with both contextual and static data sources
  • Cloud native approach to decision services
  • Ability to leverage OPA as an emerging enforcement technology via their centralised management console
  • Ability to deliver decision and interception services for SQL data
  • Strong set of customer case studies across a range of different sectors

Methodology

The Cyber Hut Vendor Assessments are always independent and free from vendor sponsorship.  We follow a 5 step process to create a body of knowledge that provides buyside decision makers with a tool that can assist with overcoming the information asymmetries often associated with vendor due diligence.

1 – OSINT

The first stage in the process is to leverage a range of open source intelligence data points (OSINT) to create an impartial and empirical view of the vendor, through their natural actions, talk tracks and observable data points.

We leverage free and paid for data sources to help understand the basic history and vision of the organization, as well as technical details that help to create a picture of capabilities, features and functions.  

This process takes between 2 and 4 weeks to complete and uses sources such as the following:

  • Crunchbase / Glassdoor
  • YouTube / Twitter / LinkedIn
  • Vendor Website
  • Vendor Webinars & Events
  • Vendor Whitepapers & Datasheets
  • Vendor Case Studies
  • Patent Search
  • Blogs
  • Documentation & Release Notes
  • APIs and SDKs
  • Downloads and Trials

2 – Vendor Briefings

After a basic dossier has been created, a reach out to a vendor is performed to arrange a briefing, pitch and demo and to answer any questions that may have been raised during the OSINT phase.

The briefings usually last about 60 mins and normally cover a general go to market pitch and position, followed by a secondary demonstration session by a sales engineer.  This process typically results in some further more technical questions that can be easily answered via email and existing documentation.

At this point, The Cyber Hut are in a position to start creating the first version of their Vendor Assessment.

This will take up to 2 weeks and will contain all the information gathered in the OSINT and vendor briefing stages.  Existing public case studies will also be analysed.

3 – Vendor Fact Check

Once the initial draft of the Vendor Assessment has been created, this is sent back to the vendor, to allow them to validate any technical points and “fact check” any information that has been documented.  The vendor typically responds within 14 days with any corrections and edits.

4 – Vendor Assessment Completion

After the vendor has been given the opportunity to fact check the assessment any corrections are incorporated into the final document.

At this stage, the document can be made available to buy side practitioners as a standalone artifact.  This is provided as a non-distributable PDF available in single-seat and enterprise-wide licenses.

Vendors may also purchase a redistributable version of the Vendor Assessment which they can use as marketing and pre-sales collateral for a 6 or 12 month period.

Methodology Benefits

The benefits to this approach are twofold:  firstly the vendor is not burdened with cumbersome questionnaires, normalised market requirements and time consuming templates.  The “heavy lifting” is performed by The Cyber Hut in order to provide a more empirical and evidence based assessment.

The vendor has full control over the ability to correct and fact check any written material, which validates the evidence that has been collected.

Secondly, The Cyber Hut does not place emphasis on the concept of “ranking” vendors and identifying “who is the best” in a particular segment, vertical or implementation.  

The Cyber Hut aims to produce impartial evidence based reports that help to bridge the supplier and buyer divide.

Vendor Assessments are typically re-evaluated every 12 months.

About The Cyber Hut

The Cyber Hut (previously Infosec Professional) has a 10+ year history of delivering research, analysis and insight on the global cyber security industry.

The Cyber Hut blends economic theory with deep technical understanding of information security, cyber security and the protection of critical information assets.  

We are leaders in the field of security economics, helping to provide actionable insight for buy side, sell side and technical practitioners.

We leverage open source, publicly available data signals and vendor briefings to analyse patterns at the edge of the emerging security plane. 

Our analysts are deep technical specialists, called upon by national bodies for standards advisory, are published authors, board members and senior community leaders.

The Cyber Hut is the trading name of TCH Research Ltd, registered in England & Wales, company number 13188456.  

Registered address: 7 Christie Way, Christie Fields, Manchester, UK, M21 7QY

Corrections should be sent to sales@thecyberhut.com.

About The Author

Simon Moffatt is Founder and Analyst at The Cyber Hut.  Simon provides the overall strategy and content management, analysing unique positions with many different lenses. He is a published author and contributor to identity and security standards at the likes of NIST and the IETF.  He has a 20+ year career working within the identity & access management and cyber security sectors – for vendors, system integrators and within industry.  


Education

B.Sc (hons) Economics (York, 2001)

PG.Dip Information Security (Royal Holloway, University of London, 2022)

Professional Memberships

MBCS – Member of the British Computer Society

F.CIIS – Fellow of the Chartered Institute of Information Security

Professional Qualifications

CISSP (Certified Information Systems Security Professional) – 2007 to present

CCSP (Certified Cloud Security Professional) – 2020 to present

CEH (Certified Ethical Hacker) – 2018 to present

CISA (Certified Information Systems Auditor) – 2010 to 2014
