Companies Demonstrate Interoperability of XACML OASIS Standard
Eight Companies Demonstrate Interoperability of XACML OASIS Standard at Catalyst Conference
BEA Systems, CA, IBM, Jericho Systems, Oracle, Red Hat, Securent and Others Showcase Access Control Standard in a Web Server Environment
San Francisco, CA, USA. June 28, 2007.
At Burton Group's Catalyst Conference today, eight companies will join together for the first time to demonstrate interoperability of the eXtensible Access Control Markup Language (XACML) 2.0 OASIS Standard. An extremely flexible language for expressing access control, XACML is particularly designed to support large-scale environments where resources are distributed and policy administration is federated. XACML 2.0 is also ITU/T Recommendation X.1142.
"Access control is a requirement of almost every application," said Dan Blum, senior vice president and research director of the Burton Group. "XACML goes beyond simply denying or granting information access, it defines the mechanism for creating the rules and policy sets that enable meaningful authorization decisions."
The Catalyst demonstration will include two scenarios. In the first, different implementations exchange XACML policies that control access for a variety of Web server addresses. This demonstrates the ability of different implementations to understand the language defined by XACML.
In the second scenario, authorization decisions are enforced by applications based on interaction with an external policy decision point. Both the application and the policy decision point can be independently implemented, and communication between them will use the XACML Security Assertion Markup Language (SAML) Authorization Decision Request Protocol. This shows how components such as services, applications and containers are able to defer to a centrally managed authorization service when making authorization decisions.
"XACML attributes are extensible, so that information specific to particular industry segments or verticals can be encoded in policy rules and communicated to and from applications," explained Hal Lockhart of BEA Systems, co-chair of the OASIS XACML Technical Committee. "XACML also recognizes that attribute values may originate at the point of enforcement or from databases found elsewhere and supports flexible deployment architectures."
Support for XACML
"The XACML OASIS InterOp demo illustrates that BEA AquaLogic Enterprise Security is designed to support the latest version of the XACML standard required by today's enterprises to manage and enforce access control policy across a diverse SOA ecosystem in a simple and flexible way," said Geoff Charron, VP & Unit Executive.
"CA supports the industry's collaborative efforts to create interoperability standards that facilitate implementation of secure access control policies across federated, multi-enterprise, multi-vendor infrastructure. We will continue to support XACML in our Identity and Access Management solutions so that our customers can take full advantage of this interoperability," said Andy Rappaport, architect for identity and access management, CA.
"This InterOp session comes at a time when our customers are seeing a significant missing link with XACML and interoperability. OASIS is taking an excellent step in the right direction by assembling this industry leader group to help promote interoperability between the various vendors that support XACML," said Anthony Nadalin, IBM Distinguished Engineer and chief security architect for IBM Tivoli Software.
"Jericho Systems is incredibly excited about the group of eight vendors that have come together to advance the state of the privilege management and entitlement management segment of the security industry. We believe the XACML InterOp will positively demonstrate the power of open standards based-interfaces and lead towards more vendors supporting XACML-enabled policy enforcement points (PEPs) for externalized security decisioning," said Brendon Unland, President & Founder of Jericho Systems.
"Access control is a complex space in comparison to authentication. Enterprise customers and software products have made attempts at solving authorization use cases via proprietary access control lists or such mechanisms. Role Based Access Control (RBAC) has proven insufficient in many cases. XACML is an industry standards effort at bringing sanity to the growing needs of access control. XACML provides mechanisms to define policies and make decisions based on a combination of subject (user in the simple case), resources (that need access control), actions and optionally environmental factors like date-time etc. Adopters of XACML are free to provide custom attributes that can affect the final access control decision. Interoperability events for XACML will aid in providing confidence in implementations to adopters," said Anil Saldhana, Project/Technical Lead, JBoss Security and Identity Management, Red Hat Inc.
"XACML 2.0 provides a sophisticated model for authorization that can represent complex policies required by enterprise-scale applications and administrators. Through Oracle's support of XACML and participation in the OASIS InterOp event, our customers gain a real-world example of how the power of the XACML authorization model can enable the benefits of reduced costs and improved manageability," said Prateek Mishra, director, Security Standards, Oracle.
"Securent was founded for the purpose of providing fine-grained access control for distributed enterprise applications and data. We were one of the earliest adopters of XACML, and have leveraged it in Securent's Entitlement Management Solution to demonstrate real-world applicability of XACML in addressing access control needs at the application and data levels at some of the largest enterprises in the world. The traction the standard is getting, including all of the new-found interest and interoperability work, is clear validation of our strategic decision to build our entitlement management product around the powerful XACML standard," said Rajiv Gupta, Securent CEO.
XACML 2.0 OASIS Standard
OASIS XACML Technical Committee
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. The consortium produces open standards for Web services, security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 5,000 participants representing over 600 organizations and individual members in 100 countries.
Prepared by Robin Cover for The XML Cover Pages archive. See also: (1) XACML Interoperability Demonstration (details); (2) the announcement "Symlabs Federated Identity Suite Demonstrates XACML Interoperability." General references in "Extensible Access Control Markup Language (XACML)."