Keeping track of authorization management
It’s been very interesting to follow the ascension of authorization management as an important segment of the IdM market over the course of the last year. The challenge of handling authorizations across a vast array of applications is not a new problem, certainly – but a number of stars have aligned to alter the market recently. Namely, there is the maturation of the Extensible Access Control Markup Language (XACML) standard, the appearance of startup vendors like Securent and Jericho Systems, and the pressing need by enterprises to enforce business, security, and regulatory policies across applications.
Looking back at some of the events of 2006 helps to illustrate the phenomenon. Starting with Catalyst 2006 in June, the segment on authorization featured a standing-room-only (SRO) audience that showed great interest in case study presentations from Disney and Qualcomm. The good folks from Disney came back to do a follow-up session during the December TeleBriefing. In the interim, we helped to put on a seminar hosted at Credit Suisse in New York where a session on authorization management turned into a lively discussion with the audience. Shekhar Jha was also in attendance and posted comments to his blog. James McGovern is also a frequent commenter on authorization in general and XACML in particular on his blog.
When contemplating authorization management scenarios, I’m hearing a common set of questions, such as:
• I have thousands of applications with almost uncountable resources, transactions, data elements, etc. How do I catalog all of this? How do I determine which are in play?
• How can the namespace for all the rules be managed efficiently?
• How much granularity is really needed? Isn’t this overkill?
• Won’t performance be an issue if I have to process all this XML data?
• Is XACML expressive enough for my needs?
• Will this work for COTS applications?
• How much authorization should be externalized from applications?
These are great questions and help to cool the hype around this technology a bit. Early adopters are at least comfortable enough to move forward, but many skeptics remain on the sidelines waiting for more field experience to draw from. Where do you stand? Are there other questions that come to mind?
[posted by Gerry Gebel]
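Two of the questions above, whether XACML is expressive enough and how much authorization should be externalized from applications, are easier to weigh with a concrete policy in hand. The following is an added illustration, not code from the original post or from any vendor it mentions: a constructed XACML 2.0 policy (real namespace, element names and function/combining-algorithm identifiers from the standard) evaluated by a deliberately small policy decision point that supports only the `string-equal` match function and the `first-applicable` rule-combining algorithm. The attribute name `role`, the resource and action values, and the `approve_expense` enforcement point are assumptions made for the example; a real PDP would handle conditions, obligations, the other combining algorithms and the full attribute-designator vocabulary.

```python
"""Minimal XACML 2.0 subset: a policy decision point (PDP) that an application's
policy enforcement point (PEP) calls instead of hard-coding authorization checks.
Added illustration; the policy and attribute names are constructed for this example."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed sample policy: managers may approve expense reports; any other
# request falls through to an explicit deny rule (first-applicable combining).
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="expense-policy" RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Target/>
  <Rule RuleId="manager-may-approve" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">manager</AttributeValue>
          <SubjectAttributeDesignator AttributeId="role" DataType="{XS_STRING}"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Resources><Resource>
        <ResourceMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">expense-report</AttributeValue>
          <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
        </ResourceMatch>
      </Resource></Resources>
      <Actions><Action>
        <ActionMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">approve</AttributeValue>
          <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>
"""

# (container element, per-item element, match element, request category key)
CATEGORIES = (
    ("Subjects", "Subject", "SubjectMatch", "subject"),
    ("Resources", "Resource", "ResourceMatch", "resource"),
    ("Actions", "Action", "ActionMatch", "action"),
)


def _match(match_el, attrs):
    """Evaluate one *Match element: compare its literal AttributeValue with the
    request attribute named by the designator (string-equal only here)."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId: " + str(match_el.get("MatchId")))
    literal = match_el.find("x:AttributeValue", NS).text
    designator = next(c for c in match_el if c.tag.endswith("AttributeDesignator"))
    return attrs.get(designator.get("AttributeId")) == literal


def _target_matches(target, request):
    """A Target matches when every category it lists (Subjects, Resources, Actions)
    has at least one item whose Match elements all succeed. A missing Target or a
    missing category matches any request, as in the standard."""
    if target is None:
        return True
    for container, item, match, category in CATEGORIES:
        cont_el = target.find(f"x:{container}", NS)
        if cont_el is None:
            continue
        attrs = request.get(category, {})
        items = cont_el.findall(f"x:{item}", NS)
        if not any(all(_match(m, attrs) for m in it.findall(f"x:{match}", NS)) for it in items):
            return False
    return True


def evaluate(policy_xml, request):
    """PDP: return 'Permit', 'Deny' or 'NotApplicable' for a request of the form
    {'subject': {...}, 'resource': {...}, 'action': {...}}."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        raise ValueError("only first-applicable combining is implemented here")
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        if _target_matches(rule.find("x:Target", NS), request):
            return rule.get("Effect")
    return "NotApplicable"


def approve_expense(subject_attrs, policy_xml=POLICY_XML):
    """PEP inside the application: the decision is externalized to the PDP and the
    application only enforces it, failing closed on anything but Permit."""
    decision = evaluate(policy_xml, {
        "subject": subject_attrs,
        "resource": {RESOURCE_ID: "expense-report"},
        "action": {ACTION_ID: "approve"},
    })
    return decision == "Permit"


if __name__ == "__main__":
    print(approve_expense({"role": "manager"}))  # True
    print(approve_expense({"role": "clerk"}))    # False
```

The application code never mentions roles or resources; changing who may approve means editing the policy, not the application, which is the externalization the last question asks about. The explicit `default-deny` rule at the end of a `first-applicable` policy is what makes an unmatched request fail closed rather than return `NotApplicable`, and it is a good habit regardless of how granular the rules above it become.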
I'd briefly like to comment on the questions list. I think what you are referring to is the fact that authorization management does not really provide that much value if the full complexity of all access rules across the IT environment is simply aggregated into one place. There are numerous vendors in this space, and I believe this is where XACML may eventually provide vendor interoperability.
The more interesting question is how to actually manage these policies. Neither XACML nor "normal" authorization management solutions provide any support for actually reducing the complexity. This topic is called "Model Driven Security" (www.modeldrivensecurity.org, www.modeldrivensecurity.com). Gartner has put this topic onto the hype cycle.
We are currently the only real vendor in this space with our OpenPMF 2.0 technology (www.openpmf.com). It uses the concepts of Model Driven Architecture to actually allow you to generate the rules that go into authorization management systems (e.g. XACML).
This may clarify things somewhat.
Dr. Ulrich Lang
CEO ObjectSecurity
www.objectsecurity.com
Posted by: Ulrich Lang, CEO ObjectSecurity | April 13, 2008 at 07:57 AM