It’s been very interesting to follow the rise of authorization management as an important segment of the identity management (IdM) market over the course of the last year. The challenge of handling authorizations across a vast array of applications is certainly not a new problem, but a number of stars have aligned recently to change the market. Namely: the maturation of the Extensible Access Control Markup Language (XACML) standard, the appearance of startup vendors such as Securent and Jericho Systems, and the pressing need for enterprises to enforce business, security, and regulatory policies consistently across applications.
Looking back at some of the events of 2006 helps to illustrate the phenomenon. Starting with Catalyst 2006 in June, the segment on authorization drew a standing-room-only audience that showed great interest in case study presentations from Disney and Qualcomm. The good folks from Disney came back to do a follow-up session during the December TeleBriefing. In the interim, we helped put on a seminar hosted by Credit Suisse in New York, where a session on authorization management turned into a lively discussion with the audience. Shekhar Jha was also in attendance and posted comments to his blog. James McGovern is also a frequent commenter on authorization in general, and XACML in particular, on his blog.
When contemplating authorization management scenarios, I’m hearing a common set of questions, such as:
• I have thousands of applications with almost uncountable resources, transactions, data elements, etc. How do I catalog all of this? How do I determine which of them are actually in play?
• How can the namespace for all the rules be managed efficiently?
• How much granularity is really needed? Isn’t this overkill?
• Won’t performance be an issue if every access decision requires processing XML?
• Is XACML expressive enough for my needs?
• Will this work for commercial off-the-shelf (COTS) applications?
• How much authorization should be externalized from applications?
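To make the externalization and expressiveness questions concrete, here is an added example (written for this page; it is not code from any of the vendors, case studies, or people mentioned above) of what a XACML 2.0 exchange between an application's policy enforcement point (PEP) and a policy decision point (PDP) looks like. The policy, the three sample requests, and the attribute identifiers urn:example:attr:role and urn:example:attr:sensitivity are constructed for the example; the namespace, match-function and combining-algorithm URIs are the standard ones. The evaluator is deliberately a small subset of XACML: only the string-equal match function, rule Targets without Conditions, and the deny-overrides and permit-overrides combining algorithms.

```python
import xml.etree.ElementTree as ET

# Namespace and identifier URIs from the XACML 2.0 specification (Clark notation for namespaces).
P = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
C = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:attr:role"              # invented for this example, not standard attributes
SENSITIVITY = "urn:example:attr:sensitivity"

# Constructed sample policy: doctors may read medical records, but any access to a record
# marked "restricted" is denied; under deny-overrides the Deny rule wins when both rules match.
POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  PolicyId="urn:example:policy:records" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="doctors-read-records" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">doctor</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XS_STRING}"/>
    </SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">medical-record</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
    </ResourceMatch></Resource></Resources>
    <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
    </ActionMatch></Action></Actions>
  </Target></Rule>
  <Rule RuleId="restricted-records-locked" Effect="Deny"><Target>
    <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">restricted</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{SENSITIVITY}" DataType="{XS_STRING}"/>
    </ResourceMatch></Resource></Resources>
  </Target></Rule>
</Policy>"""

def make_request(subject, resource, action):
    """PEP side: attribute dicts (id -> value) to a <Request>; ElementTree escapes the values."""
    req = ET.Element(f"{C}Request")
    for cat, values in (("Subject", subject), ("Resource", resource),
                        ("Action", action), ("Environment", {})):
        cat_el = ET.SubElement(req, f"{C}{cat}")
        for attr_id, value in values.items():
            attr = ET.SubElement(cat_el, f"{C}Attribute", AttributeId=attr_id, DataType=XS_STRING)
            ET.SubElement(attr, f"{C}AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")

def _match(match_el, req, category):
    """One <SubjectMatch>/<ResourceMatch>/<ActionMatch> against the request (string-equal only)."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match_el.get("MatchId"))
    literal = match_el.find(f"{P}AttributeValue").text
    wanted = match_el.find(f"{P}{category}AttributeDesignator").get("AttributeId")
    values = [v.text for cat in req.iter(f"{C}{category}")          # attributes may be multi-valued
              for a in cat.findall(f"{C}Attribute") if a.get("AttributeId") == wanted
              for v in a.findall(f"{C}AttributeValue")]
    return literal in values

def _target_matches(target, req):
    """Missing/empty Target matches all; else each category present needs one fully matching disjunct."""
    if target is None:
        return True
    for category in ("Subject", "Resource", "Action"):
        group = target.find(f"{P}{category}s")
        if group is not None and not any(
                all(_match(m, req, category) for m in d.findall(f"{P}{category}Match"))
                for d in group.findall(f"{P}{category}")):
            return False
    return True

def evaluate(policy_xml, request_xml):
    """PDP side: 'Permit', 'Deny' or 'NotApplicable' for one request under one policy."""
    policy, req = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    alg = policy.get("RuleCombiningAlgId")
    if alg not in (DENY_OVERRIDES, PERMIT_OVERRIDES):
        raise NotImplementedError(alg)
    if not _target_matches(policy.find(f"{P}Target"), req):
        return "NotApplicable"
    effects = {r.get("Effect") for r in policy.findall(f"{P}Rule")
               if _target_matches(r.find(f"{P}Target"), req)}
    for decision in (("Deny", "Permit") if alg == DENY_OVERRIDES else ("Permit", "Deny")):
        if decision in effects:
            return decision
    return "NotApplicable"

def decide(role, resource_id, sensitivity, action):
    """What an application call site reduces to once the decision is externalised to the PDP."""
    req = make_request({ROLE: role}, {RESOURCE_ID: resource_id, SENSITIVITY: sensitivity},
                       {ACTION_ID: action})
    return evaluate(POLICY, req)

if __name__ == "__main__":
    for who, sens in (("doctor", "normal"), ("nurse", "normal"), ("doctor", "restricted")):
        print(who, sens, "->", decide(who, "medical-record", sens, "read"))  # Permit, NotApplicable, Deny
```

The third request is the instructive one: both rules match, and the outcome depends entirely on the combining algorithm declared on the policy, which is the kind of thing that gets lost when the same logic is hand-coded in each application. The request builder uses ElementTree rather than string concatenation so that attacker-supplied attribute values cannot inject extra elements into the request context. A real PDP also handles Conditions (where most of XACML's expressiveness lives), policy sets, obligations, Indeterminate results and attribute retrieval, which is where the performance question above becomes concrete.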
These are good questions, and they help cool the hype around this technology a bit. Early adopters are at least comfortable enough to move forward, but many skeptics remain on the sidelines, waiting for more field experience to draw on. Where do you stand? Are there other questions that come to mind?
[posted by Gerry Gebel]