
January 20, 2007

Keeping track of authorization management

It’s been very interesting to follow the ascension of authorization management as an important segment of the IdM market over the course of the last year. The challenge of handling authorizations across a vast array of applications is not a new problem, certainly – but a number of stars have aligned to alter the market recently. Namely, there is the maturation of the Extensible Access Control Markup Language (XACML) standard, the appearance of startup vendors like Securent and Jericho Systems, and the pressing need by enterprises to enforce business, security, and regulatory policies across applications.

Looking back at some of the events of 2006 helps to illustrate the phenomenon. Starting with Catalyst 2006 in June, the segment on authorization drew a standing-room-only (SRO) audience that showed great interest in case study presentations from Disney and Qualcomm. The good folks from Disney came back to do a follow-up session during the December TeleBriefing. In the interim, we helped to put on a seminar hosted at Credit Suisse in New York where a session on authorization management turned into a lively discussion with the audience. Shekhar Jha was also in attendance and posted comments to his blog. James McGovern is also a frequent commenter on authorization in general and XACML in particular on his blog.

When contemplating authorization management scenarios, I’m hearing a common set of questions, such as:

• I have thousands of applications with almost uncountable resources, transactions, data elements, etc. How do I catalog all of this? How do I determine which are in play?
• How can the namespace for all the rules be managed efficiently?
• How much granularity is really needed? Isn’t this overkill?
• Won’t performance be an issue if I have to process all this XML data?
• Is XACML expressive enough for my needs?
• Will this work for COTS applications?
• How much authorization should be externalized from applications?

These are great questions and help to cool the hype around this technology a bit. Early adopters are at least comfortable enough to move forward, but many skeptics remain on the sidelines waiting for more field experience to draw from. Where do you stand? Are there other questions that come to mind?
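To make the granularity and externalization questions above concrete, here is an added example (not from the original post, and not Burton Group or any vendor's code) of the split XACML assumes: the application holds only a policy enforcement point (PEP) that assembles subject, resource and action attributes into a request, and a separate policy decision point (PDP) evaluates rules and a combining algorithm against it. The policy is in-memory Python data rather than XACML XML, the attribute names, rules and sample requests are constructed for the example, and the deny-overrides algorithm is a simplified version of the XACML one. It also shows the case a practitioner cares about: a rule that references an attribute the request does not carry evaluates to Indeterminate rather than silently to "no match", and the PEP fails closed on anything other than an explicit Permit.

```python
"""Toy XACML-style policy decision point (PDP).

Constructed for illustration only: it is not a real XACML engine and
evaluates an in-memory policy rather than XACML XML. The attribute names,
rules and sample requests are made up for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attributes = Dict[str, str]
# A request is attributes grouped by category, as in XACML:
# {"subject": {...}, "resource": {...}, "action": {...}}
Request = Dict[str, Attributes]

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"


class MissingAttribute(Exception):
    """A rule referenced an attribute the request does not carry."""


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # PERMIT or DENY
    # Target: category -> attribute values that must all match for the rule to apply.
    target: Dict[str, Attributes] = field(default_factory=dict)
    # Optional condition over the whole request (e.g. compare two attributes).
    condition: Optional[Callable[[Request], bool]] = None


def attribute(request: Request, category: str, name: str) -> str:
    try:
        return request[category][name]
    except KeyError:
        raise MissingAttribute(f"{category}:{name}") from None


def evaluate_rule(rule: Rule, request: Request) -> str:
    """Permit/Deny if the rule applies, NotApplicable if its target or
    condition does not match, Indeterminate if an attribute was missing."""
    try:
        for category, wanted in rule.target.items():
            for name, value in wanted.items():
                if attribute(request, category, name) != value:
                    return NOT_APPLICABLE
        if rule.condition is not None and not rule.condition(request):
            return NOT_APPLICABLE
        return rule.effect
    except MissingAttribute:
        return INDETERMINATE


def deny_overrides(rules: List[Rule], request: Request) -> str:
    """Simplified deny-overrides combining: one Deny wins outright; an
    Indeterminate then outranks any Permit, so an evaluation error can never
    turn into a Permit."""
    results = [evaluate_rule(r, request) for r in rules]
    if DENY in results:
        return DENY
    if INDETERMINATE in results:
        return INDETERMINATE
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


# Constructed sample policy (hypothetical HR scenario).
POLICY: List[Rule] = [
    Rule("deny-terminated-staff", DENY,
         target={"subject": {"status": "terminated"}}),
    Rule("hr-reads-own-department", PERMIT,
         target={"subject": {"role": "hr"}, "action": {"id": "read"}},
         condition=lambda req: attribute(req, "subject", "department")
                                == attribute(req, "resource", "department")),
]


def decide(request: Request) -> str:
    """The PDP entry point the application reaches through its PEP."""
    return deny_overrides(POLICY, request)


def pep_is_permitted(request: Request) -> bool:
    """Policy enforcement point: only an explicit Permit opens the gate;
    NotApplicable and Indeterminate fail closed."""
    return decide(request) == PERMIT


def make_request(role: str, department: str, status: Optional[str],
                 action: str, resource_department: str) -> Request:
    """Build a sample request; status=None simulates an attribute the
    identity store failed to supply."""
    subject: Attributes = {"role": role, "department": department}
    if status is not None:
        subject["status"] = status
    return {"subject": subject,
            "action": {"id": action},
            "resource": {"type": "payroll-record", "department": resource_department}}


if __name__ == "__main__":
    cases = {
        "own department": make_request("hr", "finance", "active", "read", "finance"),
        "other department": make_request("hr", "finance", "active", "read", "engineering"),
        "terminated user": make_request("hr", "finance", "terminated", "read", "finance"),
        "status missing": make_request("hr", "finance", None, "read", "finance"),
    }
    for label, req in cases.items():
        print(f"{label:18} -> {decide(req):14} permitted={pep_is_permitted(req)}")
```

The point of the four sample requests is that the application code never inspects roles or departments itself; granularity lives entirely in the rules and the attributes the PEP supplies, which is what makes the catalog and namespace questions above matter. The "status missing" case is the one to watch in a real deployment: a PEP that maps Indeterminate to "allow" turns an attribute-source outage into an authorization bypass.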

[posted by Gerry Gebel]

TrackBack


Listed below are links to weblogs that reference Keeping track of authorization management:

» Authorization Management from Thought Leadership
I wonder if Pat Patterson, Doc Searls, Mark Dixon, Dick Hardt and Gunnar Peterson have read the wonderful blog posting on Authorization Management by noted industry analyst Gerry Gebel of the Burton Group? [Read More]

» I'll Take Transactions in Distributed Systems for $200, Alex from 1 Raindrop
A single transaction in a standard enterprise architecture traverses multiple policy domains, namespaces, and technologies. Part of the problem to be solved by the security architecture is how to deal with authentication and authorization. At a high le... [Read More]

» Authorisation Management from pingudownunder.com
A question posed by Gerry Gebel at the Burton Group around the difficulties of implementing authorisation management solutions. I'm not sure if the use of external authorisation solutions (the Access Manager products) is the... [Read More]

Comments

I'd briefly like to comment on the questions list. I think what you are referring to is the fact that authorization management does not really provide that much value if the full complexity of all access rules across the IT environment is simply aggregated into one place. There are numerous vendors in this space, and I believe this is where XACML may eventually provide vendor interoperability.

The more interesting question is how to actually manage these policies. Neither XACML nor "normal" authorization management solutions provide any support for actually reducing the complexity. This topic is called "Model Driven Security" (www.modeldrivensecurity.org, www.modeldrivensecurity.com). Gartner has put this topic onto the hype cycle.
We are currently the only real vendor in this space with our OpenPMF 2.0 technology (www.openpmf.com). It uses the concepts of Model Driven Architecture to actually allow you to generate the rules that go into authorization management systems (e.g. XACML).
This may clarify things somewhat.

Dr. Ulrich Lang
CEO ObjectSecurity
www.objectsecurity.com
