Tuesday, August 4, 2009

Kuppinger-Cole: Finally, An Open XACML API

Felix Gaehtgens of Kuppinger-Cole writes about his conversation with Prateek Mishra of Oracle, who indicated that Cisco and Oracle have posted a new XACML API to the OASIS XACML TC.
It was a “soft launch” that was announced at the Kantara meetings on Monday at Burton Catalyst (which very unfortunately, I missed). When Prateek mentioned it to me, it stopped me dead in my tracks, because I find it really significant news – a very important step towards flexible access control policy based on XACML.
Felix's article gives a great example of why Attribute Based Access Control (ABAC) is going to be the next generation of access control and why it will ultimately replace Role Based Access Control (RBAC).

In my opinion, this will be a space to watch closely. RBAC has always been a lot like physical building security guards. They are very good at protecting the building entrances and exits; but when it comes to determining who should be able to go where inside the building, or who should be able to interact with whom, the building guard model quickly reaches its limits. It is easy to see that one of the enforcement points in security architecture has to be within applications themselves. ABAC and the open XACML API will make this possible.
