XACML: A still-emerging standard worth watching
This standard has the potential to help simplify the issues of who should have access to which IT resources and what they should be able to do with that access.
We work in an industry with its own language--acronyms.
A lot of them come and go or are so esoteric that few people in industry even know about them. I'm hopeful that a standard I'm tracking won't fall into one of these buckets. It is called the Extensible Access Control Markup Language (XACML, pronounced zack-mil). This markup language was first ratified by OASIS in 2003. XACML 3.0 is currently in the works.
What's so special about XACML? This standard has the potential to help simplify the mess around two questions:
Who should have access to which IT resources?
What should users be able to do once they are provided access?
The first question is generally answered through authentication technologies, ranging from user name and password to stronger authentication technologies such as biometrics, PKI, smart cards, and tokens. The industry is pretty good at this stuff.
The second question is far more dicey. This category is called authorization, entitlement management, or fine-grained access control. Typically, entitlement policies are written into each application and aren't very good. Changing entitlements usually means writing new code, which is never an expeditious way to solve dynamic problems.
This is where XACML comes in. Rather than write access control policies into each application, XACML may enable some type of federated entitlement management where policies are "negotiated" based upon user roles and environmental factors such as time-of-day, physical location of the user, etc. Ultimately, XACML could also turn entitlement management from an application-by-application slog to a standalone service that acts as an entitlement middleman between people and applications on a transaction-by-transaction level. This could improve security, regulatory compliance, and software development efficiency.
Will XACML fulfill this potential? I hope so. Software vendors have been dragging their feet, but that is likely to change now that Oracle acquired XACML supporter BEA. Cisco Systems'doesn't hurt either.
In a SOA/Web 2.0, world we need a new identity model that can match the flexibility, customization, and dynamic nature of user behavior, device proliferation, and applications. Let's hope that the industry recognizes this need and agrees to address current shortcomings with standards like XACML rather than a slew of proprietary alternatives that will hold things back for two or three years.