XACML will help enterprises in three areas



On February 18, 2003, the Organization for the Advancement of Structured Information Standards (OASIS) announced that it has approved XACML as an Open Standard. XACML is a common description language for access control policies.

First Take

XACML provides a necessary component for complex, interactive Web services, enterprise-wide security management and DRM. Using XACML, an enterprise can define platform-independent rules for how its resources are used by those inside and outside the enterprise. Enterprises can work together without having to align their computing platforms (whether based on Java, .Net or another technology); they just have to align their access policies. By allowing each to examine the access control policies of the other, XACML can foster a certain level of trust between enterprises even without prior contact. This capability will spur enterprises to develop business models involving the deployment of general Web services across the firewall to new business partners. XACML provides another Web services security building block, along with Security Assertion Markup Language (SAML), XML Key Management Specification and Web Services Security (WS-Security).

As a less recognized but likely more valuable use, the platform independence of XACML will allow an enterprise with a heterogeneous computing environment to define access control policies centrally for implementation on each platform in that platform’s format rather than managing policy for each manually. XACML can thus provide a security oversight framework on which enterprises can create strong security management and monitoring tools. XACML will likely boost the development of centralized security and system monitoring mechanisms, including network security platforms.

XACML will support DRM by defining how individuals, automated agents or enterprises can use intellectual property. XACML’s platform independence can bridge the proprietary technologies used in today’s DRM systems and will therefore foster the evolution of standard approaches to DRM. XACML faces at least one major roadblock – the Extensible Rights Markup Language (XRML) initiative spearheaded by Microsoft and ContentGuard (it’s also an OASIS working group). XRML has some overlaps with XACML, but Gartner believes that, in the near term, the two will integrate or at least interoperate as XACML enjoys a level of industry support near that of SAML.

In all three areas, XACML can ease the integration of disparate technologies. Enterprises should look for platform access control mechanisms and centralized policy management tools compatible with XACML by 2H04. Enterprises extending their trusted environment by deploying Web services beyond the firewall should require XACML-, SAML- and WS-Security-compatible platforms by 1H04. DRM systems using XACML (or compatible XRML) and Web services will also begin to appear by 1H04.

Analytical Source: Ray Wagner, Gartner Research

Recommended Reading and Related Research

“Web Services Security in 2003” – Enterprises should take a cautious approach to Web services deployment across the enterprise perimeter in 2003. By Ray Wagner

“SAML Approval Brings Secure Web Services a Step Closer” – The newly approved SAML standard will play a central role in Web services deployments because it supports complex workflow and new business models. By Ray Wagner and John Pescatore

(You may need to sign in or be a Gartner client to access all of this content.)

Entire contents