It's not often that security personnel -- or technology folks of any sort, for that matter -- gush. That's the case, though, in this RiskBloggers' post by Securent advisory board member Jim Reavis about the eXtensible Access Control Markup Language (XACML).
XACML, which was approved by an international standards consortium called the Organization for the Advancement of Structured Information Standards (OASIS) more than four years ago, provides a standard framework for expressing and enforcing access control in Web and other applications. XACML is a way to share vital information related to access control. So, for instance, the policies governing access to a particular database or application can be read and understood by the program trying to gain access to that data.
Explanations of XACML get pretty complex pretty quickly. In these cases we take our cues from the experts, and Reavis is excited about XACML:
To me, it is not a question of if you will implement XACML, but when. What will be the project, regulation, compatibility issue, partner mandate or other tipping point that will get your organization on the XACML bandwagon? When you have implemented it once, the dividends you will receive by creating entitlements for follow-on applications will be tremendous.
Perhaps Reavis' post was timed to coincide with what appears to have been a big day in the life of XACML. At the Burton Catalyst Conference late last month in San Francisco, eight companies -- BEA, IBM, JBoss/Red Hat, Oracle, CA, Jericho Systems, SymLabs and Securent -- demonstrated cross-vendor XACML interoperability, according to this InfoQ story. XACML in general and the demo in particular are described in this podcast produced by Burton Group.
It's possible, though a bit difficult, for a layperson to appreciate the importance of such initiatives without understanding the underlying technology. A tremendous amount of vital data is housed on the Web. Simultaneously, companies increasingly need to cooperate and confederate across site boundaries. The challenge is enforcing security and oversight in such a diffuse environment.
XACML could be a way to do this. It is related to the eXtensible Markup Language (XML), as the name implies. At its highest level, XML is a way of organizing data on the Web by tagging it to make it usable by other Web-based applications. XACML does the same thing for security information and does so, apparently, in a very powerful manner.
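To make concrete what a machine-readable access policy looks like, here is an added example that is not from this article, from Reavis' post or from any of the vendors named: a constructed XACML 2.0 policy that lets subjects whose constructed attribute `urn:example:role` equals `doctor` read the resource `patient-record`, plus a minimal Python evaluator that decides a request against it the way a policy decision point would, using first-applicable rule combining. Only the string-equal match function is implemented; the request is a plain dict of attribute id to value.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample policy: doctors may read patient records; everything else is denied.
POLICY = f"""<Policy xmlns="{NS}" PolicyId="urn:example:policy:records"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="doctor-read" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="{XS}">doctor</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:example:role" DataType="{XS}"/>
      </SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="{XS}">patient-record</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="{XS}"/>
      </ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="{XS}">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{XS}"/>
      </ActionMatch></Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>"""

def _match_element(match, request):
    # One *Match: the literal AttributeValue must equal the request attribute named by the designator.
    value = match.find(f"{{{NS}}}AttributeValue").text
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    return request.get(designator.get("AttributeId")) == value

def _target_matches(target, request):
    # For every category present (Subjects/Resources/Actions), some alternative must satisfy all its matches.
    if target is None:
        return True  # a Rule without a Target applies to every request
    for category in target:
        if not any(all(_match_element(m, request) for m in alt) for alt in category):
            return False
    return True

def evaluate(policy_xml, request):
    # Minimal PDP: first-applicable combining, so the first Rule whose Target matches decides.
    policy = ET.fromstring(policy_xml)
    for rule in policy.findall(f"{{{NS}}}Rule"):
        if _target_matches(rule.find(f"{{{NS}}}Target"), request):
            return rule.get("Effect")
    return "NotApplicable"
```

Calling `evaluate(POLICY, request)` with a request dict keyed by the three attribute ids above returns `Permit` for a doctor reading a patient record and `Deny` for any other role, resource or action, because the catch-all Deny rule is reached.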