
Sun Labs at RSA 2004 Conference
XACML 1.0 Implementation Extends "Boundaries of Trust" for e-business
XACML

OASIS Ratifies Open Standard for Access Control

e-Business Gets a Syntax It Can Trust

Getting Started With XACML

There are three reasons why XACML may emerge as the single standard language protecting content from unauthorized use in enterprise data exchange. The first is that XACML is designed around, and written in, XML, which enjoys a wide and expanding base in global enterprise environments. The second is OASIS ratification of XACML. The third is the set of powerful features XACML places at your disposal. XACML allows a firm to create and deploy authorization policies to match its mix of assets and business-use cases, then plug in additional policies as business and standards evolve.

If you want to find out first hand what XACML is all about, Sun Microsystems Laboratories' open-sourced XACML implementation is the place to go. "We are encouraging other people to join the team," says Seth Proctor, who leads the implementation team.

http://sunxacml.sourceforge.net/ is your first stop. "For now it has everything that you need to get started," says Seth. From there you can link to the OASIS technical committee URL to learn more about the XACML standard itself. Then you can download the code and the XACML Implementation Programmer's Guide, which explains what the implementation is and how to use its APIs to write authorization policies.

The site contains links to open source licensing information as well as to an overview of the process and a task list.

Trust. It remains as crucial to the e-businesses of the 21st century as it was to the paper-based workplaces of the last century. And it poses an intriguing problem for today's supply chains and federated networks.

How does automated enterprise software "know" whether to trust requests for protected information, merchandise, or credit?

"It's about working safely across boundaries of trust," says Seth Proctor, a researcher at Sun Microsystems Laboratories in the Internet Security Research Group. In June 2002, Seth and his colleagues dedicated themselves to a special project: creating a syntax of trust -- one powerful enough to protect the most sensitive government documents, yet generic enough to interoperate across changing commercial environments.

Seth, along with co-developers Steve Hanna, Yassir Elley, Anne Anderson, and intern Marco Barreno, set to work on XACML, then an emerging standard being developed by an OASIS technical committee.

Their timing was impeccable.

Less than a year later, on February 18, 2003, the XACML standard received the highest possible ratification by OASIS after passing an industry-wide peer review and meeting rigorous compliance benchmarks. The standard was hailed by OASIS XACML technical committee co-chair Carlisle Adams of Entrust. He called XACML "a key component in an authorization infrastructure that can span web services, J2SE(TM), and other e-business environments."

That same day, Seth and his colleagues open sourced their implementation of XACML to the developer community. Sun's XACML 1.0 implementation allows business and government organizations to actually use the new standard to create, deploy, and enforce policies that control access to trusted assets as well as to provide information about them.

Seth is quick to point out that XACML is only one of several irons his group has in the fire. "The group came together about 5 years ago to look at Internet-scale security problems," says Seth, who has been with the group throughout most of its existence. "We spend equal time working on concrete projects like our XACML implementation, working on evolving standards, and consulting on protocol design and system architecture." But, Seth concedes, the group's XACML 1.0 release "was a huge milestone for us."

Milestone in Secure Access

The impact of that milestone can be gauged by the importance of XACML to the immense and still growing base of XML in enterprise environments. XML has very quickly become the lingua franca of enterprise data exchange. Its success owes much to XML's inherent strength as a simple way to integrate data. It offers an extensible syntax for sharing documents by using tags and attributes to characterize content, and to enable powerful search and storage capabilities.

XML's power and simplicity are cited time and again in research surveys as the leading reasons driving adoption of XML among corporations. But the drive to integrate and automate business-to-business and intranet-based enterprise systems behind XML has often stalled behind two roadblocks: proprietary XML implementations and security issues. Providing a measure of relief from this congestion is the ratification by OASIS of the XACML open standard.

Calling All Policies

Sun's XACML 1.0 implementation is a set of Java(TM) classes that read, write, and process the XACML language. This allows developers to exploit the rich attribute management techniques that have made XML so popular. Developers use XACML APIs to process two related languages: a policy language that defines access control and a request/response language in which queries and decisions are conveyed.

A deployed XACML access control system works something like this: A person (or a machine) seeks access to sensitive data. Access to the data is controlled by something called a Policy Enforcement Point. It creates a request (using the XACML request/response language) and sends it to a Policy Decision Point. This entity scans the request, fetches and interprets any and all policies that are relevant to it, and returns a response for enforcement. Access is granted or denied based on XACML rules written into the policies.

XACML comes with a formidable set of data types and functions, but it is unique in its support of rules that govern how to handle policies whose rules compete or overlap. This technique is known as combining. XACML comes with many standard algorithms that support combining, and developers can define their own as needed. A powerful, related capability enables XACML-based access control systems to resolve policies that refer to other policies. This makes XACML especially well-suited to globalized enterprise structures. For example, one firm's supply chain may have a country policy for domestic transactions. The country policy can refer -- and defer -- to an international policy when data types embedded in a request indicate an international transaction. This sort of extensibility matches the increasingly federated distribution of corporate assets in today's far-flung marketplace.
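As an added illustration (not code from Sun's implementation or its API), a small Python policy decision point that models the PEP-to-PDP exchange described above and the combining behaviour described here: a first-applicable policy set lets a domestic country policy defer to an international one, and deny-overrides settles competing rules inside each. The attribute ids and sample policies are constructed for this example and are not real XACML identifiers.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, str]             # attribute id -> value, e.g. {"subject:role": "partner"}
Matcher = Callable[[Request], bool]

# Combining algorithms: how a policy resolves children whose decisions compete or overlap.
def deny_overrides(decisions: List[str]) -> str:
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

def first_applicable(decisions: List[str]) -> str:
    # The first child that reaches a decision wins, so an earlier policy can defer to a later one.
    return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)

@dataclass
class Rule:
    effect: str                      # PERMIT or DENY
    target: Matcher                  # does the rule apply to this request at all?
    condition: Matcher = lambda r: True
    def evaluate(self, req: Request) -> str:
        return self.effect if self.target(req) and self.condition(req) else NOT_APPLICABLE

@dataclass
class Policy:
    """A Policy (children are Rules) or a PolicySet (children are Policies)."""
    target: Matcher
    combine: Callable[[List[str]], str]
    children: List[Union[Rule, "Policy"]]
    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return self.combine([c.evaluate(req) for c in self.children])

# Constructed sample: a country policy for domestic transactions that defers to an international
# policy for everything else. Attribute ids here are hypothetical, not real XACML identifiers.
EXPORT = lambda r: r.get("resource:class") == "export-controlled"
domestic = Policy(lambda r: r.get("environment:country") == "US", deny_overrides,
                  [Rule(PERMIT, lambda r: r.get("action") == "read"), Rule(DENY, EXPORT)])
international = Policy(lambda r: True, deny_overrides,
                       [Rule(PERMIT, lambda r: r.get("subject:role") == "partner",
                             condition=lambda r: r.get("action") == "read"), Rule(DENY, EXPORT)])
pdp = Policy(lambda r: True, first_applicable, [domestic, international])

def decide(req: Request) -> str:
    """What the PEP gets back from the PDP for one request."""
    return pdp.evaluate(req)
```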

XACML looks to replace the patchwork of proprietary access control languages that run against the spirit and syntax of XML-based data exchange. "XACML is a generic access control system, and as such can be used with pretty much any system," says Seth. Not only is Sun's XACML Implementation written in the Java programming language, "which means that it can run on almost any platform," says Seth, "it has a flexible plugin system so you can write custom extensions as the XACML specification allows."

"Our XACML implementation supports the entire OASIS standard and passes all of the conformance tests, which means that it should work with future implementations without any trouble."
-- Seth Proctor, member of technical staff, Sun Microsystems Laboratories.

In fact, plans are underway to integrate the Sun XACML implementation with several other emerging OASIS security standards. Among them: SAML (Security Access Markup Language), a secure mechanism to convey requests and responses, and XMLDSIG.

Best of all, Seth says, "it's truly open sourced" under a BSD License. "For the present, I suspect that most people will just want to grab the code and play around with the language, but we're already getting mail from people who want to join in the project."

Street Credibility

Will its XML provenance and OASIS ratification create a snowball effect driving rapid adoption of XACML?

"OASIS ratification means a number of things, but most importantly it means that a large number of companies and individuals think the standard is ready for use," says Seth. He acknowledges the one-hand-helps-the-other effect that often accompanies ratification of a new standard. On the one hand, "XACML 1.0 is a frozen standard that people can start using to build interoperable policy systems," observes Seth. On the other hand, "people are more likely to want to incorporate XACML into their work because it's an official OASIS standard."

As for the Internet Security Research Group, Seth and his colleagues are pushing straight ahead with work on incorporating management tools, performance enhancements, and incremental API and feature improvements. "I'm hoping that a lot of future work will come from the open source developer community, but my group will certainly continue to be active in this project," says Seth. In fact, a new version of the XACML implementation is already in the pipeline. In the meantime, "there's a good deal of work underway in different standards bodies to define how XACML interacts with other standards (protocols, databases, authentication systems, etc.), and as these efforts become more mature we'll be working to add support into our code."
