

Subject: Vendors Showcase Access Control Standard in a Web Server Environment


BEA Systems, CA, IBM, Jericho Systems, Oracle, Red Hat, Securent and Others
Showcase Access Control Standard in a Web Server Environment

San Francisco, CA, USA; 28 June 2007 -- At Burton Group's Catalyst Conference
today, eight companies will join together for the first time to demonstrate
interoperability of the eXtensible Access Control Markup Language (XACML) 2.0
OASIS Standard. An extremely flexible language for expressing access control,
XACML is particularly designed to support large-scale environments where
resources are distributed and policy administration is federated. XACML 2.0 is
also ITU/T Recommendation X.1142.

"Access control is a requirement of almost every application," said Dan Blum,
senior vice president and research director of the Burton Group. "XACML goes
beyond simply denying or granting information access, it defines the mechanism
for creating the rules and policy sets that enable meaningful authorization
decisions."

The Catalyst demonstration will include two scenarios. In the first, different
implementations exchange XACML policies that control access for a variety of
Web server addresses. This demonstrates the ability of different
implementations to understand the language defined by XACML. 

In the second scenario, authorization decisions are enforced by applications
based on interaction with an external policy decision point. Both the
application and the policy decision point can be independently implemented, and
communication between them will use the XACML Security Assertion Markup
Language (SAML) Authorization Decision Request Protocol. This shows how
components such as services, applications and containers are able to defer to a
centrally managed authorization service when making authorization decisions.

"XACML attributes are extensible, so that information specific to particular
industry segments or verticals can be encoded in policy rules and communicated
to and from applications," explained Hal Lockhart of BEA Systems, co-chair of
the OASIS XACML Technical Committee. "XACML also recognizes that attribute
values may originate at the point of enforcement or from databases found
elsewhere and supports flexible deployment architectures."

Support for XACML

BEA Systems
"The XACML OASIS InterOp demo illustrates that BEA AquaLogic Enterprise
Security is designed to support the latest version of the XACML standard
required by today's enterprises to manage and enforce access control policy
across a diverse SOA ecosystem in a simple and flexible way," said Geoff
Charron, VP & Unit Executive.

CA
"CA supports the industry's collaborative efforts to create interoperability
standards that facilitate implementation of secure access control policies
across federated, multi-enterprise, multi-vendor infrastructure. We will
continue to support XACML in our Identity and Access Management solutions so
that our customers can take full advantage of this interoperability," said Andy
Rappaport, architect for identity and access management, CA.

IBM
"This InterOp session comes at a time when our customers are seeing a
significant missing link with XACML and interoperability. OASIS is taking an
excellent step in the right direction by assembling this industry leader group
to help promote interoperability between the various vendors that support
XACML," said Anthony Nadalin, IBM Distinguished Engineer and chief security
architect for IBM Tivoli Software. 

Jericho Systems
"Jericho Systems is incredibly excited about the group of eight vendors that
have come together to advance the state of the privilege management and
entitlement management segment of the security industry. We believe the XACML
InterOp will positively demonstrate the power of open standards-based
interfaces and lead towards more vendors supporting XACML-enabled policy
enforcement points (PEPs) for externalized security decisioning," said Brendon
Unland, President & Founder of Jericho Systems.

Red Hat
"Access control is a complex space in comparison to authentication. Enterprise
customers and software products have made attempts at solving authorization use
cases via proprietary access control lists or such mechanisms. Role Based
Access Control (RBAC) has proven insufficient in many cases. XACML is an
industry standards effort at bringing sanity to the growing needs of access
control. XACML provides mechanisms to define policies and make decisions based
on a combination of subject (user in the simple case), resources (that need
access control), actions and optionally environmental factors like date-time
etc. Adopters of XACML are free to provide custom attributes that can affect
the final access control decision.
Interoperability events for XACML will aid in providing confidence in
implementations to adopters," said Anil Saldhana, Project/Technical Lead, JBoss
Security and Identity Management, Red Hat Inc.

Oracle
"XACML 2.0 provides a sophisticated model for authorization that can represent
complex policies required by enterprise-scale applications and administrators.
Through Oracle's support of XACML and participation in the OASIS InterOp event,
our customers gain a real-world example of how the power of the XACML
authorization model can enable the benefits of reduced costs and improved
manageability," said Prateek Mishra, director, Security Standards, Oracle. 

Securent
"Securent was founded for the purpose of providing fine-grained access control
for distributed enterprise applications and data. We were one of the earliest
adopters of XACML, and have leveraged it in Securent's Entitlement Management
Solution to demonstrate real-world applicability of XACML in addressing access
control needs at the application and data levels at some of the largest
enterprises in the world. The traction the standard is getting, including all
of the new-found interest and interoperability work, is clear validation of our
strategic decision to build our entitlement management product around the
powerful XACML standard," said Rajiv Gupta, Securent CEO.  


Additional information:

XACML 2.0 OASIS Standard
http://www.oasis-open.org/specs/index.php#xacmlv2.0

OASIS XACML Technical Committee
http://www.oasis-open.org/committees/xacml/

XACML FAQ
http://www.oasis-open.org/committees/xacml/faq.php


About OASIS:

OASIS (Organization for the Advancement of Structured Information Standards) is
a not-for-profit consortium that drives the development, convergence, and
adoption of open standards for the global information society. Members
themselves set the OASIS technical agenda, using a lightweight, open process
expressly designed to promote industry consensus and unite disparate efforts.
The consortium produces open standards for Web services, security, e-business,
and standardization efforts in the public sector and for application-specific
markets. Founded in 1993, OASIS has more than 5,000 participants representing
over 600 organizations and individual members in 100 countries.
http://www.oasis-open.org


Press contact:
Carol Geyer
OASIS Director of Communications
carol.geyer@oasis-open.org
+1.978.667.5115 x209 (office)
+1.941.284.0403 (mobile)


