
xacml-dev message



Subject: RE: [xacml-dev] Database data access control using XACML


David,

 

BiTKOO’s Keystone is 100% XACML 3.0 compliant. Just an FYI. We haven’t attested that in the TC because of a miscommunication between myself and one of our employees who is no longer with BiTKOO. We will submit an attestation to the TC to that effect this week.

 

The difference between theory and reality is vast. While in theory you can protect anything with XACML, the reality is that in order to protect database access, you either can use DB-Wall, or write custom code that can call out to a PDP. I suggest that people stand up a database, define use cases to test the row, column and cell level security and then test the various products and see what works, how fast it performs and whether it requires an advanced degree to operate.

 

 

Doron Grinstein  CEO  BiTKOO  818-985-4700 Ext. 31 www.bitkoo.com

 

 

 

From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Friday, August 12, 2011 3:12 PM
To: Doron Grinstein
Cc: xacml-dev@lists.oasis-open.org; Security Developer
Subject: Re: [xacml-dev] Database data access control using XACML

 

Yes, vendors such as Axiomatics and BiTKOO do offer products for DB access control. To date, only the Axiomatics product conforms to XACML 3.0.

Note that XACML is application-agnostic, so you can theoretically protect anything with any XACML policy.

The integration strategy determines what sort of application you can protect and how.

You need to check how that integration works, what performance impact there may be, whether there is caching or precomputation, and what sort of queries are allowed.

Make sure the product you choose achieves live access control using standard XACML 3.0 policies. Axiomatics Reverse Query (announced at Catalyst 2011) does.

XACML is flexible enough to let you achieve row / column / data access control.

Therefore, there are no special policies to be written, which makes XACML particularly elegant.

Cheers
David.

On Aug 11, 2011 7:51 PM, "Doron Grinstein" <doron@bitkoo.com> wrote:
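Added example, not code from either poster or from any product named in the thread: a minimal harness for the suggestion above to stand up a database and define row, column and cell level use cases, run here against custom enforcement code that calls out to a PDP. The `pdp_decide` stub, the `patients` table and its three rules are hypothetical and constructed for illustration; a real enforcement point would send XACML requests to the PDP under test, and the call counter shows why per-cell callouts raise the performance and caching questions mentioned in the thread.

```python
import sqlite3
STATS = {"pdp_calls": 0}  # callout counter: per-cell decisions drive the cost

def pdp_decide(subject, record, column=None):
    """Hypothetical PDP stub (assumption); a real PEP sends an XACML request here."""
    STATS["pdp_calls"] += 1
    if record["department"] != subject["department"]:
        return "Deny"    # row level: other departments' records
    if column == "ssn" and subject["role"] != "billing":
        return "Deny"    # column level: ssn only for billing
    if column == "diagnosis" and record["treating"] != subject["id"]:
        return "Deny"    # cell level: depends on column and on the row's value
    return "Permit"

def make_db():  # constructed sample data, in-memory only
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id, name, department, diagnosis, ssn, treating)")
    conn.executemany("INSERT INTO patients VALUES (?,?,?,?,?,?)", [
        (1, "Ann", "cardiology", "arrhythmia", "000-00-0001", "dr_a"),
        (2, "Bob", "cardiology", "angina", "000-00-0002", "dr_b"),
        (3, "Cy", "oncology", "lymphoma", "000-00-0003", "dr_c"),
    ])
    return conn

def pep_select(conn, subject):
    """Enforcement point: drop denied rows, mask denied cells with None."""
    cur = conn.execute("SELECT * FROM patients ORDER BY id")
    cols = [d[0] for d in cur.description]
    visible = []
    for row in cur.fetchall():
        record = dict(zip(cols, row))
        if pdp_decide(subject, record) != "Permit":
            continue
        visible.append({c: record[c] if pdp_decide(subject, record, c) == "Permit"
                        else None for c in cols})
    return visible

DR_A = {"id": "dr_a", "role": "doctor", "department": "cardiology"}
BILLING = {"id": "clerk", "role": "billing", "department": "cardiology"}

def run_use_cases():  # returns the names of failed use cases (empty = all pass)
    a, b = (pep_select(make_db(), s) for s in (DR_A, BILLING))
    checks = {
        "row: other department hidden": [r["id"] for r in a] == [1, 2],
        "column: ssn hidden from doctor": all(r["ssn"] is None for r in a),
        "cell: own patient's diagnosis only": [r["diagnosis"] for r in a] == ["arrhythmia", None],
        "column: billing sees ssn": [r["ssn"] for r in b] == ["000-00-0001", "000-00-0002"],
    }
    return [name for name, ok in checks.items() if not ok]
```

Swapping the stub for a call to each candidate product keeps the use cases fixed while the decision engine changes, and `STATS["pdp_calls"]` gives a first measure of how many decisions a single query costs.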