OASIS Mailing List Archives

 



xacml message



Subject: For Thursday: Policy Authoring


Without any question I believe that the biggest barrier to XACML adoption at the current time is difficulties in creating and modifying Policies. Admittedly the TC shares some of the blame for a syntax which is bulky and in which it is hard to distinguish by eye the “meat” from the “punctuation”. However most of us believe the conceptual understanding is the fundamental problem, not the syntax. A main reason that SQL has been so widely adopted is that it is easy to hire people with SQL skills. We need a cadre of Security Officers who are conversant with Policy design.

 

I see lots of fronts on which progress can be made.

 

Including the open source projects and the various products there are many examples of policy editors. Nobody claims to have a perfect solution, but much can be learned by analysis of existing features. Which are most useful? Which make understanding policies easier? Which help with overall policy structure?

 

A library of sample policies identified by where they might apply. The NCCoE could play a valuable role in collecting policy samples and fragments, cleansing them of any personal or corporate info and making them available as models.

 

Much work could be done on overall policy structure. A common problem is that people don’t know where to start. I have long advocated a policy structure oriented around resources. The idea is that the policy sets near the root would determine which organization and then which server(s) the resource is located on. Policies further down the tree would then check subject attributes and make other, more detailed tests. I believe this structure would facilitate policy federation, by which I mean having distinct individuals or groups responsible for different parts of a common policy tree. I don’t know if this model is best. There may be others which work even better.

 

Axiomatics created the ALFA language, implemented as an Eclipse plugin. It is essentially a much more friendly syntax for XACML. They have contributed the language to the TC and there is a draft Profile. Any exploration of policy authoring should consider ALFA.

 

A what-if capability is very important for policy development. How well do current tools work and how easy are they to use? They should be capable of both one-off checks as well as enabling the development of libraries of regression tests. Analysis tools, such as semantic analyzers, should also be examined and integrated into the environment. To what extent can these tools help with authoring and to what extent do they simply allow policies to be verified?

 

This strikes me as the kind of activity where as the knowledge and understanding of the problem increases, it will become clearer what to do next.

 

Hal
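The resource-oriented policy tree and the what-if / regression-test capability described in the message above, modelled as an added Python example that is not code from the message, the XACML TC, or any product. The organizations, servers, roles, attribute names and test cases are made up for illustration; the evaluator implements only the first-applicable and deny-overrides combining algorithms over a flat attribute bag rather than real XACML requests, and it treats Policy and PolicySet as one node type.

```python
"""Toy model of a resource-oriented XACML policy tree with a what-if
evaluator and a regression-test harness. Added example; not code from the
XACML TC or from the message above. Every organization, server, role and
attribute name below is a constructed placeholder."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

Request = Dict[str, str]            # flat attribute bag, e.g. {"resource.org": "acme"}
Predicate = Callable[[Request], bool]


def always(req: Request) -> bool:
    """Target that matches every request (an empty XACML <Target>)."""
    return True


def attr_equals(name: str, value: str) -> Predicate:
    """Target builder: attribute `name` is present and equals `value`."""
    return lambda req: req.get(name) == value


@dataclass
class Rule:
    effect: str                     # "Permit" or "Deny"
    condition: Predicate = always

    def evaluate(self, req: Request) -> str:
        return self.effect if self.condition(req) else "NotApplicable"


@dataclass
class PolicyNode:
    """Stands in for both <Policy> (children are Rules) and <PolicySet>."""
    name: str
    target: Predicate
    algorithm: str                  # "first-applicable" or "deny-overrides"
    children: Sequence

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return "NotApplicable"
        if self.algorithm == "first-applicable":
            for child in self.children:
                decision = child.evaluate(req)
                if decision != "NotApplicable":
                    return decision
            return "NotApplicable"
        if self.algorithm == "deny-overrides":
            decisions = [child.evaluate(req) for child in self.children]
            if "Deny" in decisions:
                return "Deny"
            return "Permit" if "Permit" in decisions else "NotApplicable"
        raise ValueError(f"unknown combining algorithm {self.algorithm}")


# Resource-oriented tree: organization -> server -> subject/action checks.
# Each subtree could be owned by a different group (policy federation).
acme_db1 = PolicyNode("acme/db1", attr_equals("resource.server", "db1"), "deny-overrides", [
    Rule("Deny", lambda r: r.get("action") == "write" and r.get("subject.role") != "dba"),
    Rule("Permit", lambda r: r.get("subject.role") in ("dba", "analyst")),
])
acme_web = PolicyNode("acme/web", attr_equals("resource.server", "web"), "deny-overrides", [
    Rule("Permit", lambda r: r.get("action") == "read"),
])
acme = PolicyNode("acme", attr_equals("resource.org", "acme"), "first-applicable",
                  [acme_db1, acme_web])
root = PolicyNode("root", always, "first-applicable", [
    acme,
    # Catch-all: a request no organization subtree decides is denied.
    PolicyNode("default-deny", always, "first-applicable", [Rule("Deny")]),
])


def what_if(tree: PolicyNode, req: Request) -> str:
    """One-off check: what would the PDP decide for this request?"""
    return tree.evaluate(req)


def run_regression(tree: PolicyNode, cases: Sequence[Tuple[Request, str]]) -> List[str]:
    """Regression library: returns one line per case whose decision differs from the expected one."""
    failures = []
    for req, expected in cases:
        got = tree.evaluate(req)
        if got != expected:
            failures.append(f"{req}: expected {expected}, got {got}")
    return failures


# Constructed regression cases pinning down the intended behaviour of the tree.
REGRESSION_CASES = [
    ({"resource.org": "acme", "resource.server": "db1", "subject.role": "dba", "action": "write"}, "Permit"),
    ({"resource.org": "acme", "resource.server": "db1", "subject.role": "analyst", "action": "write"}, "Deny"),
    ({"resource.org": "acme", "resource.server": "db1", "subject.role": "analyst", "action": "read"}, "Permit"),
    ({"resource.org": "acme", "resource.server": "web", "subject.role": "guest", "action": "read"}, "Permit"),
    ({"resource.org": "acme", "resource.server": "web", "subject.role": "guest", "action": "write"}, "Deny"),
    ({"resource.org": "other", "resource.server": "db1", "subject.role": "dba", "action": "read"}, "Deny"),
]

if __name__ == "__main__":
    print(what_if(root, REGRESSION_CASES[0][0]))
    print(run_regression(root, REGRESSION_CASES) or "all regression cases pass")
    # What-if on a proposed edit: dropping the catch-all turns two Denys into NotApplicable.
    edited = PolicyNode("root", always, "first-applicable", [acme])
    print(run_regression(edited, REGRESSION_CASES))
```

The two cases that depend on the `default-deny` catch-all (a guest writing to `web`, and any request for an organization with no subtree) are the ones the regression library exists for: an editor who removes or reorders that node sees exactly which decisions changed, which is the kind of what-if feedback the message asks of authoring tools.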

 

 


