

Subject: XACML Interop


OASIS Members Demonstrate Interoperability of XACML Access Control Standard in
HITSP Health Care Scenario

Axiomatics, BEA, Cisco, IBM, Oracle, Red Hat, Sun Microsystems, the U.S.
Department of Veterans Affairs, and Others Collaborate at RSA 2008

San Francisco, CA, USA; 7 April 2008 -- At the RSA Conference today, members of
the OASIS open standards consortium, in cooperation with the Health Information
Technologies Standards Panel (HITSP), demonstrated interoperability of the
eXtensible Access Control Markup Language (XACML) version 2.0. Simulating a
real world scenario provided by the U.S. Department of Veterans Affairs, the
demo showed how XACML ensures successful authorization decision requests and
the exchange of authorization policies.

"XACML is widely regarded as the standard for solving complex access control
problems in the enterprise," noted James Bryce Clark, director of standards
development at OASIS. "Today's demo shows that XACML can play a key role in
health care. By successfully enforcing fine-grained access control decisions to
protected health information, XACML meets HITSP's requirements for security and
privacy."

"We're pleased to work with OASIS on addressing the very sensitive issues
related to the access of patient information," said John (Mike) Davis,
standards architect with the VHA Office of Information in the Department of
Veterans Affairs, and a member of the HITSP Security, Privacy and
Infrastructure Technical Committee. "XACML helps ensure that patients,
physicians, hospitals, public health agencies and other authorized users share
critical information appropriately and securely."

The XACML Interop at the RSA 2008 conference utilizes requirements from Health
Level Seven (HL7), ASTM International, and the American National Standards
Institute (ANSI). The demo features role-based access control (RBAC), privacy
protections, structured and functional roles, consent codes, emergency
overrides and filtering of sensitive data. Vendors show how XACML obligations
can provide capabilities in the policy decision-making process. The use of
XACML obligations and identity providers using the Security Assertion Markup
Language (SAML) is also highlighted.
 
XACML Interop Participants:

Axiomatics 
"The XACML Interop demonstrates the power, speed, and flexibility which XACML
delivers to application developers and IT users. XACML is the technology which
will deliver efficient and future-proof authorization management for the
service oriented world," said Erik Rissanen, CTO, Axiomatics AB.

BEA
"The XACML Interop at the RSA conference illustrates BEA's continuing
commitment to the latest version of the XACML standard in AquaLogic Enterprise
Security. Centralized access control policy that uses a standards-based
framework is critically important to the success of SOA initiatives," said
Geoff Charron, VP & Unit Executive.

Cisco
"As a company that believes in open standards, Cisco is pleased to participate
in the XACML Interop at RSA and excited by the increasing adoption of XACML
across all segments of the industry," said Rajiv Gupta, vice president, policy
management business unit, Cisco. "The Cisco Enterprise Policy Manager, formerly
Securent Entitlement Management Solution, was one of the first commercial
products to support XACML, and we remain committed to the standard."

IBM
"This Interop session supports IBM's approach to interoperability, in that
significant customer value is possible when industry leaders work together.
OASIS and these vendors that support XACML are moving towards improved levels
of interoperability through our collaboration as demonstrated this week with
the health care industry," said Anthony Nadalin, IBM Distinguished Engineer and
chief security architect for IBM Tivoli Software. 

Red Hat
"XACML has proven to be a strong candidate in building complex access control
infrastructures, not only in verticals such as the health care and financial
industries, but also in the extension of access control for the various
containers of an Enterprise Application Server such as the JBoss Application
Server. Health care poses immense challenges in establishment of access control
policies and enforcement. Patient privacy is an important issue that needs
immediate focus, and its access control use cases have been driven by XACML in
this interoperability. Emergency overrides of the privacy controls have been
given prominence in this demo, along with the modeling of roles and privileges.
XACML has the flexibility of extensions to solve similar complex use cases in
other verticals," said Anil Saldhana, Leader and Chief Security Architect,
JBoss Security and Identity Management, Red Hat Inc.

Oracle
"XACML 2.0 can provide an authorization model for complex policies required by
enterprise-scale applications and administrators. Through our support of XACML
and participation in the OASIS InterOp event at the RSA conference, Oracle will
demonstrate key authorization concepts important to our customers. These
include role-based access control and access to medical records based on
patient consent," said Prateek Mishra, director, Security Standards, Oracle.

Sun 
"Sun is committed to the industry's collaborative efforts to develop and
promote interoperability standards that facilitate the creation of dynamic
federated identity networks," said Mark Herring, vice president of marketing,
Software Infrastructure, Sun Microsystems. "Support for XACML allows our
customers to share access control policies across corporate boundaries and
offers more dynamic standards-based tools for creating federated mashups. As a
result, our customers can continue to expand their business reach while using
open standards to enforce security decisions and minimize security risk."

Additional information:
XACML 2.0 OASIS Standard
http://www.oasis-open.org/specs/index.php#xacmlv2.0

OASIS XACML Technical Committee
http://www.oasis-open.org/committees/xacml/

XACML FAQ
http://www.oasis-open.org/committees/xacml/faq.php


About OASIS:
OASIS (Organization for the Advancement of Structured Information Standards)
drives the development, convergence, and adoption of open standards for the
global information society. A not-for-profit consortium, OASIS advances
standards for SOA, security, Web services, documents, e-commerce, government
and law, localisation, supply chains, XML processing, and other areas of need
identified by its members. OASIS open standards offer the potential to lower
cost, stimulate innovation, grow global markets, and protect the right of free
choice of technology. The consortium has more than 5,000 participants
representing over 600 organizations and individual members in 100 countries.
http://www.oasis-open.org

Press contact:
Carol Geyer, OASIS Director of Communications
carol.geyer@oasis-open.org, +1.978.667.5115 x209 (office), +1.941.284.0403
(mobile)


