Monday, July 17, 2006
Thoughts on Entitlements and XACML
At work, in the next couple of weeks, we will be conducting a vendor bakeoff between several different entitlement engine providers. I wanted to gain insight from folks in the blogosphere as to what would make for interesting scenarios...

In my travels, the folks over at Citigroup seem to have the most mature thinking in this space, having built their own entitlements engine in-house several years ago when no products existed. I know that folks from Bank of America and Wachovia have also travelled down this path, but I haven't run across many others in the Fortune 500 space that have embraced the notion of entitlements engines.
For those who are not familiar with this problem space, I would suggest considering the following. In the early 90s, enterprises realized that they shouldn't embed basic identity within enterprise applications and moved towards the notion of a corporate directory based on the LDAP protocol. When the web became popular, enterprises realized that externalizing authentication capability away from enterprise applications gave them the potential for single sign-on, which gave rise to products such as Yale CAS, Netegrity SiteMinder, Oracle COREid and so on.
The notion of externalizing entitlements (fine-grained authorization) away from enterprise applications is now at the forefront, as it gives an enterprise a single location to figure out, for auditing and control purposes, who has access to what at a fine grain of detail. The need for a consistent way to express policies around who can access what is driving the widespread adoption of XACML, which is an OASIS specification.
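To make the externalization concrete, here is a toy policy decision point in Python. It is an added illustration, not code from this post or from the Sun reference implementation or any vendor product: the policy, attribute names and sample requests are constructed, and it shows the PEP/PDP split together with XACML's deny-overrides and permit-overrides rule-combining algorithms, which is exactly the kind of behaviour a bakeoff test case should pin down.

```python
"""Minimal XACML-style policy decision point (PDP).

Added illustration, not code from the original post or any vendor product.
The policy, attribute names and sample requests are constructed for this example.
"""
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    """A rule applies when every attribute in its target has an allowed value."""
    effect: str                                  # PERMIT or DENY
    target: dict = field(default_factory=dict)   # attribute -> set of allowed values

    def matches(self, request: dict) -> bool:
        return all(request.get(a) in vals for a, vals in self.target.items())


def deny_overrides(decisions):
    """XACML deny-overrides: any Deny wins, then any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE


def permit_overrides(decisions):
    """XACML permit-overrides: any Permit wins; contrast with deny_overrides."""
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NOT_APPLICABLE


def evaluate(policy, request, combine=deny_overrides):
    """PDP: collect the effect of every applicable rule and combine them."""
    return combine([r.effect for r in policy if r.matches(request)])


# Constructed policy: fine-grained entitlements for a hypothetical trading application.
TRADING_POLICY = [
    Rule(PERMIT, {"role": {"trader"}, "action": {"view", "book"}, "desk": {"fx"}}),
    Rule(PERMIT, {"role": {"auditor"}, "action": {"view"}}),
    Rule(DENY, {"role": {"trader"}, "resource-class": {"restricted"}}),
]


def pep_enforce(request, policy=TRADING_POLICY):
    """PEP: the application asks the PDP rather than embedding the rules itself.
    XACML treats every decision other than Permit as a refusal."""
    return evaluate(policy, request) == PERMIT
```

Note that the same request against the same rules flips from Deny to Permit when the combining algorithm changes, so a vendor comparison should state which algorithm each engine applies by default.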
Anyway, if there is anyone in the blogosphere that can provide insight into any of the below thoughts, please do not hesitate to trackback:

- Sun seems to be the thought leader in the XACML space yet no one from Sun actually blogs about it. They created the XACML reference implementation. I wonder what it would take to get folks like Sara Gates, Ramesh Nagappan, Sameer Tyagi and other Sun bloggers to start talking about its importance.
- I haven't yet run across any .NET implementations for XACML. Is Microsoft taking a backseat to Sun in this regard? Not even their MVPs are talking about it. I wonder if Harry Waldron, Donna, Alun Jones or Michael Howard could comment?
- Is anyone in the Ruby community considering implementing XACML? I wonder if David Heinemeier Hansson is thinking out loud about security?
- I would love to understand how Smalltalk supports or doesn't support XACML. Maybe James Robertson knows the answer?
- Is anyone from Cisco noodling the notion of putting XACML support into switches? Wouldn't it be intriguing to be able to manage not only applications I have access to but to also do the same for say VLANs?
- Are XML firewall vendors such as Reactivity and Vordel considering making their products XACML PEPs?
- Should David Linthicum's company also embed XACML into their SOA integration appliance?
- How come industry analysts aren't talking about entitlements, yet they seem to be all over Sarbanes-Oxley and HIPAA? I know folks from the Burton Group are digging into this, but what about other security-oriented analysts from Gartner, Forrester, IDC and so on?
- I need some really hard test cases and will send a copy of the bestselling book Enterprise Service Oriented Architectures to whoever provides the most intriguing test case...
