OASIS advances security standards

OASIS took big strides with its security standards last week, ratifying XACML 2.0 and reaching several milestones with SAML 2.0.

OASIS has made significant progress in its security standards department in recent weeks, ratifying the Extensible Access Control Markup Language (XACML) 2.0 and making strong gains with the Security Assertion Markup Language (SAML) 2.0.

XACML, which defines an XML schema for representing authorization and entitlement policies, is part of a growing portfolio of OASIS standards for security, which also include the Application Vulnerability Description Language, SAML, Service Provisioning Markup Language, Web Services (WS) Security, and the XML Common Biometric Format.

Meanwhile, SAML 2.0 made considerable strides toward standardization as it passed a series of interoperability tests and was approved as a formal committee draft.

Although many of these standards are independent of one another, there are certain synergies between SAML and XACML. SAML enables the secure exchange of authentication, attribute, and authorization information across security boundaries. XACML, on the other hand, uses this information to determine access to resources.

"There's a domain model that's shared by SAML and XACML," said Hal Lockhart, senior engineering technologist principal for BEA and co-chair of the OASIS XACML technical committee. "From XACML's point of view, there are two important entities, which are architecturally distinct: the Policy Enforcement Point (PEP) and the Policy Decision Point (PDP)."

Whereas the PEP is responsible for allowing or disallowing requests to various resources, the PDP processes the applicable policies and decides whether to grant access to the resource in question, according to Lockhart.

"The PEP makes available all the information about the request, such as who made it, when it was made, from where in the network, the resource being accessed, and potentially other kinds of information," Lockhart said. "The PDP locates the policies that apply for this particular decision and figures out the answer which the PEP then enforces."

To support users from a wide range of security environments, XACML 2.0 incorporates new profiles for Role-Based Access Control (RBAC), Privacy, and the Lightweight Directory Access Protocol (LDAP).

"XACML 2.0 can be of particular interest to those deploying SAML, looking for a practical way to implement RBAC or protecting hierarchical resources, such as portions of XML documents," Lockhart said.

One of the powerful features of XACML is how, like SAML, it is designed to work in a federated environment consisting of disparate security systems and security policies.

"In the SAML-Liberty context you often hear about federated identity," Lockhart said. "This is what I called federated policy."

XACML is agnostic as to where a policy is obtained, according to Lockhart. In a federated environment, he said, one might get policy information from several places and may need to combine, for instance, an organizational policy with a policy that applies to a particular resource.
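To make the PEP/PDP split, hierarchical resource matching and the combining of policies from more than one source concrete, here is an added toy policy decision point. It is constructed for this article, not code from OASIS or BEA, and models XACML 2.0's deny-overrides combining with plain Python objects rather than the XACML XML schema; the roles, resource paths and policies are invented.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Request:  # context the PEP hands to the PDP: who, what, which action, from where
    subject: dict
    resource: str  # hierarchical id, e.g. "/docs/hr/payroll.xml" (constructed)
    action: str
    environment: dict = field(default_factory=dict)

@dataclass
class Rule:
    effect: str  # "Permit" or "Deny"
    target: Callable[[Request], bool]  # does this rule apply to the request?

@dataclass
class Policy:
    resource_scope: str  # applies to this node and everything beneath it
    rules: list

def combine_deny_overrides(decisions: list) -> str:
    """Any Deny wins, otherwise a Permit, otherwise nothing applied."""
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"

def evaluate_policy(policy: Policy, req: Request) -> str:
    # Hierarchical match: scope "/docs/hr" covers "/docs/hr/payroll.xml"
    prefix = policy.resource_scope.rstrip("/") + "/"
    if req.resource != policy.resource_scope and not req.resource.startswith(prefix):
        return "NotApplicable"
    return combine_deny_overrides([r.effect for r in policy.rules if r.target(req)])

def decide(policies: list, req: Request) -> str:
    """PDP: evaluate every policy that applies and combine their answers."""
    return combine_deny_overrides([evaluate_policy(p, req) for p in policies])

# Constructed policies from two sources: an organisation-wide rule and a
# resource owner's role-based rules for one sub-tree of the document store.
ORG_POLICY = Policy("/", [
    Rule("Deny", lambda r: r.environment.get("network") == "external"
         and r.action == "write")])
HR_DOCS_POLICY = Policy("/docs/hr", [
    Rule("Permit", lambda r: r.subject.get("role") == "hr"),
    Rule("Permit", lambda r: r.subject.get("role") == "auditor"
         and r.action == "read")])
POLICIES = [ORG_POLICY, HR_DOCS_POLICY]

def pep_allows(req: Request, policies: list = POLICIES) -> bool:
    return decide(policies, req) == "Permit"  # PEP: only an explicit Permit passes
```

The two policies come from different owners and are combined at decision time, so the resource owner's Permit for HR staff still yields Deny when the organisation-wide rule fires.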

A standard access control policy language such as XACML will not only eliminate the need for multiple, application-specific policy languages, but will also facilitate the development of tools for writing and managing XACML policies.

In a statement, San Jose, Calif.-based BEA Systems Inc. said it is working to incorporate support for XACML in future releases of its products. Lockhart said XACML 2.0 support will be provided in BEA's WebLogic Enterprise Security.

This news article originally appeared on the SearchWebServices site.