Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
A couple of notes I read last week seemed to go together so nicely that I thought I'd share them with you in hopes of stimulating your own thought processes. One came from a discussion in the LinkedIn cloud computing group; the other was a blog post by old friend Martin Kuppinger.
In a discussion of use cases for IdM by cloud computing developers, one member wrote: "…it's significant when discussing IdM to differentiate authentication and authorization. When introducing federation, the complexity involved with the two aspects increases significantly. If that federation extends beyond my organizational bounds (pure cloud-based resources or hybrid) then the complexity increases again. For instance, my cloud-based dashboard aggregating my corp. sponsored 401k, personal bank accounts, IRA, and investments."
It is time to move the discussion past authentication. We seem to have been stuck there for the past 10 to 12 years. In that regard, Kuppinger's posting seems a good place to jump-start the discussion. He writes: "XACML (eXtensible Access Control Markup Language) gains increasing attention as one of the core standards in the field of information security and thus IT security. Whilst standards like SAML (Security Assertion Markup Language) address the problem of authentication, XACML is about authorization -- the more complex threat."
A couple of years ago ("Are we bogged down in authentication discussions?") I advocated moving away from authentication discussions only slowly, arguing that until we were sure who was logging in, discussions of what they could access were merely academic. Now it's time to move on. I may, in fact, have denigrated the possibilities of XACML. I'm still not sure it's the best we could do but -- similar to my thoughts on PKI -- it's the best we can do right now.
XACML is all about rule-based access control: a policy is a set of rules, each of which evaluates attributes of the subject, the resource, the action and the environment and yields Permit or Deny, and a combining algorithm resolves the rules into one decision. Couple that with role-based and context-based access control (roles and environment as just more attributes in those rules) and we might be on to something. XACML isn't ready for total authorization control, though. As Kuppinger notes, there are some things still needed. He mentions:
* "[T]he use of XACML requires not only the right tools but well-thought concepts for policy creation and management.
* XACML is just a foundation to express policies. Within a use case, policy concepts have to be defined."
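To make Kuppinger's two points concrete, here is a toy policy decision point in the shape of a XACML policy (rules with a target, a condition and an effect, resolved by the deny-overrides combining algorithm), applied to the aggregated-finance dashboard from the LinkedIn comment. This is an added example written for this page; it is not code from the column, from Kuppinger, or from any XACML implementation, and it uses Python callables in place of the XML policy language. The attribute names (subject.role, resource.owner, env.network and so on), the three rules and the sample requests are all constructed for illustration. It shows one role-based rule, one context-based rule and one flat rule living in the same policy, and what happens when none of them matches.

```python
"""Toy XACML-style PDP: Policy -> Rules -> combining algorithm.

Added example, not the column's or any vendor's code. Attribute names, the
policy and the sample requests below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# A request is the flat attribute bag a XACML context handler would assemble:
# who (subject.*), what (resource.*), which verb (action) and in what context (env.*).
Request = Dict[str, object]


def always(_req: Request) -> bool:
    return True


@dataclass
class Rule:
    rule_id: str
    effect: str                                     # PERMIT or DENY
    target: Callable[[Request], bool]               # does the rule apply to this request at all?
    condition: Callable[[Request], bool] = always   # extra predicate once the target matches

    def evaluate(self, req: Request) -> str:
        if not self.target(req) or not self.condition(req):
            return NOT_APPLICABLE
        return self.effect


def deny_overrides(decisions: List[str]) -> str:
    """XACML deny-overrides: any Deny wins, then any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]
    combine: Callable[[List[str]], str] = deny_overrides

    def decide(self, req: Request) -> str:
        return self.combine([rule.evaluate(req) for rule in self.rules])


# --- Constructed policy for the aggregated-finance dashboard --------------------
def is_account(req: Request) -> bool:
    return req.get("resource.type") == "account"


def owner_reads_own(req: Request) -> bool:
    """Role-based: an account owner may read accounts that belong to them."""
    return (req.get("action") == "read"
            and req.get("subject.role") == "account-owner"
            and req.get("subject.id") == req.get("resource.owner"))


def offhours_from_untrusted_network(req: Request) -> bool:
    """Context-based: outside 08:00-18:00 and not on the corporate network."""
    hour = int(req.get("env.hour", 12))
    return req.get("env.network") != "corp" and not 8 <= hour < 18


DASHBOARD_POLICY = Policy("dashboard-policy", [
    Rule("owner-may-read", PERMIT, target=is_account, condition=owner_reads_own),
    Rule("no-offhours-remote", DENY, target=is_account,
         condition=offhours_from_untrusted_network),
    # Plain rule: the aggregator is read-only, whoever asks.
    Rule("read-only-aggregator", DENY, target=lambda r: r.get("action") == "transfer"),
])


def decide(req: Request) -> str:
    """PDP entry point: Permit, Deny or NotApplicable."""
    return DASHBOARD_POLICY.decide(req)


def pep_allows(req: Request) -> bool:
    """A deny-biased PEP: only an explicit Permit opens the door."""
    return decide(req) == PERMIT


def _req(**attrs) -> Request:
    base: Request = {"subject.id": "alice", "subject.role": "account-owner",
                     "resource.type": "account", "resource.owner": "alice",
                     "action": "read", "env.hour": 10, "env.network": "corp"}
    base.update(attrs)
    return base


# Constructed sample requests.
ALICE_READS_OWN_401K = _req()
ALICE_READS_AT_NIGHT_FROM_HOME = _req(**{"env.hour": 23, "env.network": "home"})
ALICE_TRIES_A_TRANSFER = _req(action="transfer")
ALICE_READS_BOBS_IRA = _req(**{"resource.owner": "bob"})

if __name__ == "__main__":
    for name, req in [("own 401k, office hours", ALICE_READS_OWN_401K),
                      ("own 401k, night, home", ALICE_READS_AT_NIGHT_FROM_HOME),
                      ("transfer", ALICE_TRIES_A_TRANSFER),
                      ("Bob's IRA", ALICE_READS_BOBS_IRA)]:
        print(f"{name:28} -> {decide(req):14} allow={pep_allows(req)}")
```

The fourth request is the one to notice: no rule in the policy speaks to Alice reading Bob's account, so the PDP answers NotApplicable, not Deny. That is Kuppinger's point in code. XACML gives you the machinery to express and combine rules, but it says nothing about which roles exist, who is trusted to assert the env.network attribute, or whether silence means "no"; those are the policy concepts the use case has to define, and a PEP that treats anything but an explicit Permit as a refusal is the usual way to close that gap.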
Authorization, better access control -- that's what we need to talk about. OK, now it's your turn.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
Comments (1)
In complete agreement
By bkerns on October 28, 2009, 1:48 pm
Dave - At Conformity, we could not agree more. As our prospects actively embrace cloud and SaaS solutions, they struggle with the lack of visibility and control...