Calling for a policy access protocol

Aug 18, 2004
Access Control | Enterprise Applications

* Why policy datastores would benefit from a protocol for accessing policies

Last time, I mentioned that I recently spent time talking to MaXware Director of Worldwide Marketing Ira Horowitz about the company’s identity management and directory services products. I talked about the newest – Dynamic Identity Store – last month in the roundup of Catalyst announcements, and Horowitz wanted to be sure I understood exactly how it worked.

He showed lots of what looked like modern-day Venn diagrams explaining the interconnecting and overlapping nature of the various parts of identity management. But what he really wanted to talk about was the other new release from MaXware, Virtual Policy Server (VPS).

I mentioned VPS last month as a proposed engine that does for policies what the original MaXware product, Virtual Directory Server, did for identities. It does not copy policies into a central repository; instead it holds pointers to the original policies and reads the current policy from its source at the moment a decision is needed, so every decision reflects the up-to-the-minute policy rather than a stale copy.

What I neglected to mention at that time was that using VPS – which would make network, service, application and user management much easier – is going to require some changes in the way applications are written. Specifically, to use VPS, applications and services need to be aware of it and call MaXware's freely available API.

Now when Microsoft publishes a new API (the .Net initiative for Web services, for example), everyone – independent software vendors, corporate programmers and others – immediately takes notice and tries first to accommodate the new interface and then to leverage it. But MaXware is no Microsoft in terms of clout, not even in the small pond of identity management vendors, which is, of course, a pond full of piranhas waiting to savage each other. As I suggested to Horowitz, and I'm now suggesting to you, what's needed is a policy access protocol.

Just as Lightweight Directory Access Protocol (LDAP) energized the use of directory services as ubiquitous repositories of identity data, so too would policy datastores benefit from a public standardized protocol for accessing policies.

The eXtensible Access Control Markup Language (XACML) Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS) is a good place to start. MaXware's VPS already supports that standard, but I contend that XACML, as it stands today, doesn't go far enough: it addresses access control policies only. All policies, not just access control policies, need a standardized way of being created, maintained, reviewed and enforced by second- and third-party vendors.

Just as MaXware’s Virtual Directory can transparently access directory services from Microsoft, Novell, Sun, IBM, Critical Path, Computer Associates and others, so too should VPS be able to transparently access policies stored in directories, file systems, registries, routers and switches, relational databases – in short, everywhere a policy can be stored. I don’t know if anyone is working on such a protocol yet, but I’d like to hear about any initiatives.
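To make the two ideas above concrete (a policy engine that keeps pointers to policies where they already live, and an XACML-style evaluation on top of them), here is an added illustration. It is not MaXware's code and not the XACML specification; the backends (a JSON-file store and an in-memory dictionary standing in for a directory), the policy layout and the names `VirtualPolicyServer`, `FileBackend`, `DirectoryBackend` and `decide` are assumptions made for the example. The only XACML semantics borrowed are rule targets and the deny-overrides combining algorithm.

```python
"""Illustrative virtual policy server: resolves policy references at
decision time instead of copying policies into a central store.
Added example, not MaXware's code. Policy format is a simplified
XACML-style rule list evaluated with deny-overrides."""
import json
import os
import tempfile
from typing import Dict, Tuple


class FileBackend:
    """Policies stored as JSON files (assumed stand-in for a file system)."""
    def __init__(self, root: str) -> None:
        self.root = root

    def _path(self, key: str) -> str:
        return os.path.join(self.root, key + ".json")

    def read(self, key: str) -> dict:
        with open(self._path(key), encoding="utf-8") as fh:
            return json.load(fh)

    def write(self, key: str, policy: dict) -> None:
        with open(self._path(key), "w", encoding="utf-8") as fh:
            json.dump(policy, fh)


class DirectoryBackend:
    """In-memory dict standing in for a directory (LDAP-like) store."""
    def __init__(self) -> None:
        self.entries: Dict[str, dict] = {}

    def read(self, key: str) -> dict:
        return self.entries[key]

    def write(self, key: str, policy: dict) -> None:
        self.entries[key] = policy


def rule_applies(rule: dict, request: dict) -> bool:
    """A rule target maps attribute -> required value; an empty target
    matches every request (like an XACML rule without a Target)."""
    return all(request.get(k) == v for k, v in rule.get("target", {}).items())


def evaluate(policy: dict, request: dict) -> str:
    """Deny-overrides: any applicable Deny wins, then Permit, else NotApplicable."""
    effects = [r["effect"] for r in policy["rules"] if rule_applies(r, request)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


class VirtualPolicyServer:
    """Holds (backend, key) pointers, never policy copies."""
    def __init__(self) -> None:
        self.backends: Dict[str, object] = {}
        self.refs: Dict[str, Tuple[str, str]] = {}

    def register_backend(self, name: str, backend: object) -> None:
        self.backends[name] = backend

    def add_reference(self, policy_name: str, backend: str, key: str) -> None:
        self.refs[policy_name] = (backend, key)

    def decide(self, policy_name: str, request: dict) -> str:
        backend, key = self.refs[policy_name]
        policy = self.backends[backend].read(key)   # fetched at decision time
        return evaluate(policy, request)


def demo() -> dict:
    """Constructed scenario: two backends, one policy edited in place."""
    files = FileBackend(tempfile.mkdtemp())
    ldap = DirectoryBackend()
    vps = VirtualPolicyServer()
    vps.register_backend("fs", files)
    vps.register_backend("dir", ldap)

    files.write("payroll", {"rules": [
        {"effect": "Permit", "target": {"role": "hr", "action": "read"}},
        {"effect": "Deny", "target": {"role": "contractor"}},
    ]})
    ldap.write("cn=vpn,ou=policies", {"rules": [
        {"effect": "Permit", "target": {"action": "connect"}},
    ]})
    vps.add_reference("payroll", "fs", "payroll")
    vps.add_reference("vpn", "dir", "cn=vpn,ou=policies")

    hr_read = {"role": "hr", "action": "read"}
    before = vps.decide("payroll", hr_read)
    contractor = vps.decide("payroll", {"role": "contractor", "action": "read"})
    vpn = vps.decide("vpn", {"role": "hr", "action": "connect"})

    # The policy owner edits the source; the VPS sees it on the next decision.
    files.write("payroll", {"rules": [{"effect": "Deny", "target": {}}]})
    after = vps.decide("payroll", hr_read)
    return {"before": before, "after": after, "contractor": contractor, "vpn": vpn}


if __name__ == "__main__":
    print(demo())
```

The point of `decide` fetching the policy on every call is the one the column makes: the server holds references, so an edit at the source (the `files.write` near the end) changes the next decision without any re-import, and the same `evaluate` runs regardless of whether the pointer resolves to a file or a directory entry. A real protocol would standardize the `read` side of those backends, which is exactly what the column is asking for.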