A couple of years ago I spoke alongside Andy Gordon and Cedric Fournet from Microsoft Research (Cambridge, UK) at a conference in France. At that time, they were working on validation of WS-Policy policies, detecting logical faults and inconsistencies, but they were also looking at mechanisms to express authorization and RBAC information in general.
It is good to see their work mentioned this morning by Craig Mundie in his RSA Conference Keynote. He mentioned a framework called SecPAL (read: http://research.microsoft.com/~moritzb/docs/beckerfournetgordon_authorizationlanguage.pdf ).
I have some questions about SecPAL though. It overlaps with XACML, but it is designed in a more "natural language" way than XACML (anyone who has read XACML will know what I mean about that). But nobody in their right mind would create or edit policies by manually editing XACML. XACML import and export (and policy import and export in general) is important in large networks. Policy silos are just as bad as identity silos. It would be possible to map from SecPAL to XACML, I can see, but right now nothing does that (right?). That is a gap right now.
One great thing about SecPAL is that it is built on top of research into developing policies which are logical and useful. Policy languages often give you "enough rope to hang yourself", and they have thought about this in advance. That's all good. But I remain worried about the overlap with XACML. Maybe it was telling that the example used by Craig Mundie, doctor access to healthcare, was very similar to the example used in the XACML Specification.
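To make the readability comparison and the "mapping gap" concrete, here is an added illustration of my own (it is not code from the original post, from Microsoft Research, or from the OASIS XACML specification): the doctor/healthcare example written as three SecPAL-style assertions, evaluated by a toy forward-chaining engine, and then the same rule emitted as one XACML 2.0 <Rule>. The issuer name "Hospital", the "?x" variable spelling, the `is_a` predicate and the role attribute id `urn:example:subject:role` are assumptions made for this example; SecPAL's delegation ("can say") is not modelled, and the mapper only handles the one RBAC rule shape.

```python
"""Added illustration (not from the original post and not Microsoft Research's or
OASIS's own tooling): the doctor/healthcare example as SecPAL-style assertions,
evaluated by a toy forward-chaining engine, then the rule emitted as an XACML 2.0
<Rule>. Variable spelling ("?x"), the issuer "Hospital", the is_a predicate and
the role attribute id are assumptions; SecPAL's "can say" delegation is omitted."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

Fact = Tuple[str, ...]                     # ("Alice", "is_a", "doctor"); "?x" terms are variables
Assertion = Tuple[str, Fact, List[Fact]]   # (issuer, head, conditions) == "issuer says head if conditions"

# Constructed policy, written the way SecPAL reads:
#   Hospital says ?x can read patientRecord if ?x is_a doctor
#   Hospital says Alice is_a doctor
#   Hospital says Bob is_a nurse
HOSPITAL_POLICY: List[Assertion] = [
    ("Hospital", ("?x", "can", "read", "patientRecord"), [("?x", "is_a", "doctor")]),
    ("Hospital", ("Alice", "is_a", "doctor"), []),
    ("Hospital", ("Bob", "is_a", "nurse"), []),
]


def is_var(term: str) -> bool:
    return term.startswith("?")


def unify(pattern: Fact, fact: Fact, env: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Match a pattern (may contain variables) against a ground fact; return the
    extended binding environment, or None if they do not match."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env


def derive(policy: List[Assertion], issuer: str) -> Set[Fact]:
    """Everything `issuer says` that follows from its own assertions, by naive
    forward chaining until no new ground fact appears."""
    known: Set[Fact] = set()
    changed = True
    while changed:
        changed = False
        for who, head, conds in policy:
            if who != issuer:
                continue
            envs: List[Dict[str, str]] = [{}]
            for cond in conds:               # every condition must match some known fact
                envs = [e2 for env in envs for f in known
                        for e2 in [unify(cond, f, env)] if e2 is not None]
            for env in envs:
                fact = tuple(env.get(t, t) for t in head)
                if not any(is_var(t) for t in fact) and fact not in known:
                    known.add(fact)
                    changed = True
    return known


XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ATTR = "urn:example:subject:role"     # made-up attribute id carrying the subject's role


def _match(parent: ET.Element, kind: str, value: str, attr_id: str) -> None:
    """Emit <Subjects><Subject><SubjectMatch> (or Resource/Action) comparing a
    literal to an attribute designator with string-equal."""
    holder = ET.SubElement(ET.SubElement(parent, kind + "s"), kind)
    m = ET.SubElement(holder, kind + "Match", MatchId=STRING_EQUAL)
    ET.SubElement(m, "AttributeValue", DataType=XSD_STRING).text = value
    ET.SubElement(m, kind + "AttributeDesignator", AttributeId=attr_id, DataType=XSD_STRING)


def to_xacml_rule(assertion: Assertion, rule_id: str) -> str:
    """Map one assertion of the shape
         issuer says ?x can <action> <resource> if ?x is_a <role>
    to a Permit <Rule> whose Target matches role, resource and action. Any other
    shape is rejected: this toy mapper covers only the RBAC pattern in the post."""
    issuer, head, conds = assertion
    ok = (len(head) == 4 and head[1] == "can" and is_var(head[0])
          and len(conds) == 1 and len(conds[0]) == 3 and conds[0][:2] == (head[0], "is_a"))
    if not ok:
        raise ValueError("only 'x can <action> <resource> if x is_a <role>' is supported")
    _, _, action, resource = head
    role = conds[0][2]
    rule = ET.Element("Rule", {"xmlns": XACML_NS, "RuleId": rule_id, "Effect": "Permit"})
    ET.SubElement(rule, "Description").text = (
        f"{issuer} says {head[0]} can {action} {resource} if {head[0]} is_a {role}")
    target = ET.SubElement(rule, "Target")
    _match(target, "Subject", role, ROLE_ATTR)
    _match(target, "Resource", resource, RESOURCE_ID)
    _match(target, "Action", action, ACTION_ID)
    if hasattr(ET, "indent"):                # Python 3.9+: pretty-print for the reader
        ET.indent(rule)
    return ET.tostring(rule, encoding="unicode")


if __name__ == "__main__":
    for fact in sorted(derive(HOSPITAL_POLICY, "Hospital")):
        print("Hospital says", " ".join(fact))
    print(to_xacml_rule(HOSPITAL_POLICY[0], "doctor-reads-patient-record"))
```

Running it derives `Hospital says Alice can read patientRecord` (and not the same for Bob, who is a nurse), then prints the roughly thirty lines of XACML that say exactly what the one-line SecPAL-style assertion says. The mapper deliberately refuses anything outside that one shape; a real SecPAL-to-XACML bridge would have to decide what to do with delegation and with conditions XACML's Target cannot express, which is where the gap the post describes actually lives.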
Looking forward to seeing where Microsoft goes with SecPAL.
11:34:35 AM