"XACML is widely regarded as the standard for solving complex access control problems in the enterprise," noted James Bryce Clark, director of standards development at OASIS. "Today's demo shows that XACML can play a key role in health care. By successfully enforcing fine-grained access control decisions to protected health information, XACML meets HITSP's requirements for security and privacy."
"We're pleased to work with OASIS on addressing the very sensitive issues related to the access of patient information," said John (Mike) Davis, standards architect with the VHA Office of Information in the Department of Veterans Affairs, and a member of the HITSP Security, Privacy and Infrastructure Technical Committee. "XACML helps ensure that patients, physicians, hospitals, public health agencies and other authorized users share critical information appropriately and securely."
The XACML Interop at the RSA 2008 conference utilizes requirements from Health Level Seven (HL7), ASTM International, and the American National Standards Institute (ANSI). The demo features role-based access control (RBAC), privacy protections, structured and functional roles, consent codes, emergency overrides and filtering of sensitive data. Vendors show how XACML obligations can provide capabilities in the policy decision-making process. The use of XACML obligations and identity providers using the Security Assertion Markup Language (SAML) are also highlighted.
XACML Interop Participants:
Axiomatics
"The XACML Interop demonstrates the power, speed, and flexibility which
XACML delivers to application developers and IT users. XACML is the
technology which will deliver efficient and future-proof authorization
management for the service oriented world," said Erik Rissanen, CTO,
Axiomatics AB.
BEA
"The XACML Interop at the RSA conference illustrates BEA's continuing
commitment to the latest version of the XACML standard in AquaLogic
Enterprise Security. Centralized access control policy that uses a
standards-based framework is critically important to the success of SOA
initiatives," said Geoff Charron, VP & Unit Executive.
Cisco
"As a company that believes in open standards, Cisco is pleased to
participate in the XACML Interop at RSA and excited by the increasing
adoption of XACML across all segments of the industry," said Rajiv
Gupta, vice president, policy management business unit, Cisco. "The
Cisco Enterprise Policy Manager—formerly Securent Entitlement
Management Solution—was one of the first commercial products to support
XACML, and we remain committed to the standard."
IBM
"This Interop session supports IBM's approach to interoperability, in
that significant customer value is possible when industry leaders work
together. OASIS and these vendors that support XACML are moving towards
improved levels of interoperability through our collaboration as
demonstrated this week with the health care industry," said Anthony
Nadalin, IBM Distinguished Engineer and chief security architect for
IBM Tivoli Software.
Red Hat
"XACML has proven to be a strong candidate in building complex access
control infrastructures, not only in verticals such as the health care
and financial industries, but also in the extension of access control
for the various containers of an Enterprise Application Server such as
the JBoss Application Server. Health care poses immense challenges in
establishment of access control policies and enforcement. Patient
privacy is an important issue that needs immediate focus, and its
access control use cases have been driven by XACML in this
interoperability. Emergency overrides of the privacy controls have been
given prominence in this demo, along with the modeling of roles and
privileges. XACML has the flexibility of extensions to solve similar
complex use cases in other verticals," said Anil Saldhana, Leader and
Chief Security Architect, JBoss Security and Identity Management, Red
Hat Inc.
Oracle
"XACML 2.0 can provide an authorization model for complex policies
required by enterprise-scale applications and administrators. Through
our support of XACML and participation in the OASIS InterOp event at
the RSA conference, Oracle will demonstrate key authorization concepts
important to our customers. These include role-based access control and
access to medical records based on patient consent," said Prateek
Mishra, director, Security Standards, Oracle.
Sun
"Sun is committed to the industry's collaborative efforts to develop
and promote interoperability standards that facilitate the creation of
dynamic federated identity networks," said Mark Herring, vice president
of marketing, Software Infrastructure, Sun Microsystems. "Support for
XACML allows our customers to share access control policies across
corporate boundaries and offers more dynamic standards-based tools for
creating federated mashups. As a result, our customers can continue to
expand their business reach while using open standards to enforce
security decisions and minimize security risk."