There’s a little bit of a kerfuffle going on in XACML-land. A non-Gartner analyst made the claim that XACML is dead. Such a claim doesn’t go unnoticed; so Gerry, Anil, Danny, and Remon have all responded that no, XACML isn’t dead. It is not pining for the fjords. It isn’t even zombified.
Anyone can declare a protocol dead. Last year it was SAML. This year, apparently, it’s XACML. Now as someone who killed off the entire IAM industry, I think I’m in a position to comment about this.
It’s easy to say X is dead. SAML, SPML, DSML – doesn’t matter – you declare it dead, write your blog post, and call it a day. But what’s hard to do, and what is necessary to do, is, if you kill something off, you have to offer an alternative. In the case of IAM, I believe we are seeing the hazy outline of what it will become reborn as start to emerge: something more nimble, developer-friendly, and more indistinguishable from business services. In the case of XAMCL, no alternative was provided.
Just a few things to keep in perspective when thinking about XACML. First, separate externalized authorization management (EAM) from XACML. Enterprises have been doing EAM for decades. The pattern of using something like RACF as a decision-as-a-service facility is a well established practice. Although enterprises may not be using XACML, they are doing EAM and that will only continue.
Second, EAM vendors recognize that they need to increase the number of places where they can provide authorization enforcement. To this end, we see more out-of-the-box PEPs than ever. More importantly, we see EAM vendors team with federation and WAM vendors to offer the rich policy capabilities of XACML paired with traditional, already deployed, enforcement points. That is a huge deal. In fact, my colleague Gregg, predicts that by 2016 80% of fine-grained access control requirements will be met in this manner.
Third, XACML as a system-neutral policy language is an important concept. The ability to translate XACML into local policy languages and thus enable applications that aren’t EAM-aware is key to EAM and XACML’s future. We are seeing this begin to happen in more meaningful ways – such as some vendors’ abilities to translate XACML into SDDL for Windows Dynamic Access Control.
Finally, the standards community has been active too – work on JSON bindings for XACML as well as RESTful bindings will further XACML’s adoption. In addition to this, the OpenAZ project continues to move forward providing a vendor-independent PEP API that anyone can use.
Speaking of standards. Come to Catalyst this year. Hear representatives of the standards themselves why they are relevant and how they can be best put to use doing real work. I’ve arranges a standards smackdown. Come here some industry luminaries represent popular identity standards:
- SAML – represented by Pat Patterson
- OAuth – represented by Paul Madsen
- SCIM – represented by Kelly Grizzle
- XACML – represented by David Brossard
- OpenID Connect – represented by Pam Dingle
Also, I’ll be picking up the ‘Killing IAM’ theme and talking about more about how we as an industry move IAM into the modern era. See you in San Diego.