Directories Learn Sharing Is Good

As e-businesses use directory technology to give parners access to its systems, authorization -- the assigning of user privileges and rights -- becomes vital.

Authorization is impossible without sharing of entitlement information. The problem is simple: There is no standard approach for partners' access management systems to do such sharing.

That could change. Netegrity and Securant plan to submit separate specifications based on the Extensible Markup Language (XML) to standards bodies such as the World Wide Web Consortium (W3) and the Internet Engineering Task Force (IETF). Netegrity will be promoting XML-based middleware software for user authorization while Securant will push its AuthXML specification.

"A set of rules and methods -- or schema -- based on XML would enable an online stock trading firm, for example, to seamlessly share user privilege information with a partnering financial services firm that offers 401K investments, even if the companies use different server and access control systems," said Eric Olden, Securant's chief technology officer.

But not all vendors are endorsing XML as a common platform to maintain consistent security policies across different access management systems, however, and some of the naysayers are big names. Hewlett-Packard is looking to support both XML and Java. Tivoli, an IBM company, is supporting the Open Group's AznAPI authorization API.

"While there is some benefit to standardize around XML templates for seamless data exchange, JAVA 2 Enterprise Edition may be better suited to secure transactions from the browser to the back end systems," said HP's Tony Wong, manager of R&D for DomainGuard, the company's authorization product.

Java 2 Enterprise Edition contains security modules that let developers write policies into applications, Wong said. Authorization systems that support Java would then be able to exchange data seamlessly. "We're looking at both XML and Java," Wong said. "The question is do you enable authorization in an object [within an application] or with XML templates [performing] message passing?" Wong asked.

Tivoli also will support XML where it is practical for customers, said Bob Kalka, a product line manager for the Tivoli SecureWay unit. Kalka said that AznAPI supports both Web and legacy systems while products from Netegrity and Securant are Web-only solutions.

AznAPI can plug into the SecureWay Policy Director to determine authorization rights for a messaging application such as IBM's MQSeries, without requiring code rewrites, he noted.

"If other vendors adopt the AznAPI, entitlement information can be seamlessly exchanged," Kalka said. "But so far Tivoli appears to be the only vendor to implement the API in a product," said Burton Group analyst Phil Schacter.

While vendor-specific deployment of XML-based systems will give users some added value, user would prefer suppliers to work together on a standard.

The vendors are "headed in the right direction with XML," said Mike Hager, vice president of security at Oppenheimer Funds. Currently, if Oppenheimer is doing business with a partner it will connect through an extranet and give the partnering bank its authorization model he noted.

But with the emergence of e-marketplaces, which could links hundreds of partners, a more standardized way of exchanging user profile information is needed, Schacter noted.