This article can also be found in the Premium Editorial Download "Information Security magazine: Nine tips to guarding your intellectual property."
Gears Don't Mesh
Where access control needs to become more granular, access control products need to become more flexible, less proprietary and more standardized.
But there's still a lot of work to do, because products that work at the enterprise identity management and access control level are, for the most part, proprietary. This means that implementation is expensive because of the customized programming required to integrate the necessary components, such as the HR database, access control enforcer, identity stores, databases, directories and workflow. It would also mean a forklift replacement if a company decides to change products. (Some companies have decided to develop in-house, customized and stove-piped access control solutions. This usually amounts to a never-ending, expensive software development project.)
We should learn from the bind that companies got themselves into when implementing proprietary electronic data interchange (EDI) solutions. Implementation, upgrading and maintenance are all extremely expensive under this approach, and extending functionality or flexibility is cost-prohibitive.
Experience has taught us the benefits of a standard framework that allows for loose coupling of modular components that communicate using standardized protocols and provide standardized APIs.
While some access control products are moving toward the use of standards such as SOAP, XACML, SAML and Web services, as customers, we need to understand
This was first published in May 2007