Securitys Language

The fax that I found in my machine's output tray included all the details needed to confirm the credit card transaction.

The fax that I found in my machines output tray included all the details needed to confirm the credit card transaction: name, address, card number and expiration date. The only problem was that none of that information was any of my business.

It turned out that a vendors sales representative had accidentally combined the first three digits of a customers voice phone number with the last four digits of that same customers fax line and wound up with the number of my fax machine. I called the intended fax recipient, and we figured out what had happened—but the episode left me thinking about the imbalance between our growing ability to send our data anywhere and the problem of controlling where it goes.

The problem is bad enough with a misdirected fax, which typically goes to just one person who isnt intended to see it. Things are much worse with e-mail, when a simple input error, such as accidentally clicking "Reply All," can incorrectly send a message to every employee of a worldwide enterprise. Companies such as AirZip are attacking the latter problem with products like AirZip Document Secure, which retains control of privileges such as forwarding, printing and saving of e-mail after its sent (see more at

At least our fax and e-mail errors have the saving grace of having human judgment in the loop. If I get an e-mail telling me there are brownies in the break room, and the break rooms three time zones away, its really not a problem. Even if a hundred thousand people have to click "delete" one extra time or if someone gets embarrassed because an inappropriate message is too widely read, thats a price most of us are willing to pay for convenience.

What happens, though, when messages are passing among devices or software processes? If theres one thing that computers do well, its to make the same mistake uncountable times at inhuman speed. And Web services emphasize application-to-application communication; the essence of the future Internet is transparent connectivity among devices that discover one anothers presence and engage one anothers services without a users aid or opportunity to intervene.

How do we propose to prevent our mindless robots from carelessly talking to strangers? Like children whove been taught to be helpful to people in need, our systems can be too nice. Vendors have been driven, its been observed, "to develop products with very generalized functionality so that they can be used in the widest possible range of situations." Those words come from the February announcement of OASIS Open Standard ratification of XACML (Extensible Access Control Markup Language). The announcement warns that "Out of the box, these products have the maximum possible privilege for accessing data and executing software." We can all cite examples of that syndrome.

The result, continues that announcement, is that "the security policy of a large enterprise has many elements and many points of enforcement. ... The current practice is to manage the configuration of each point of enforcement independently in order to implement the security policy as accurately as possible. Consequently, it is an expensive and unreliable proposition to modify the security policy. And, it is virtually impossible to obtain a consolidated view of the safeguards in effect throughout the enterprise."

That about sums it up, and thats why theres a need for a unified language that describes security policies in a uniform manner.

With a language such as XACML, it becomes possible to combine, algorithmically, all the policies that affect a particular request into a consolidated policy statement that controls the requested interactions. Policy writers can be appropriately isolated from details of implementation; actions involved in approving an interaction can be clearly identified and can be executed at minimum cost.

Im certainly not saying that XACML is all we need, any more than a standard nomenclature for paint colors will guarantee color-coordinated rooms. XACML does give us a tool for making our mistakes more obvious and for making it easier for tested algorithms to do more—so people can focus on defining the problems to be solved.