OASIS Members Demonstrate Interoperability of XACML Access Control Standard in HITSP Health Care Scenario

Axiomatics, BEA, Cisco, IBM, Oracle, Red Hat, Sun Microsystems, the U.S. Department of Veterans Affairs, and Others Collaborate at RSA 2008

San Francisco, CA, USA; 7 April 2008 — At the RSA Conference today, members of the OASIS open standards consortium, in cooperation with the Health Information Technologies Standards Panel (HITSP), demonstrated interoperability of the eXtensible Access Control Markup Language (XACML) version 2.0. Simulating a real-world scenario provided by the U.S. Department of Veterans Affairs, the demo showed how XACML ensures successful authorization decision requests and the exchange of authorization policies.

"XACML is widely regarded as the standard for solving complex access control problems in the enterprise," noted James Bryce Clark, director of standards development at OASIS. "Today's demo shows that XACML can play a key role in health care. By successfully enforcing fine-grained access control decisions to protected health information, XACML meets HITSP's requirements for security and privacy."

"We're pleased to work with OASIS on addressing the very sensitive issues related to the access of patient information," said John (Mike) Davis, standards architect with the VHA Office of Information in the Department of Veterans Affairs, and a member of the HITSP Security, Privacy and Infrastructure Technical Committee. "XACML helps ensure that patients, physicians, hospitals, public health agencies and other authorized users share critical information appropriately and securely."

The XACML Interop at the RSA 2008 conference utilizes requirements from Health Level Seven (HL7), ASTM International, and the American National Standards Institute (ANSI). The demo features role-based access control (RBAC), privacy protections, structured and functional roles, consent codes, emergency overrides and filtering of sensitive data. Vendors show how XACML obligations can provide capabilities in the policy decision-making process. The use of XACML obligations and of identity providers using the Security Assertion Markup Language (SAML) is also highlighted.

XACML Interop Participants:

Axiomatics
"The XACML Interop demonstrates the power, speed, and flexibility which XACML delivers to application developers and IT users. XACML is the technology which will deliver efficient and future-proof authorization management for the service oriented world," said Erik Rissanen, CTO, Axiomatics AB.

BEA
"The XACML Interop at the RSA conference illustrates BEA's continuing commitment to the latest version of the XACML standard in AquaLogic Enterprise Security. Centralized access control policy that uses a standards-based framework is critically important to the success of SOA initiatives," said Geoff Charron, VP & Unit Executive.

Cisco
"As a company that believes in open standards, Cisco is pleased to participate in the XACML Interop at RSA and excited by the increasing adoption of XACML across all segments of the industry," said Rajiv Gupta, vice president, policy management business unit, Cisco. "The Cisco Enterprise Policy Manager—formerly Securent Entitlement Management Solution—was one of the first commercial products to support XACML, and we remain committed to the standard."

IBM
"This Interop session supports IBM's approach to interoperability, in that significant customer value is possible when industry leaders work together. OASIS and these vendors that support XACML are moving towards improved levels of interoperability through our collaboration as demonstrated this week with the health care industry," said Anthony Nadalin, IBM Distinguished Engineer and chief security architect for IBM Tivoli Software.

Red Hat
"XACML has proven to be a strong candidate in building complex access control infrastructures, not only in verticals such as the health care and financial industries, but also in the extension of access control for the various containers of an Enterprise Application Server such as the JBoss Application Server. Health care poses immense challenges in establishment of access control policies and enforcement. Patient privacy is an important issue that needs immediate focus, and its access control use cases have been driven by XACML in this interoperability. Emergency overrides of the privacy controls have been given prominence in this demo, along with the modeling of roles and privileges. XACML has the flexibility of extensions to solve similar complex use cases in other verticals," said Anil Saldhana, Leader and Chief Security Architect, JBoss Security and Identity Management, Red Hat Inc.

Oracle
"XACML 2.0 can provide an authorization model for complex policies required by enterprise-scale applications and administrators. Through our support of XACML and participation in the OASIS InterOp event at the RSA conference, Oracle will demonstrate key authorization concepts important to our customers. These include role-based access control and access to medical records based on patient consent," said Prateek Mishra, director, Security Standards, Oracle.

Sun
"Sun is committed to the industry's collaborative efforts to develop and promote interoperability standards that facilitate the creation of dynamic federated identity networks," said Mark Herring, vice president of marketing, Software Infrastructure, Sun Microsystems. "Support for XACML allows our customers to share access control policies across corporate boundaries and offers more dynamic standards-based tools for creating federated mashups. As a result, our customers can continue to expand their business reach while using open standards to enforce security decisions and minimize security risk."

Additional information:
XACML 2.0 OASIS Standard
http://www.oasis-open.org/specs/index.php#xacmlv2.0
OASIS XACML Technical Committee
http://www.oasis-open.org/committees/xacml/
XACML FAQ
http://www.oasis-open.org/committees/xacml/faq.php

About OASIS:
OASIS (Organization for the Advancement of Structured Information Standards) drives the development, convergence, and adoption of open standards for the global information society. A not-for-profit consortium, OASIS advances standards for SOA, security, Web services, documents, e-commerce, government and law, localisation, supply chains, XML processing, and other areas of need identified by its members. OASIS open standards offer the potential to lower cost, stimulate innovation, grow global markets, and protect the right of free choice of technology. The consortium has more than 5,000 participants representing over 600 organizations and individual members in 100 countries. http://www.oasis-open.org

Press contact:
Carol Geyer
OASIS Director of Communications
carol.geyer@oasis-open.org
+1.978.667.5115 x209 (office)
+1.941.284.0403 (mobile)