At JPMorgan Chase, application security and semantic web technology are teaming up. David C. Laurance, who works in the former area at the financial services giant, is pursuing an initiative with semantic technology vendor Clark & Parsia, and its CTO Evren Sirin, that’s focused on authorization policy management. The primary goal is to ensure that a given access control policy – enabled by the XACML (eXtensible Access Control Markup Language) Oasis standard that provides a high-level XML-based language to describe access control policies for distributed resources – covers the actual business requirements for the application it protects.
It’s critical in the financial sector, with its trove of customer records and accounts and its requirements to separate duties around actions such as placing and settling trades, to have robust access control capabilities in place. Other verticals – think of health care and its rules and regulations around patient privacy – also take advantage of the XACML standard to describe control policies, to say in a declarative way which kinds of subjects can perform what kinds of actions on which resources.
But XACML on its own doesn’t catch those things that might be wrong in a policy – the door may be left open to contradictory permissions because of the combination of different user characteristics embedded in a policy, for example.
“This is a matter of what kind of analysis do I have to do for critical policies to make sure that they’re right,” Laurance explains. “When you have two different permissions, that’s where you can get into mischief.” That mischief might be the purposeful actions of a rogue trader out to defraud a bank, or it might be the accidental result of not ensuring that the right oversight and authorizations are maintained. Either way, it’s a potential problem.