The Authorization Challenge

Making Access Control Interoperable

When security architectures or access control protocols are incompatible, authenticating users and authorizing them to access or exchange information across those systems presents a challenge. For example, one system may use a security standard or protocol different from that of another, so the two may not be readily interoperable or able to enforce a common access control policy. This creates systemic challenges whenever an access request for data must be authorized and enforced by different security architectures, or across security systems that use different access control protocols, whether in the healthcare, financial or intelligence domains.

When two separate security architectures exist, implementing access control policies requires the ability to consume requests to access resources and to enforce policies that comply with the governing trust framework. A solution is needed to support security interoperability, for example within a single security domain that uses both SAML/XACML and REST/OAuth, among other protocols.

Automating Authorization Decisions

Further, organizations largely rely on the thoroughness of security administrators to grant users access to information. Recent technology allows these decisions to be expressed as electronic policy rules, but enforcing them this way requires significant changes to existing products. It is not currently possible to make automated or semi-automated (computable) authorization decisions that are enforced through existing product mechanisms, namely access control lists (ACLs) or access tokens.

These and other problems create a need for a solution that automates access control decisions, provides interoperability between incompatible security architectures or access control protocols, and integrates the enforcement of access control policies across them.
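The two problems described above, a single domain receiving access requests over both SAML/XACML and REST/OAuth, and computable policy decisions that still have to be enforced through ACLs or access tokens, are illustrated by the following added example. It is not code from the original page or from any product it describes. It normalises a SAML attribute statement and an OAuth 2.0 claim set into one XACML-style request, evaluates a small deny-overrides policy, and renders the decision both as an ACL entry and as a scoped token claim set. The attribute and claim names (role, o, roles, scope), the policy rules, the organisation names and the sample inputs are all constructed assumptions, and the adapters assume that assertion and token signatures were verified upstream.

```python
"""Added example (not from the original page): one policy decision point that
consumes SAML-style and OAuth-style requests, evaluates an XACML-style policy,
and renders the decision for ACL-based and token-based enforcement points.
Attribute/claim names, policy rules and sample inputs are constructed assumptions;
authentication (assertion/token signature checks) is assumed to happen upstream."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class AccessRequest:
    """Protocol-neutral request in XACML's vocabulary: subject, resource, action, environment."""
    subject_id: str
    entitlements: FrozenSet[str]   # roles (SAML) or roles + scopes (OAuth), one normalised bag
    org: str
    resource: str
    action: str
    environment: Dict[str, str] = field(default_factory=dict)


def from_saml_attributes(name_id: str, attrs: Dict[str, List[str]],
                         resource: str, action: str) -> AccessRequest:
    """Adapter for a parsed SAML AttributeStatement (attribute name -> list of values).
    Assumed attribute names: 'role' (multi-valued) and 'o' (organisation)."""
    return AccessRequest(subject_id=name_id,
                         entitlements=frozenset(attrs.get("role", [])),
                         org=(attrs.get("o") or [""])[0],
                         resource=resource, action=action,
                         environment={"protocol": "saml"})


def from_oauth_claims(claims: Dict[str, object], resource: str, action: str) -> AccessRequest:
    """Adapter for a decoded, signature-verified JWT claim set.
    Assumed claims: 'sub', 'iss' (taken as the org), 'roles' (list), 'scope' (space-separated).
    Scopes are folded into the entitlement bag so the same policy rules apply to both protocols."""
    bag = set(map(str, claims.get("roles", []))) | set(str(claims.get("scope", "")).split())
    return AccessRequest(subject_id=str(claims["sub"]), entitlements=frozenset(bag),
                         org=str(claims.get("iss", "")), resource=resource, action=action,
                         environment={"protocol": "oauth"})


# A rule is (rule id, effect, target predicate); rules never look at the originating protocol.
Rule = Tuple[str, str, Callable[[AccessRequest], bool]]
POLICY: List[Rule] = [
    ("deny-cross-org", DENY,
     lambda r: r.resource.startswith("/records/") and r.org != "hospital-a"),
    ("permit-clinician-read", PERMIT,
     lambda r: r.resource.startswith("/records/") and r.action == "read"
     and "clinician" in r.entitlements),
    ("permit-admin-read-write", PERMIT,
     lambda r: r.resource.startswith("/records/") and r.action in ("read", "write")
     and "records-admin" in r.entitlements),
]


def decide(request: AccessRequest, policy: List[Rule] = POLICY) -> Tuple[str, List[str]]:
    """XACML deny-overrides combining: any applicable Deny wins, else any Permit,
    else NotApplicable. Returns the decision and the ids of the rules that produced it."""
    matched = [(rid, effect) for rid, effect, target in policy if target(request)]
    for wanted in (DENY, PERMIT):
        hits = [rid for rid, effect in matched if effect == wanted]
        if hits:
            return wanted, hits
    return NOT_APPLICABLE, []


def to_acl_entry(request: AccessRequest, decision: str) -> str:
    """Render the decision for an ACL-based enforcement point as
    '<resource> user:<subject>:<perm>'. Anything other than Permit yields no
    permission, so NotApplicable is fail-closed."""
    perm = {"read": "r", "write": "w"}.get(request.action, "-") if decision == PERMIT else "-"
    return f"{request.resource} user:{request.subject_id}:{perm}"


def to_token_claims(request: AccessRequest, decision: str, now: int, ttl: int = 300) -> Dict[str, object]:
    """Render the decision for a token-based enforcement point as a short-lived,
    narrowly scoped claim set (to be signed by the issuer). Non-Permit carries no scope."""
    scope = f"{request.action}:{request.resource}" if decision == PERMIT else ""
    return {"sub": request.subject_id, "scope": scope, "iat": now, "exp": now + ttl}


def acl_allows(acl_entry: str, subject_id: str, action: str) -> bool:
    """What a legacy ACL enforcement point does with the rendered entry."""
    _resource, _, spec = acl_entry.partition(" ")
    kind, name, perm = spec.split(":", 2)
    wanted = {"read": "r", "write": "w"}.get(action)
    return kind == "user" and name == subject_id and wanted is not None and wanted in perm


# Constructed sample inputs, not captured from any real identity provider.
SAML_CLINICIAN = ("alice", {"role": ["clinician"], "o": ["hospital-a"]})
OAUTH_PARTNER = {"sub": "svc-billing", "iss": "hospital-b", "roles": ["records-admin"],
                 "scope": "records:read"}

if __name__ == "__main__":
    for req in (from_saml_attributes(*SAML_CLINICIAN, "/records/123", "read"),
                from_saml_attributes(*SAML_CLINICIAN, "/records/123", "write"),
                from_oauth_claims(OAUTH_PARTNER, "/records/123", "read")):
        decision, rules = decide(req)
        print(req.environment["protocol"], req.subject_id, req.action, "->", decision, rules)
        print("  ACL:", to_acl_entry(req, decision), "| token:", to_token_claims(req, decision, now=0))
```

The design point is that the policy rules see only the normalised AccessRequest, so a SAML clinician and an OAuth service account are judged by the same rules, and the decision is then translated into whatever the enforcement point already understands. The partner's records-admin role does not help it: the deny rule on organisation wins under deny-overrides, and both the ACL entry and the token come out with no rights. A NotApplicable result (a clinician trying to write) is deliberately rendered as no permission rather than left to the enforcement point to interpret.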