Jon’s Radio Comments

November 17, 2006

A conversation with Rajiv Gupta about fine-grained access control

Filed under: Uncategorized — jonsradiocomments @ 11:21 pm

The original item is here.



  1. I had a startup in the late 90s that did what Securent is doing, plus dynamic programmable security policies and a slew of other technologies that provided fine grained, policy-oriented control of information. Unfortunately the startup disappeared as collateral damage from the dot com implosion.

    I do think the market “gets it” more now than it did in 1998 through 2002. Back then explaining fine grained control on data (or information, more accurately) was something foreign. But I feel it’s probably still an uphill battle. There’s an understanding in the security community that “it’s the information, stupid” but it’ll still take two to five years until everyone “gets it”. Everyone is still depending on their perimeter for protection. As security officers start to collapse the perimeter around their data, fine-grained controls will come into vogue.

    The biggest problem is actually ensuring the rules/policies applied to the information/data are more flexible than what XACML can offer. Access control lists are all well and good, but the problem lies in the cooperation between companies, agencies, and government bodies. They don’t have the same view on how information should be protected. This leads to conflicting policies at a higher, more abstract level. We ended up creating a complete policy language to handle the vagaries associated with these interactions — the trust associations can become hideously complex.

    I wish Rajiv Gupta luck. I, however, will stick to IT security research.

    Comment by Eugen Bacic — November 19, 2006 @ 12:53 am | Reply

  2. As the co-chair of the XACML Technical Committee at OASIS, I am intrigued by Eugen Bacic’s assertion that rules/policies are required that have more flexibility than XACML can offer. The committee would be eager to hear what those use cases are.

    XACML has been designed to allow the creation of policies which take into account virtually every sort of information which is available at access decision time. We have seen XACML applied to a wide variety of access control problems without difficulty.

    I do agree with his comments on market uptake. However there are organizations like the Jericho Forum who are committed to deperimeterization.

    I also agree that when policies get too complex, people can no longer manage them.

    Comment by Hal Lockhart — November 22, 2006 @ 8:06 pm | Reply
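The two comments above turn on the same model: an access decision that can use any attribute available at decision time (subject, resource, action, environment), and policies written by different organizations that may conflict and so need a combining algorithm to resolve them. The following is an added illustration of that model, not code from this blog, from Securent, or from the OASIS XACML specification; it is a simplified attribute-based evaluator with invented policy and request data (the "agency-a" and "partner-b" policies, the clearance levels and the business-hours rule are all constructed sample values).

```python
"""Simplified attribute-based access control (ABAC) evaluator.

Added example, not XACML itself: it models the idea that a decision may
consult any subject, resource, action or environment attribute, and that
policies from different organizations can conflict, so a combining
algorithm (deny-overrides or permit-overrides) must settle the result.
All policies, clearance levels and requests below are constructed samples.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Attributes = Dict[str, object]

# Constructed ordering of classification labels (sample values).
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class Request:
    subject: Attributes
    resource: Attributes
    action: str
    environment: Attributes


@dataclass
class Rule:
    name: str
    effect: str                         # "Permit" or "Deny"
    condition: Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    rules: List[Rule]


def evaluate_rule(rule: Rule, req: Request) -> str:
    """A rule yields its effect when its condition holds; a missing attribute
    makes the rule NotApplicable rather than raising or silently permitting."""
    try:
        applies = rule.condition(req)
    except KeyError:
        return "NotApplicable"
    return rule.effect if applies else "NotApplicable"


def combine(decisions: List[str], algorithm: str) -> str:
    """Resolve a list of Permit/Deny/NotApplicable decisions."""
    if algorithm == "deny-overrides":
        if "Deny" in decisions:
            return "Deny"
        return "Permit" if "Permit" in decisions else "NotApplicable"
    if algorithm == "permit-overrides":
        if "Permit" in decisions:
            return "Permit"
        return "Deny" if "Deny" in decisions else "NotApplicable"
    raise ValueError(f"unknown combining algorithm: {algorithm}")


def evaluate_policy(policy: Policy, req: Request, algorithm: str) -> str:
    return combine([evaluate_rule(r, req) for r in policy.rules], algorithm)


def decide(policies: List[Policy], req: Request,
           algorithm: str = "deny-overrides") -> str:
    """Policy-set decision: combine each policy's own decision the same way."""
    return combine([evaluate_policy(p, req, algorithm) for p in policies],
                   algorithm)


# Constructed policy from "agency-a": clearance must dominate classification
# for reads; nothing non-public may be exported.
AGENCY_A = Policy("agency-a", [
    Rule("clearance-dominates", "Permit", lambda r: r.action == "read"
         and LEVELS[r.subject["clearance"]] >= LEVELS[r.resource["classification"]]),
    Rule("no-export-of-non-public", "Deny", lambda r: r.action == "export"
         and r.resource["classification"] != "public"),
])

# Constructed policy from "partner-b": partner-restricted records are off
# limits outside 09:00-17:00, whatever the requester's clearance.
PARTNER_B = Policy("partner-b", [
    Rule("restricted-business-hours", "Deny",
         lambda r: "partner-restricted" in r.resource["tags"]
         and not 9 <= r.environment["hour"] < 17),
])

POLICIES = [AGENCY_A, PARTNER_B]

# Constructed sample requests.
RECORD = {"classification": "internal", "tags": ["partner-restricted"]}
READ_IN_HOURS = Request({"clearance": "secret"}, RECORD, "read", {"hour": 14})
READ_AT_NIGHT = Request({"clearance": "secret"}, RECORD, "read", {"hour": 22})
NO_CLEARANCE = Request({"role": "guest"}, RECORD, "read", {"hour": 14})

if __name__ == "__main__":
    for name, req in [("in hours", READ_IN_HOURS), ("at night", READ_AT_NIGHT),
                      ("no clearance attribute", NO_CLEARANCE)]:
        print(f"{name}: deny-overrides={decide(POLICIES, req)}, "
              f"permit-overrides={decide(POLICIES, req, 'permit-overrides')}")
```

The night-time request is the interesting one: agency-a permits it and partner-b denies it, so the answer depends entirely on which combining algorithm the policy set declares. That is the "conflicting policies at a higher, more abstract level" from the first comment, and the place where two organizations have to agree before their policies can be composed at all. The request with no clearance attribute shows the safer default: a rule that cannot evaluate its condition contributes nothing rather than a Permit.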
