XML and Web Services In The News - 29 November 2006
Provided by OASIS
Edited by Robin Cover
This issue of XML Daily Newslink is sponsored by IBM Corporation
HEADLINES:
Oracle Announces Identity Governance Framework (IGF)
Darryl K. Taft, eWEEK
In cooperation with CA, Layer 7 Technologies, Novell, Ping Identity,
Securent, and Sun Microsystems, Oracle has announced the formation of
an initiative to help organizations better govern and protect sensitive
identity-related employee, customer and partner information as it flows
across heterogeneous applications. The new Identity Governance Framework
(IGF) is an open initiative to address governance of identity related
information across enterprise IT systems. This initiative includes key
initial draft specifications contributed by Oracle to the community.
These specifications provide a common framework for defining usage
policies, attribute requirements, and developer APIs pertaining to the
use of identity related information. These enable businesses to ensure
full documentation, control, and auditing regarding the use, storage,
and propagation of identity-related data across systems and applications.
Sensitive identity-related data such as addresses, social security
numbers, bank account numbers and employment details are increasingly
the target of legal, regulatory and enterprise policy; examples include
the European Data Protection Initiative, Sarbanes-Oxley, and
Gramm-Leach-Bliley. Two initial draft publications include markup
language specifications for CARML and AAPML.
Client Attribute Requirements Markup Language (CARML) is a specification
that allows applications to define their attribute requirements as they
relate to identity. CARML can be used to automate configuration of
identity attribute services and to expose the set of identity-related
data consumed by a specific application or group of applications.
Attribute Authority Policy Markup Language (AAPML) is an XACML profile
designed to allow attribute authorities to specify conditions under
which information under their management may be used (and possibly
modified) by other applications.
See also: the Identity Governance Framework
Oracle Launches Identity Governance Project
Paul F. Roberts
The Identity Governance Framework is an [Oracle-led] initiative to
develop specifications for sharing identity data across heterogeneous
applications. The project has the support of identity and access
management (IAM) vendors Ping Identity, Sun Microsystems and Securent,
as well as CA and Novell. The framework will eventually be turned
over to a standards-setting body, according to Amit Jasuja, vice
president of product development for Oracle's security and identity
management products. The Identity Governance Framework (IGF) grew out
of Oracle's efforts to integrate identity and access management
technology it acquired from Thor Technologies, OctetString and other
companies. Problems such as lost data on laptops and identity theft
point to the need for overarching standards that govern all the
sensitive data squirreled away in data repositories across an
enterprise, such as human resources, customer relationship management
and custom-built internal applications. Oracle estimates that between
60 and 80 percent of sensitive data reside in these kinds of
repositories, rather than in better protected enterprise databases.
IGF addresses that problem by establishing a governance model that
allows organizations to create "contracts" between applications and
repositories of identity data. The model would cover how data flows
within an enterprise and outside the enterprise to supply chain or
business partners. Open source and standards groups, including
Eclipse.org and OASIS, are also working on the problem of federating
identity information, but OASIS' SPML (Service Provisioning Markup
Language) and Eclipse's Higgins Trust Framework are more about
creating consistent user identities that work between systems, rather
than managing sensitive data, he said. "Nobody's asking whether I can
propagate a social security number outside my country boundary and put
it into system somewhere else," he said. Still, Oracle believes that
IGF properly belongs under the umbrella of some standards setting
organization, [Amit Jasuja] said. The company plans to reach a deal
to hand off its API, as well as AAPML and CARML work to such a group
within the next 90 days or so. Jasuja wouldn't say which group Oracle
was considering, but he acknowledged that a top concern is the speed
with which the group can shepherd the IGF specifications through to
standards.
Shielding Web Services From Attack
Dan Goodin, InfoWorld
Web services are almost irresistible. Every popular IDE makes them
easy to build — to unlock the data and business logic in legacy
systems, to provision common functions that can be shared across
multiple platforms, or to provide partner organizations direct access
to information or applications. And by their nature, Web services
helpfully describe themselves, allowing one system to find and
interact with another with little or no human intervention. Yet the
very virtues that make Web services compelling — their use of trusted
ports and protocols, their ease in exposing back-end systems, their
eagerness to describe exactly what services are offered and how to get
at them, and their use of multiple intermediaries — also make them a
potential windfall for criminals crossing an enterprise's perimeter.
A high percentage of Web services interact with databases. SOAP and XML
make it easy to disguise malicious payloads, opening new avenues for
buffer-overflow attacks, SQL-injection exploits, and other misdeeds
targeting an enterprise's most vital systems. Compounding matters,
some of the machines exposed using Web services are legacy systems —
old Windows NT boxes, for example — that are much more susceptible to
attack than newer systems. Meanwhile, new classes of exploits
targeting Web services have been developed. They include SOAP array
overflows, a new variation on buffer-overflow intrusions in which an
attacker sends an XML request with an array length that exceeds what
has been specified. Like conventional buffer overflows and SQL
injections, SOAP array attacks are among the most serious because they
can expose confidential data or allow code execution on an
organization's back end. Other common Web service exploits include XML
parser attacks, in which an infinite string leads to a denial of
service, and XML external entity attacks, in which a request points
to an invalid file, resulting in an error that may cause the Web
service to give out information it shouldn't disclose.
Entitlement Management Solution (EMS) Uses OASIS XACML Standard
Staff, Securent Announcement
Securent has announced the industry's "first standards-based product"
to solve the pain of Entitlement Management by providing the ability
to manage, enforce, review and audit policies for context-dependent
access to resources across the IT stack (portals, applications, data,
and networks). Securent's Entitlement Management Solution (EMS) has
already achieved early industry acceptance by analysts and customers,
and has been selected by multiple Fortune 500 companies including
QUALCOMM and Credit Suisse. By delivering its technology as a solution
compliant with XACML (Extensible Access Control Markup Language),
Securent is setting the standard in Entitlement Management and fast
becoming the product of choice for securing mission-critical
environments. Entitlement Management is a new, distinct category
within the overall Identity and Access Management market, which to
date has focused on addressing the need to determine "who" is making
a request. However, this class of products has not yet addressed the
second half of the security problem, namely, determining and enforcing
"whether" the person or application is entitled to access the
particular request. Since enterprises are commonly required to provide
differentiated levels of access, developers and IT departments have
had little choice but to address the need for context-dependent or
fine-grained access control by custom coding security policies into
each individual application, data source, and communication channel.
Given the heightened security requirements of today's distributed
enterprise, entitlements are becoming a fundamental component of most
corporate security initiatives. For example, entitlements control
access to sensitive information by ensuring that not every employee
is allowed to access every financial report and every employee
record. Entitlements are also critical in regulated environments where
organizations are required by law to ensure that requesters of a
transaction should not be allowed to also approve the transaction,
and that analysts should not be allowed to communicate with brokers.
StAX'ing up XML, Part 1: An Introduction to Streaming API for XML (StAX)
Peter Nehrer, IBM developerWorks
Since its inception, the Java API for XML Processing (JAXP) has provided two
methods for processing XML — the Document Object Model (DOM) method,
which uses a standard object model to represent XML documents, and the
Simple API for XML (SAX) method, which uses application-supplied event
handlers to process XML. A streaming alternative to these approaches was
proposed in JSR-173: Streaming API for XML (StAX). Its final release was
published in March 2004 and it became part of JAXP 1.4, to be included
in the upcoming Java 6 release. As its name reveals, StAX places emphasis
on streaming. In fact, what distinguishes StAX from other approaches is
the application's ability to process XML as a stream of events. The idea
of handling XML as a set of events is not entirely new (in fact, it is
already present in SAX); however, the difference is that StAX allows
the application code to pull these events one after another, rather
than having to provide a handler that receives events from the parser
at the parser's convenience. StAX actually consists of two sets of XML
processing APIs, each providing a different level of abstraction. The
cursor-based API allows the application to work with XML as a stream of
tokens (or events); the application can examine the parser's state and
obtain information about the last parsed token, then advance to the next
token, and so on. This is a rather low-level API; while highly
efficient, it does not provide an abstraction of the underlying XML
structure. The higher-level iterator-based API allows the application
to process XML as a series of event objects, each of which communicates
a piece of the XML structure to the application. All the application
needs to do is determine the type of the parsed event, cast it to the
corresponding concrete type, and use its methods to get information
pertaining to the event.
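The following is an added example (the editor's, not code from the InfoWorld or developerWorks articles) that joins the two pieces: it uses the StAX cursor API described above to read one SOAP-encoded array and, in the same pass, applies the checks the "Shielding Web Services From Attack" item motivates: DTDs and external entities are not processed (the XML external entity avenue), a SOAP-ENC:arrayType that is malformed, above a cap, or smaller than the actual number of items is refused (the SOAP array overflow avenue), and a text run longer than a cap is refused before it is buffered (the unbounded-string denial of service). The class name, the two limits and the single-dimension arrayType rule are assumptions, not anything either article specifies.

```java
import java.io.StringReader;
import javax.xml.stream.*;
/* Added example, not code from either article: a StAX cursor-API reader that
 * enforces its limits while streaming, before the document is ever buffered. */
public class GuardedSoapReader {
    static final String SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/";
    static final int MAX_ARRAY_ITEMS = 1000;  // assumed policy cap on a declared array length
    static final int MAX_TEXT_CHARS = 65536;  // assumed policy cap on one text run
    /** Streams one SOAP-encoded array and returns the number of items actually present. */
    public static int readArray(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);                      // DTD and its entities are not processed
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);  // no file/URL reads via external entities
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        int depth = 0, arrayDepth = -1, declared = -1, seen = 0, textRun = 0;
        while (r.hasNext()) {
            int ev = r.next();                             // cursor API: pull the next token
            if (ev != XMLStreamConstants.CHARACTERS) textRun = 0;
            switch (ev) {
            case XMLStreamConstants.START_ELEMENT: {
                depth++;
                String at = r.getAttributeValue(SOAP_ENC, "arrayType");  // e.g. "xsd:int[3]"
                if (at != null) {                          // the array element itself
                    declared = declaredLength(at);
                    arrayDepth = depth;
                } else if (depth == arrayDepth + 1 && ++seen > declared) {  // one item too many
                    throw new XMLStreamException("array holds more items than the declared " + declared);
                }
                break;
            }
            case XMLStreamConstants.END_ELEMENT: depth--; break;
            case XMLStreamConstants.CHARACTERS:
                textRun += r.getTextLength();              // chunks of one run are summed, never coalesced
                if (textRun > MAX_TEXT_CHARS) throw new XMLStreamException("text run exceeds " + MAX_TEXT_CHARS);
                break;
            }
        }
        return seen;
    }
    /** Accepts one bounded, non-negative dimension; "[]", "[2,3]" or junk is refused (assumed rule). */
    static int declaredLength(String arrayType) throws XMLStreamException {
        try {
            int n = Integer.parseInt(arrayType.substring(arrayType.indexOf('[') + 1, arrayType.indexOf(']')));
            if (n >= 0 && n <= MAX_ARRAY_ITEMS) return n;
        } catch (RuntimeException e) { /* malformed dimension: fall through to rejection */ }
        throw new XMLStreamException("rejected SOAP-ENC:arrayType \"" + arrayType + "\"");
    }
}
```

Because the reader pulls one token at a time, each rejection happens at the offending token and nothing beyond it is read, which is what makes the pull model a better fit for these checks than building a DOM first.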
See also: XML Pull Parsing
Corel to Support Microsoft Office, ODF Formats
Martin LaMonica, CNET News.com
Corel, the maker of the WordPerfect word processor, said that it intends
to support Microsoft's latest Office document formats and its rival,
OpenDocument. The company intends to add both formats to its WordPerfect
Office suite in the middle of next year. On Thursday, Microsoft is set
to release Office 2007 to businesses, an upgrade of its productivity
suite that introduces an XML-based file format called Office Open XML.
Because so many more documents will be created in that format, Corel
has decided to make opening and editing those document types an option
in the WordPerfect word processor as well as in the company's
presentation application and Quattro Pro spreadsheet, said Richard
Carriere, general manager of office productivity for Corel. In addition,
Corel in the middle of next year will allow people to open and view
word processor documents stored in the OpenDocument format, or ODF.
The decision to support ODF is based on demand, notably from government
customers, Carriere said. Corel has 11 million active users worldwide
with the majority of them in North America, he said. Carriere said that
Corel's decision to adopt ODF contrasts with that of other ODF backers.
In ODF standards meetings, it is clear that Microsoft rivals are backing
the format in an attempt to unseat Microsoft's desktop hegemony.
Carriere said that Corel expects to ultimately support the ODF
spreadsheet and presentation formats if there is customer demand.
See also: eWEEK
XML.org is an OASIS Information Channel
sponsored by BEA Systems, Inc., IBM Corporation, Innodata Isogen, SAP AG and Sun
Microsystems, Inc.
Use http://www.oasis-open.org/mlmanage
to unsubscribe or change an email address. See http://xml.org/xml/news_market.shtml
for the list archives.