XACML is Growing Up

By Andy Han.

I have been following the blog debate over the death of XACML spurred by Andres Cser at Forrester. The conversation reminded me of a similar debate we had here at NextLabs over eight years ago. In 2004, XACML was dead. I think there was one commercial product. But the security market was starting to shift its focus from securing the network and applications to securing the data (for example, the early DLP companies were getting traction). It was clear that the model companies used to secure their data was so manual and inflexible that it would never scale to meet the demands of future regulations, mobility, cloud, and hyper-collaboration. So the big idea: “What if you could write a policy about how your information should be protected and it would be enforced universally?” An obvious good idea and a hard problem. Sign me up!

So we needed a policy language and it needed to have a couple of key characteristics:

  1. Application and Vendor Independent
    There are hundreds of products with excellent policy management, but each of them governs only a single product or vendor. Data does not stay in one application: the same records move from one application to another, and today those applications may run in your data center, in the cloud, or on any number of mobile devices. A policy that only one application can enforce therefore protects the data only while it happens to be there. It is critical that the policy be expressed in a way that is application-independent, so that every application holding the data can enforce the same decision.
  2. Attribute Based
    The number of data resources within an organization is massive (think data warehouse), it is constantly increasing (think email), and its growth is accelerating (think collaboration). Writing a policy per resource, or per resource per application, cannot keep up with that. The only scalable way to apply policy to data resources across applications is to describe the data using attributes (classification, owning department, and so on) and write the policy in terms of those attributes, so that a new resource is covered the moment it is labelled. Attribute-Based Access Control (ABAC) is an established model, and it is what makes applying policy to data tractable at this scale.
  3. A Standard
    The average large organization has thousands of applications from hundreds of vendors. To achieve the universal dimension of our vision, we needed a standards-based policy language, so that over time the market might move to a model where application vendors support the standard natively, just as happened with LDAP, and with SQL before that.
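
The three requirements above translate into surprisingly little code once the policy is written purely over attributes. The Python below is an added example written for this page; it is neither NextLabs' product code nor an XACML implementation, and every attribute name, rule, application and sample record in it is an assumption. It borrows XACML's request categories (subject, resource, action, environment) and its deny-overrides combining algorithm, but simplifies the standard's handling of missing attributes: there is no Indeterminate result, a condition that touches an absent attribute is simply treated as not matching, and the enforcement point must treat anything other than Permit as a denial. The policy is defined once; the only application-specific code is the pair of adapters that map each application's native metadata onto the shared attribute vocabulary.

```python
"""Minimal attribute-based policy decision point (PDP), modelled loosely on
XACML's request categories and its deny-overrides combining algorithm.
Added example for this page, not NextLabs or OASIS code. All attribute
names, rules, applications and sample records below are assumptions."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]


@dataclass
class Request:
    subject: Attrs
    resource: Attrs
    action: Attrs
    environment: Attrs = field(default_factory=dict)


@dataclass
class Rule:
    rule_id: str
    effect: str                         # "Permit" or "Deny"
    condition: Callable[[Request], bool]


def deny_overrides(rules: List[Rule], req: Request) -> str:
    """Any matching Deny wins; otherwise any matching Permit; otherwise
    NotApplicable. A condition that reads a missing attribute is treated as
    not matching (a simplification of XACML's Indeterminate), so a Permit
    can never fire on absent data. Callers must treat everything other than
    'Permit' as a denial (deny by default)."""
    matched = set()
    for rule in rules:
        try:
            if rule.condition(req):
                matched.add(rule.effect)
        except (KeyError, TypeError):
            continue
    if "Deny" in matched:
        return "Deny"
    if "Permit" in matched:
        return "Permit"
    return "NotApplicable"


# Hypothetical policy: written once, over attributes, independent of any application.
POLICY = [
    Rule("owner-dept-rw", "Permit",
         lambda r: r.subject["department"] == r.resource["owning_department"]
         and r.action["id"] in ("read", "write")),
    Rule("public-read", "Permit",
         lambda r: r.resource["classification"] == "public" and r.action["id"] == "read"),
    Rule("restricted-needs-clearance", "Deny",
         lambda r: r.resource["classification"] == "restricted"
         and r.subject.get("clearance") != "restricted"),
    Rule("no-download-unmanaged", "Deny",
         lambda r: r.action["id"] == "download"
         and r.resource["classification"] != "public"
         and not r.environment.get("managed_device", False)),
]


# Two hypothetical applications with different metadata shapes. The adapters are
# the only application-specific code; POLICY does not change between them.
def request_from_file_share(user: Attrs, file_meta: Attrs, op: str, managed: bool) -> Request:
    return Request(
        subject={"department": user["dept"], "clearance": user.get("clearance")},
        resource={"owning_department": file_meta["owner_dept"],
                  "classification": file_meta["label"]},
        action={"id": op},
        environment={"managed_device": managed},
    )


def request_from_mail_archive(owner: Attrs, message: Attrs, op: str, managed: bool) -> Request:
    # Assumed mail archive: sensitivity and sending department live in message headers.
    return Request(
        subject={"department": owner["department"], "clearance": owner.get("clearance")},
        resource={"owning_department": message["x-department"],
                  "classification": message["x-sensitivity"]},
        action={"id": op},
        environment={"managed_device": managed},
    )


def decide_file(user: Attrs, file_meta: Attrs, op: str, managed: bool = True) -> str:
    return deny_overrides(POLICY, request_from_file_share(user, file_meta, op, managed))


def decide_mail(owner: Attrs, message: Attrs, op: str, managed: bool = True) -> str:
    return deny_overrides(POLICY, request_from_mail_archive(owner, message, op, managed))


# Constructed sample data
ALICE = {"dept": "finance", "clearance": "restricted"}
BOB = {"dept": "sales"}
Q3_REPORT = {"owner_dept": "finance", "label": "restricted"}
NEWSLETTER = {"owner_dept": "comms", "label": "public"}
ALICE_MAILBOX = {"department": "finance", "clearance": "restricted"}
FORECAST_MAIL = {"x-department": "finance", "x-sensitivity": "restricted"}

if __name__ == "__main__":
    print(decide_file(ALICE, Q3_REPORT, "read"))                     # Permit
    print(decide_file(BOB, Q3_REPORT, "read"))                       # Deny: no clearance
    print(decide_file(BOB, NEWSLETTER, "read"))                      # Permit
    print(decide_file(ALICE, Q3_REPORT, "download", managed=False))  # Deny: unmanaged device
    print(decide_mail(ALICE_MAILBOX, FORECAST_MAIL, "read"))         # Permit: same policy, other app
```

The same four rules decide the file-share request and the mail-archive request; only the adapter differs, which is the application-independence point above. A request with a missing attribute (for example a resource with no classification) returns NotApplicable rather than Permit, and the enforcement point must deny it.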

Based on these requirements we chose XACML, and when I compare it to 2004 it would be hard to argue that XACML is dead today. Not only are there dozens of products, with new ones still coming to market, but I have six enterprise-wide deployments going live this week and our business grew 300% last year. XACML continues to get more compelling.

I will concede this. The strategy of selling XACML as a generic policy engine doesn’t work. Most of the products have matured to hide the complexity of XACML, and the marketing now communicates a business-level value proposition. I can see how this might look like the death of a market, since a company using one of the XACML-based products out there today may not even know or care that it is based on XACML. To me that is proof that XACML has grown up. Today we are solving real business problems, delivering real applications, and articulating out-of-the-box business value.


Andy Han is the VP of Products at NextLabs, responsible for Product Development and Product Marketing.
