My blog has moved and can now be found at

No action is needed on your part if you are already subscribed to this blog via e-mail or its syndication feed.

Sunday, June 19, 2011
« Update on Federal ICAM Profiles for Back... | Main |

The desire to externalize authorization and to drive access control via standardized policy has been one of the major contributors to the success of XACML. Typically, this has been focused almost exclusively on Logical Access Control Systems (LACS). But, what if you could define and manage your access control policies for both Logical Access Control Systems (LACS) and Physical Access Control Systems (PACS) from a single pane of glass?

PACS_PEP Over the last number of years, in my role as the Technical Lead for DHS S&T's IdM Testbed, I've been working with companies that participate in the DHS Science & Technology Directorate's Small Business Innovation Research (SBIR) Program. One of the interesting projects that I've provided technical advice and guidance to has been with an SBIR Awardee (Queralt, Inc) that has developed a PACS Policy Enforcement Point (PEP) that conforms to the XACML 2.0 and 3.0 standard.

Moving out on this, we fully realized that the perspectives of the physical security folks are often different than the IT folks who typically run LACS systems. As such it is important to make sure those concerns are addressed up front. Those concerns include:

  • The access control policies for the PACS system must remain under the control of the physical security officers
  • The PACS system must continue to operate even if this additional functionality is disabled for some reason
  • This is an additional functionality built on top of existing capabilities and must easily integrate with existing infrastructure

As an aside, when we speak of Attribute Based Access Control (ABAC), the input to a decision includes identity attributes, authority attributes, actions to be performed and environmental attributes as well. One of those environmental attributes could be location information. The key with location information is that in order for it to be relevant, it must come from a trusted infrastructure i.e. I can easily trust location information from a turnstile that is owned and managed by my organization but I would have a harder time trusting location information from a computer or mobile device coming from a wireless network that can more easily be spoofed. This capability allows for the incorporation of location information from a trusted infrastructure.

As always, a completely standards based interface between the PACS PEP and a PDP is critical to the success and adoption of this type of technology. As such Queralt is currently in the process of finishing up testing against the multiple XACML PDPs we have made available to them from our Testbed.  So far everything looks good.

We have also connected them with multiple leading XACML PDP vendors, who are very interested in this technology that will help them expand their reach into the PACS realm. Queralt, which has a focus on location based technologies and RFID, already has excellent relationships with multiple PACS vendors as well.  All in all, to paraphrase a physical security officer who received a briefing on this effort last week, this is a game changer that many folks have been looking for and really need.

Just as a disclaimer, other than my involvement noted above, I personally have no vested interest in Queralt as a company. I do think that this is very cool tech and it is something that will add greater value to policy driven access control decisioning capabilities.  As such, if you are a PDP or PACS vendor and would like to be connected to the folks at Queralt, please do drop me a line and I would be glad to make that happen.

6/19/2011 4:38 PM Eastern Daylight Time  |  Comments [0]  |  Disclaimer  |  Permalink