Updated 4:35pm PST
Aerospace giant Boeing is testing emerging authorization technology as part of a first-ever plan to deploy standardized policy and attribute-based access controls to protect intellectual property it shares with partners and customers.
At this week's RSA Conference, the company is talking about its work with the Extensible Access Control Markup Language (XACML) 3.0 and an extension called the Intellectual Property Control (IPC) profile.
The profile defines attributes and attribute details used to control access. Boeing plans to adopt both XACML and the IPC profile once standardization is finalized, which is imminent.
"What we are getting is a common vocabulary for intellectual property," says Richard Hill, an information security specialist at Boeing. IPC supports seven attributes including copyright, patent, IP-owner, and license.
The Fortune 50 company estimates that a small percentage of its document access events require sophisticated "fine-grained" authorization controls. And it is demanding standards in order to ease adoption across its extended enterprise, partner/customer networks, aerospace and other industries.
The Transglobal Secure Collaboration Project (TSCP), an aerospace and defense consortium that includes the U.S. Department of Defense and the UK Ministry of Defense, also plans to build XACML's IPC profiles into its information and labeling program.
XACML provides "fine-grained" authorization, allowing for exacting access controls. In contrast, authentication, proving who someone is, is a poor substitute for authorization, determining what that someone can access, when sensitive data or transactions are involved.
Authorization is one area of identity that is experiencing growing pains as identity and access controls are adapted to distributed networks.
"XACML profiles for intellectual property and export control protection make the authorization standard more readily applicable to many industry scenarios," said Gerry Gebel, president, Axiomatics Americas. "It is great to have Boeing participating in and contributing to the XACML standardization process."
Boeing's intent is to increase protection of intellectual property and other information as it shares documents with suppliers and partners. The XACML demo at RSA focuses on Microsoft's Word, Excel and PowerPoint formats.
"This is the first time [in the industry] anyone is using XACML-based resource attributes and meta-data for marking documents with properties," said John Tolbert, associate technical fellow and information security strategist at Boeing. "Now we can match up subject attributes and resource attributes, and cover it all with policy. So we can limit people to certain documents based on properties of those documents and on the user's attributes. That's what makes this new and exciting."
Boeing pulls the user attributes directly from its directory. And they are the same attributes it uses to support federated single sign-on authentication. Boeing plans to put an XACML policy engine in front of a document management store and use the engine as a policy enforcement point.
The company is using a proprietary tool it developed and licenses called Cipher to analyze documents and images, search out keywords and phrases, and insert meta-data before the documents are stored. XACML tools let Boeing use that meta-data to produce standards-based document properties .
"Any company that develops IP can use this - health care, drug companies," says Tolbert. "What we're doing is taking fine-grained authorization down to the data level."
In addition, the meta-tagging and tracking of data use gives Boeing compliance benefits.
Crystal Hayes, Boeing's internal compliance specialist says Boeing hopes that customers and suppliers will adopt XACML-based software. "If we are speaking the same language we are better able to control the movement and release of IP."
In addition to Boeing, the RSA Conference demonstration of XACML, which was developed by the Organization for the Advancement of Structured Information Standards (OASIS), also included Quest/Bitkoo, Axiomatics, Oracle and Next Labs.