Boeing eyes authorization standard to harden access to intellectual property

Boeing eyes authorization standard to harden access to intellectual property

Summary: Aerospace giant Boeing is piloting standards-based access controls built on the Extensible Access Control Markup language in order to dial-in authorization capabilities and help protect its intellectual property.

SHARE:

Updated 4:35pm PST

Aerospace giant Boeing is testing emerging authorization technology as part of a first-ever plan to deploy standardized policy and attribute-based access controls to protect intellectual property it shares with partners and customers.

At this week's RSA Conference, the company is talking about its work with the Extensible Access Control Markup Language (XACML) 3.0 and an extension called the Intellectual Property Control (IPC) profile.

The profile defines attributes and attribute details used to control access. Boeing plans to adopt both XACML and the IPC profile once standardization is finalized, which is imminent.

"What we are getting is a common vocabulary for intellectual property," says Richard Hill, an information security specialist at Boeing. IPC supports seven attributes including copyright, patent, IP-owner, and license.

The Fortune 50 company estimates that a small percentage of its document access events require sophisticated "fine-grained" authorization controls. And it is demanding standards in order to ease adoption across its extended enterprise, partner/customer networks, aerospace and other industries.

The Transglobal Secure Collaboration Project (TSCP), an aerospace and defense consortium that includes the U.S. Department of Defense and the UK Ministry of Defense, also plans to build XACML's IPC profiles into its information and labeling program.

XACML provides "fine-grained" authorization, allowing for exacting access controls. In contrast, authentication, proving who someone is, is a poor substitute for authorization, determining what that someone can access, when sensitive data or transactions are involved.

Authorization is one area of identity that is experiencing growing pains as identity and access controls are adapted to distributed networks.

"XACML profiles for intellectual property and export control protection make the authorization standard more readily applicable to many industry scenarios," said Gerry Gebel, president, Axiomatics Americas. "It is great to have Boeing participating in and contributing to the XACML standardization process."

Boeing's intent is to increase protection of intellectual property and other information as it shares documents with suppliers and partners. The XACML demo at RSA focuses on Microsoft's Word, Excel and PowerPoint formats.

"This is the first time [in the industry] anyone is using XACML-based resource attributes and meta-data for marking documents with properties," said John Tolbert, associate technical fellow and information security strategist at Boeing. "Now we can match up subject attributes and resource attributes, and cover it all with policy. So we can limit people to certain documents based on properties of those documents and on the user's attributes. That's what makes this new and exciting."

Boeing pulls the user attributes directly from its directory. And they are the same attributes it uses to support federated single sign-on authentication. Boeing plans to put an XACML policy engine in front of a document management store and use the engine as a policy enforcement point.

The company is using a proprietary tool it developed and licenses called Cipher to analyze documents and images, search out keywords and phrases, and insert meta-data before the documents are stored.  XACML tools let Boeing use that meta-data to produce standards-based document properties .

"Any company that develops IP can use this - health care, drug companies," says Tolbert. "What we're doing is taking fine-grained authorization down to the data level."

In addition, the meta-tagging and tracking of data use gives Boeing compliance benefits.

Crystal Hayes, Boeing's internal compliance specialist says Boeing hopes that customers and suppliers will adopt XACML-based software. "If we are speaking the same language we are better able to control the movement and release of IP."

In addition to Boeing, the RSA Conference demonstration of XACML, which was developed by the Organization for the Advancement of Structured Information Standards (OASIS), also included Quest/Bitkoo, Axiomatics, Oracle and Next Labs.

Topics: Legal, Enterprise Software

About

John Fontana is a journalist focusing in identity, privacy and security issues. Currently, he is the Identity Evangelist for cloud identity security vendor Ping Identity, where he blogs about relevant issues related to digital identity.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • sounds oppressive

    Do the permission parameters include options that would support Creative Commons standard licenses? Otherwise it seems like more of a censorship gate than a path back to the creator(s).
    Htalk