An important use of computers in modern times is the dissemination of information across a wide area network. Currently, the largest wide area computer network in existence is the Internet, although additional world-wide networks similar to the Internet are presently under development and deployment. The Internet is a complex interconnection of computers and networks that communicate using a common protocol, TCP/IP, which originated in the 1960s with the U.S. Defense Department. For a long time, the Internet was used by researchers in universities and national laboratories to share data and information. Today, hundreds of millions of computers, from personal computers (PCs) to high-performance supercomputers, are connected to the Internet. It is estimated that over 700 million of the 1 billion computers worldwide are connected to the Internet.
Many individuals, businesses, organizations and governments utilize the Internet to exchange such information either internally or with other parties. Despite the vast exchange of information capable of occurring on the Internet, there is a problem with “content islands”—documents and media files that cannot be easily exchanged. The U.S. government's 9/11 Report identifies the problem as catastrophic and threatening national security. Fortunately, the technologies of interchange standards like Extensible Markup Language (XML) provide important pieces for solving much of the problem. Unfortunately, markup technologies alone cannot solve the problem. Scalable solutions for the large organization and workplace require diligent and aggressive attention to workflow and work cultures. Major content exchange initiatives—for the intelligence community, among military components, and between agencies of the U.S. government—invariably seek to apply XML technologies in an effective manner. The problem is that applying the technologies means introducing them into everyday workflow and business practice. Emerging exchange technologies cannot by themselves modify best practices; in fact, the technologies are generating wholly new protocols and practices.
Even if the information can be exchanged, certain information is not intended to be disclosed to everyone. Certain access policies and controls must be implemented to ensure the security of sensitive or private information. The notion of an access policy is simple. Is a given individual, group or computer allowed to access a particular resource or piece of information, or not? In actual practice an access policy for server-based content must account for many aspects of the individual—identification, title, security clearance, role within the organization, need to know, and perhaps current location and type of computer (e.g. hand-held, laptop, mobile).
In addition, a sophisticated policy may spell out security details of the content: its overall level of sensitivity or confidentiality, specific segments that are more sensitive than others, segments requiring specific consent by the owner (a patient record, for example), plus other security-related characteristics. An access policy must therefore be smart, far more refined than simple username-password approaches. A Windows (or Unix) approach of restricting entire files and folders is entirely too blunt to be practical.
In order to provide consistent, universal access policies for the Internet or other wide area networks, a consortium of vendors formulated the eXtensible Access Control Markup Language (XACML) standard. XACML can be utilized on practically any network server. XACML allows policy authors to control who can read, write, or modify components of their records. It is noted that XACML is now a required information access standard across the entire U.S. Department of Defense. The XACML standard is mature and is becoming ever more pervasive.
The downside of XACML—even though it is plain-text XML—is that it still requires programmers to create and modify it. XACML is verbose, highly dependent upon proper syntax, and difficult even for skilled humans to read. Complex syntax or formatting is not a problem for a computer, but it remains a major barrier to humans and thus limits wider adoption. The result is that an XACML-aware information system requires skilled programming throughout its life cycle.
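To make the preceding points concrete, here is an added example (not part of the patent text, and not any vendor's XACML engine) of a minimal policy decision point that evaluates requests against a constructed XACML 3.0 policy. The attribute-based decision from the earlier paragraphs is visible in the policy: a patient record may be read by a subject whose clearance is at least 2, and written only by a subject holding the role "physician"; anything else falls through to the default Deny of the deny-unless-permit combining algorithm. The XACML element names, category and function identifiers and the combining algorithm are the standard's own; the attribute ids `urn:example:clearance` and `urn:example:role`, the policy id, the rule ids and the request values are assumptions constructed for this illustration. The roughly forty lines of XML needed to express two one-sentence rules are the verbosity the text complains about.

```python
"""Toy XACML 3.0 policy decision point (PDP).

Added example, not from the patent or any product.  Constructed policy and
request values; 'urn:example:*' attribute ids are assumed, everything else is
standard XACML 3.0 vocabulary.
"""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CLEARANCE = "urn:example:clearance"  # constructed attribute id
ROLE = "urn:example:role"            # constructed attribute id
STRING = "http://www.w3.org/2001/XMLSchema#string"
INTEGER = "http://www.w3.org/2001/XMLSchema#integer"

# Constructed policy.  Note the XACML Match convention: the literal
# AttributeValue is the function's FIRST argument and the request attribute the
# second, so "clearance >= 2" is written integer-less-than-or-equal(2, clearance).
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="urn:example:patient-record" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Rule RuleId="read-needs-clearance-2" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="{STRING}">read</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}"
          DataType="{STRING}" MustBePresent="true"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
        <AttributeValue DataType="{INTEGER}">2</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="{CLEARANCE}"
          DataType="{INTEGER}" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="write-physician-only" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="{STRING}">write</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}"
          DataType="{STRING}" MustBePresent="true"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="{STRING}">physician</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="{ROLE}"
          DataType="{STRING}" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""

# The only two Match functions this toy PDP implements (literal, request value).
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal":
        lambda a, b: int(a) <= int(b),
}


def match_ok(match, request):
    """One <Match> holds if the function is true for any value of the designated attribute."""
    literal = match.find("x:AttributeValue", NS).text
    des = match.find("x:AttributeDesignator", NS)
    values = request.get((des.get("Category"), des.get("AttributeId")), [])
    if not values and des.get("MustBePresent") == "true":
        # The spec makes this Indeterminate; under deny-unless-permit that is a Deny,
        # so treating the match as false gives the same (fail-closed) outcome.
        return False
    fn = FUNCTIONS[match.get("MatchId")]
    return any(fn(literal, v) for v in values)


def target_ok(target, request):
    """A Target holds if any <AnyOf> contains an <AllOf> whose Matches all hold."""
    if target is None:
        return True  # an absent Target matches every request
    return any(all(match_ok(m, request) for m in allof.findall("x:Match", NS))
               for anyof in target.findall("x:AnyOf", NS)
               for allof in anyof.findall("x:AllOf", NS))


def decide(policy_xml, request):
    """deny-unless-permit: Permit if any applicable rule permits, otherwise Deny."""
    policy = ET.fromstring(policy_xml)
    for rule in policy.findall("x:Rule", NS):
        if rule.get("Effect") == "Permit" and target_ok(rule.find("x:Target", NS), request):
            return "Permit"
    return "Deny"


def request(action, clearance=None, role=None):
    """Build a request context: (category, attribute id) -> bag of string values."""
    req = {(ACTION, ACTION_ID): [action]}
    if clearance is not None:
        req[(SUBJECT, CLEARANCE)] = [str(clearance)]
    if role is not None:
        req[(SUBJECT, ROLE)] = [role]
    return req


if __name__ == "__main__":
    print(decide(POLICY_XML, request("read", clearance=3)))                      # Permit
    print(decide(POLICY_XML, request("read", clearance=1)))                      # Deny
    print(decide(POLICY_XML, request("write", clearance=3, role="nurse")))       # Deny
    print(decide(POLICY_XML, request("write", role="physician")))                # Permit
    print(decide(POLICY_XML, request("delete", clearance=9, role="physician")))  # Deny
```

Two design choices are worth noting. A missing mandatory attribute (no clearance supplied on a read) never results in a Permit, which is the fail-closed behaviour one wants from a policy engine. And the argument order of the Match function is the kind of syntax detail the text has in mind: writing `integer-greater-than-or-equal` with the literal 2 would silently encode "2 >= clearance", the opposite of the intended rule, and nothing in the XML would flag it.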
Given the above, it is currently challenging, if not impossible, to define, manage and deploy policies for secure information access in an agile and consistent manner. Moreover, there is no robust rules-based method for cross-domain message filtering (higher-security to lower-security transfers). Without the ability to enact and deploy XML-based security policy (rule sets or XACML code) quickly, easily, and with a minimum of humanly written computer program code, security authors and administrators cannot hope to achieve the secure exchange of information across the Internet or other networks. In that regard, it would be highly advantageous to eliminate the technical programmer, who does not contribute to the substantive security decisions, from the policy life cycle; doing so would be a significant breakthrough in the access control area.
Thus, what is needed is a new approach for development of information exchange, access policies and access control. Preferably, such an approach would achieve this by allowing the user to formulate access policy as near natural language without any knowledge of XACML. Once the access policy is formulated, the new approach would also preferably automatically check and convert the near natural language to XACML, with full auditing features and reverse de-compiling to ensure that the XACML created can be converted back to the exact near natural language originally used to create the XACML policy. The present invention, therefore, endeavors to fulfill one or more of the needs addressed above, as will be understood from the following description and accompanying drawings.
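The compile-and-decompile round trip described above can be illustrated with a small added example (not the patent's own method or grammar). It accepts a rule in one constrained near-natural-language form, `allow|deny <role> to <action> <resource>`, compiles it to an XACML 3.0 `<Rule>`, and decompiles the XML back to the sentence; the audit check is that the decompiled text equals the normalised input, and the decompiler refuses any XACML construct the grammar cannot represent rather than guessing. The sentence grammar and the `urn:example:role` attribute id are assumptions; the XACML element names, categories and the action and resource attribute ids are the standard's own.

```python
"""Round trip: near-natural-language rule -> XACML 3.0 Rule -> same rule.

Added example, not the patent's method.  The grammar
'allow|deny <role> to <action> <resource>' and the 'urn:example:role'
attribute id are assumptions; the rest is standard XACML 3.0 vocabulary.
"""
import re
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ET.register_namespace("", XACML)  # emit XACML as the default namespace
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Each slot of the sentence maps to one (category, attribute id) pair.
SLOTS = {
    "role": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
             "urn:example:role"),  # constructed attribute id
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
}
GRAMMAR = re.compile(r"^(allow|deny) (\S+) to (\S+) (\S+)$")


def q(tag):
    """Clark-notation tag in the XACML namespace."""
    return f"{{{XACML}}}{tag}"


def parse_sentence(sentence):
    """Reject anything outside the supported form; normalise case and whitespace."""
    m = GRAMMAR.match(sentence.strip().lower())
    if not m:
        raise ValueError(f"not in the supported form: {sentence!r}")
    verb, role, action, resource = m.groups()
    return {"effect": "Permit" if verb == "allow" else "Deny",
            "role": role, "action": action, "resource": resource}


def compile_rule(sentence, rule_id="rule-1"):
    """Sentence -> serialised XACML <Rule> with one AllOf of string-equal Matches."""
    parts = parse_sentence(sentence)
    rule = ET.Element(q("Rule"), RuleId=rule_id, Effect=parts["effect"])
    target = ET.SubElement(rule, q("Target"))
    allof = ET.SubElement(ET.SubElement(target, q("AnyOf")), q("AllOf"))
    for slot, (category, attr_id) in SLOTS.items():
        match = ET.SubElement(allof, q("Match"), MatchId=STRING_EQUAL)
        ET.SubElement(match, q("AttributeValue"), DataType=STRING).text = parts[slot]
        ET.SubElement(match, q("AttributeDesignator"), Category=category,
                      AttributeId=attr_id, DataType=STRING, MustBePresent="true")
    return ET.tostring(rule, encoding="unicode")


def decompile_rule(rule_xml):
    """XACML <Rule> -> sentence.  Fails loudly on anything the grammar cannot express."""
    rule = ET.fromstring(rule_xml)
    ns = {"x": XACML}
    found = {}
    for match in rule.iter(q("Match")):
        if match.get("MatchId") != STRING_EQUAL:
            raise ValueError("rule uses a function the sentence grammar cannot express")
        des = match.find("x:AttributeDesignator", ns)
        key = (des.get("Category"), des.get("AttributeId"))
        slot = next((s for s, ids in SLOTS.items() if ids == key), None)
        if slot is None:
            raise ValueError(f"unknown attribute {key}")
        found[slot] = match.find("x:AttributeValue", ns).text
    if set(found) != set(SLOTS):
        raise ValueError("rule does not carry every slot of the sentence")
    verb = "allow" if rule.get("Effect") == "Permit" else "deny"
    return f"{verb} {found['role']} to {found['action']} {found['resource']}"


def round_trip_ok(sentence):
    """The audit check: compiled XACML must decompile to the exact normalised sentence."""
    return decompile_rule(compile_rule(sentence)) == sentence.strip().lower()


if __name__ == "__main__":
    xml = compile_rule("Allow physician to write patient-record")
    print(xml)
    print(decompile_rule(xml))          # allow physician to write patient-record
    print(round_trip_ok("deny nurse to write patient-record"))  # True
```

The decompiler is deliberately strict: a `<Rule>` that was hand-edited to use a different function or an unknown attribute cannot be rendered back into the sentence form, so the round-trip check fails instead of producing a sentence that no longer describes what the XML enforces. That is the property the text asks for when it requires the generated XACML to convert back to the exact original wording.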