Thursday Apr 12, 2007

2007-13--04 Security Link Of The Day

Dave Walker is one of Sun's clearest thinkers on matters related to identity and access to data; about a year ago he posted this observation which didn't really get the attention it deserved.

The issue of identity has been bothering me for a while. While identity can clearly be applied to human consumers of services - and expressed as a subset of information held about them in various places - I've started wondering how the concept of identity could be used for various other entities, and indeed how the properties of identity as applied to humans could potentially be mapped onto them.

Hence the table below, which is my rather crude first shot at this mapping for files, running processes, OS instances, zones, hardware domains and services. Cells with question marks in them are areas where I currently don't see a mapping - this could mean that a mapping is not appropriate, or that an appropriate technology does not exist today, and could point the way for a bit of fundamental research.

I suspect I'm heading down a path which has been well-trodden already, but you might find some parts of this amusing. I'd be happy to bounce ideas around, or become clueful on what current thinking in this area actually is.


I'm hoping to get Dave blogging here more directly, soon, so keep an eye open.

Treating processes (ie: computer programs, live and running on a CPU) as if they were people, is not necessarily as easy as you might think - but then given how easily some people can be socially engineered maybe it's not so bad an analogy after all.

Tuesday Apr 10, 2007

2007-04-11 Security Post Of The Day

Something a little different for today; my boss wrote to me regards some slideware:

Alec, I'd like to identify some aspects to trends in Security. Have you observed particular security trends for web computing?

...and this is my response. I'll be mailing him the URL. You get to see it first. :-)

So, have I observed particular security trends in Web Computing?

Not really, for reasons which I partially explain in a recent posting on my home blog - the short version being that I believe there are no new security bugs, ever, and from this it's a pretty easy step to declaring security to be a "solved problem", although that carries the proviso: "if and only if you bother to hire people who understand security".

So if we want to write about the state of the art of "security and web computing" then I feel we should do it in terms of the "maturation" of Web Computing technologies.

Twenty years of geekery has taught me all technologies go through a wild-and-insecure phase until the implementational goofs instilled by the visionaries get hammered out by the embarrassment of exploits, and the needs of business. How often do you see websites which still use plaintext password cookies in anger? Yes, some people still goof in implementation, but at least a large body of people now recognise that such design and implementation artifacts are goofs.

For the people who don't know this, there are always consultants who can help. :-)

So my thesis would be: people are getting used to the idea that perhaps mashups need a little more thought than "we'll just glue it together and it will work OK"; also people are finally getting to understand that the concept of "security" is bogus, being as it is actually an umbrella term for a bunch of qualities, including but not restricted to:

  • integrity
  • availability
  • privacy and secrecy
  • trustworthiness
  • privilege separation and enforcement, leveraging all of
    • authentication,
    • authorization and
    • identity
    • and all of the other stuff above, plus finally and most important of all...
  • wisdom regarding the creation of security policy, and consequent design and implementation

So as we move into an age of maturation of web technologies, attitudes and received wisdom are starting to shift; people are now less scared of letting just anyone write all over their website so long as you know who it is that is doing it, and people are beginning to realise that by replacing barriers-to-creation with knowledge-of-authorship (ie: identity, authentication, authorization) - plus the additional ability to 'roll back' so you can circumvent the expected but survivable inevitable vandalism - people realise you can now invite the world to create content with you.

Sufficient technologies to solve all extant security problems now exist - modulo the chest-beating efforts of vendors to pitch new solutions to problems which they hope people will encounter - but from my perspective it's the shift in people's attitudes to security which is most interesting.

"Forget prior restraint and access control, build trust, identity and integrity instead."

I find that exciting; it's always been possible, but twenty years ago had you stated it was your goal, people would say you were nuts.

