
Security Deployment Models

I did a SOA Security roundtable Webinar today; one of the more interesting threads was around deployment. We got into the different models for deploying security, starting with every mainframer's favorite, the centralized model:

Central

Unfortunately, this model makes many assumptions from which technical reality diverges. In an enterprise today, you cannot expect to own both the subject and the object, as well as the session and data in one technology.

The next logical step is high-assurance endpoints, the Jericho dream:


Distributed

The problem here is that when you have 100,000 of anything, it is difficult to manage. You simply don't have enough security gurus to comprehensively address all the distributed endpoints on an ongoing basis.

Next we go to a hybrid model (remembering that hybrids are the most resilient plants in nature)


Decentralized

Now we place various high-assurance intermediaries that can provide some security services to the endpoints. The intermediaries are tuned for their specific services (say, XML Encryption/Decryption) and environment (say, B2C or B2B). This model is predicated on how successful and scalable enterprise security mechanisms have worked in the past: think Active Directory, LDAP, and Federation, which all leverage multiple centers that provide services to a wide variety of endpoints.


**

Gunnar Peterson teaching Web Services Security training, NYC, March 10-11


Web services security training in NYC

If your company is doing SOAP, Web services, SOA, REST or XML, and you are looking for ideas on how to build security into the system, come to NYC in March. I am teaching Web services security in NYC on March 10, 11; all the details are here. This is a public version of the training session that I do for companies and conferences, and you can read reviews here. Some more information on the tools we use. Registration and more information here.

Rogan Dawes at FOSDEM 2008

Most security people seem to have at least heard of OWASP, but a lot of developers have not. This by itself is a little scary, but it is also too bad, because one of the singular great things about OWASP is that it is a very developer friendly project that produces lots of tools, code and code level guidance (rather than just policy statements). So it is a great playground for developers to learn about building more secure web apps.

There is a great summary here by Christian Scholz on Rogan Dawes' talk at FOSDEM 2008, where he summarizes a lot of what OWASP is about and what some of the more interesting projects are. If you are just learning about OWASP, it is a great place to start. The author concludes:

Everybody interested should have a look at WebGoat and WebScarab themselves.

Could not agree more. It is great to see OWASP getting out of the security community and into the wider developer communities. The security people can only take it so far; developers have to be on board.


Digital Natives and Digital Assets

Bruce Schneier on Credentica

Cryptographer Stefan Brands has a new company, Credentica, that allows people to disclose personal information while maintaining privacy and minimizing the threat of identity theft.

I know Stefan; he's good. The cryptography behind this system is almost certainly impeccable. I like systems like this, and I want them to succeed. I just don't see a viable business model.

I'd like to be proven wrong.

My take is that every day the barriers get smaller; the people coming into the workplace now, so-called digital natives, understand the utility of information assets and have a far greater understanding of threats. Paul Madsen:

My 5-yr old daughter, on the burden of remote identity management (trying to access her Webkinz account from a friend's house)

I couldn't get on because I didn't have my username but I had my secret code so I was able to get my password changed.

I don't think we need be concerned about the abilities of her generation to adapt to new identity models - they'll do just fine.

Perhaps then we should stop worrying about 'My Mother' as the average user for which we design identity systems and skip to the grandchildren - far less constraining.

Could not agree more with Paul's sentiments. I am not saying that we let go of usability or anything, but things are changing pretty quickly. Security protocols have a long lifespan, and we really only have two working security mechanisms, the reference monitor and crypto; we should not be afraid of adding a third, or making the aforementioned faster/better/cheaper to implement. Speaking of which, anybody looked at Vidoop?


Humanity's Todo List

From the BBC:


Challenges facing Humanity:

Make solar energy affordable
Provide energy from fusion
Develop carbon sequestration
Manage the nitrogen cycle
Provide access to clean water
Reverse engineer the brain
Prevent nuclear terror
*Secure cyberspace*
Enhance virtual reality
Improve urban infrastructure
Advance health informatics
Engineer better medicines
Advance personalised learning
Explore natural frontiers

David Allen, of GTD fame, teaches us that we need to define "next actions" for each item on the todo list, so the next action for realizing secure cyberspace is best expressed here in the Laws of Identity:

The Internet was built without a way to know who and what you are connecting to. This limits what we can do with it and exposes us to growing dangers. If we do nothing, we will face rapidly proliferating episodes of theft and deception that will cumulatively erode public trust in the Internet.

We have undertaken a project to develop a formal understanding of the dynamics causing digital identity systems to succeed or fail in various contexts, expressed as the Laws of Identity. Taken together, these laws define a unifying identity metasystem that can offer the Internet the identity layer it so obviously requires. They also provide a way for people new to the identity discussion to understand its central issues. This lets them actively join in, rather than everyone having to restart the whole discussion from scratch.

Those of us who work on or with identity systems need to obey the Laws of Identity. Otherwise, we create a wake of reinforcing side-effects that eventually undermine all resulting technology. The result is similar to what would happen if civil engineers were to flaunt the law of gravity. By following them we can build a unifying identity metasystem that is widely accepted and enduring.


SOA Security Roundtable Webinar

Next Wednesday, on February 27 at 12 (Eastern), I am doing a Webinar roundtable hosted by Mike Rothman on SOA Security. Mike listed these topics for the discussion:

* New attack vectors introduced by SOA
* The best place to implement SOA Security
* Strategies to build secure SOA applications
* Leverage with existing identity and access management

Should be fun.


Are Newspapers Information Age Infrastructure Companies?

Everywhere you look, newspapers are in trouble. For one example, a study from last fall showed that every major US paper was shrinking readership except WSJ and USA Today. There is a never-ending series of disturbing stories about the financial viability of newspapers. Yet newspapers in general have some valuable content; it just gets created, distributed, and monetized differently now, and the industry has obviously failed to adapt.

It reminds me a lot of legacy architectures. Newspapers have a lot of fixed expenses due to legacy concerns, but times are changing - you need reporters everywhere, but if there were nobody paying Tom Friedman's room service all those years, then we don't get "Lexus and the Olive Tree."

Obviously they are adding some value despite their lack of agility. There are parallels, I think, with airlines, which have been huge destroyers of investor capital for decades. Warren Buffett famously said that while airlines have greatly improved humans' quality of life, any real capitalist would have shot down Wilbur and Orville at Kitty Hawk.

Interestingly, some airlines do run effective businesses: low-cost operators and those focused on specific routes, as well as Buffett's own Netjets. Similarly, highly focused newspapers are probably here to stay. The question is whether the rest of the herd will figure out how to create value and have an effective (read: profitable) distribution model. Newspapers still have a lot of content (which is an infrastructure component in the information age), but no idea how to efficiently and profitably distribute it.

Security in SOA - It's the Car, Not the Garage

I have an article on SOA Security in the latest issue of Thomas Erl's SOA Magazine. The article is called Security in SOA - It's the Car, Not the Garage, abstract:

Interoperable software architecture requires interoperable security mechanisms. Security is frequently looked at as a black art, but in reality the core concepts of security - knowing your assets and designing for failure - are just good engineering practices. This article focuses on applying those practices to service-oriented solution design with an emphasis on considerations raised by authentication, authorization, auditing, and assurance.

The introduction:

When I park my car in the garage, I lock it. Why? Well, although I would hate for someone to steal my snow shovel and hockey sticks, my car is much more valuable to me. Security is about managing risk, specifically protecting valuable assets like my car. I have a higher level of protection on my car than on my garage. In dollar terms, the contents of my garage are orders of magnitude less valuable than my car. I could spend a lot of money fortifying my garage, and that would add some security to my car while it is parked there, but it is not a cost-effective investment. First, my car is the asset of value, and second the garage - no matter how well protected it is - doesn't move.

Car manufacturers know this, insurance companies know this, consumers know this. Even media publishers know, yet in the common enterprise, programmers and architects seem to roam in ignorance. Your average download of a Michael Bolton song carries a far higher level of security than valuable user data, like passwords, social security numbers, and credit card details. Why do we keep protecting critical data with point-to-point security solutions (like SSL) that protect the transmission channel, but leave the valuable assets being transported wide open everywhere else? This is a critical question that needs to be answered in order to successfully add an effective layer of security to an SOA.

The article looks at security architecture considerations for authentication, authorization, auditing and assurance in SOA.
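The channel-versus-message point from the introduction above, as an added example that is not code from the article or from this blog: a MAC travels with the message, so the receiving endpoint can detect a change made at any hop where the transport channel was terminated. The shared key, the `relay` intermediary and the order fields are constructed assumptions, and the sketch covers integrity only; confidentiality of the payload would need message-level encryption such as XML Encryption.

```python
import hashlib
import hmac
import json

# Constructed demo key held by the two endpoints only; intermediaries never see it.
ENDPOINT_KEY = b"constructed-demo-key-not-for-production"


def canonical(body: dict) -> bytes:
    """Serialize deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def protect(body: dict, key: bytes = ENDPOINT_KEY) -> dict:
    """Sender: attach a MAC to the message itself (the car), not the channel."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify(envelope: dict, key: bytes = ENDPOINT_KEY) -> bool:
    """Receiver: recompute the MAC over the body that actually arrived."""
    expected = hmac.new(key, canonical(envelope["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("mac", ""))


def relay(envelope: dict, rewrite=None) -> dict:
    """Hypothetical intermediary (gateway, ESB): the inbound channel ends here,
    so the message is in the clear and may be changed before it is forwarded."""
    forwarded = json.loads(json.dumps(envelope))  # deep copy, as if re-serialized
    if rewrite:
        forwarded["body"].update(rewrite)
    return forwarded


def deliver(body: dict, hops: list) -> bool:
    """Send a protected message through a chain of hops; return the receiver's verdict."""
    envelope = protect(body)
    for rewrite in hops:
        envelope = relay(envelope, rewrite)
    return verify(envelope)


if __name__ == "__main__":
    order = {"account": "constructed-001", "amount": 100}  # constructed sample message
    print(deliver(order, [None, None]))              # every hop forwards unchanged
    print(deliver(order, [None, {"amount": 9000}]))  # second hop altered a field
```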


PowerPoint and its limitations

Mitt Romney pulled out of the election. Apparently PowerPoint can win you a Nobel Prize, but not a presidential election.



Deploy Security In

Andy Steingruebl pounds home the "it don't mean a thing, if it ain't in the build dist" theme:

For the most part we fail to treat the delivery/creation of software as a science. We do lots of research on languages, we do lots of work on theories of security, and then it all breaks down because we have people implementing the processes, and we don't spend any time on that. Well, at least not in measure to how much we spend on all sorts of other efforts that we don't measure, we aren't sure achieve results, etc.

We know lots about how to theoretically secure things, but we don't know a whole lot about how to get large software development organizations to produce consistently high quality/"secure" software. Heck, we don't even know how to do it if we aren't budget constrained, much less if we are.

Merriam-Webster actually captures the main issues related to security deployment (emphasis added):

Deploy 1 a: to extend (a military unit) especially in width b: to place in battle formation or appropriate positions

2: to spread out, utilize, or arrange for a deliberate purpose

As I have said before, depth is a given with security mechanisms, and it gets almost all the focus, but you have to be wide too.