
Comments

ekivemark

This seems like Deja Vu all over again...

I was on a project for a major federal initiative a few years ago and had daily debates with fellow consultants.

We were defining a multi-tier storage and presentation architecture with need for tight security. The two sides of the debate were: 1) Apply perimeter-based security. 2) Build security in to each layer of the architecture.

My argument was that since the scale of the resulting system was going to be so large and expansive, a dependence upon perimeter-based security would be prone to failure.

I advocated the latter approach and recommended defining a directory-based architecture that would enable people, applications, processes and devices to be provided with identities. This would provide good granularity in defining security rules and would allow security access rules to be defined without necessarily requiring visibility into all layers.

For example, users could be given access to applications or services, applications could independently be given access to pools of data.

My mind is flooded with the many different aspects of the identity debate. In the Deperimeterization debate I believe in a model that does not depend upon perimeter-based access control.

In a professional context our identity is comprised of many roles. We are granted access to information and services based upon the confluence of these roles. The Identity metasystem has to recognize the identity aggregation and separation that is at work here. Much of this is familiar territory for enterprise access control systems. The complexity has emerged as business has evolved and our roles and the services we consume spread far beyond the organization we may be employed by.

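As an added illustration of the two models the comment contrasts (this is editorial example code, not the commenter's or the project's), the toy below gives users, applications and processes identities in a small in-memory "directory" (a constructed stand-in for a real directory service) and lets each tier apply its own role-based rule: the application tier checks the calling user's roles, and the storage tier independently checks the application's roles, exactly the "users to applications, applications to data pools" split described above. The `evaluate` function runs the same request through a perimeter-only check and through the layered check so the difference is visible: an anonymous caller that is already inside the network passes the perimeter model but not the layered one, while a legitimate identity connecting from outside is admitted by the layered model without any perimeter assumption. All principal, role and pool names are made up for the example.

```python
"""Constructed example (not from the original comment): per-tier,
identity-based access checks versus a single perimeter check."""

from dataclasses import dataclass
from typing import Optional

# Toy directory of principals: people, applications and processes all get
# an identity with roles. A real deployment would back this with LDAP/an IdP.
DIRECTORY = {
    "alice": {"type": "user", "roles": {"analyst"}},
    "reporting-app": {"type": "application", "roles": {"report-generator"}},
    "batch-loader": {"type": "process", "roles": {"etl"}},
}

# Per-layer rules are written against roles, never against network location.
APP_RULES = {            # which roles may invoke which application
    "reporting-app": {"analyst"},
}
DATA_RULES = {           # which roles may read which data pool
    "sales-pool": {"report-generator", "etl"},
    "hr-pool": {"hr-admin"},
}


@dataclass
class Request:
    principal: Optional[str]       # None models an anonymous caller
    from_inside_perimeter: bool    # where the connection originates


def roles_of(principal: Optional[str]) -> set:
    """Look a principal up in the directory; unknown/anonymous -> no roles."""
    entry = DIRECTORY.get(principal) if principal else None
    return set(entry["roles"]) if entry else set()


def perimeter_only(req: Request) -> bool:
    """Model 1: anything already inside the network boundary is trusted."""
    return req.from_inside_perimeter


def layered_app_access(req: Request, app: str) -> bool:
    """Model 2, application tier: the caller must hold a role the app allows."""
    return bool(roles_of(req.principal) & APP_RULES.get(app, set()))


def layered_data_access(app_principal: str, pool: str) -> bool:
    """Model 2, storage tier: the application's own identity is checked,
    independently of whichever user drove the request."""
    return bool(roles_of(app_principal) & DATA_RULES.get(pool, set()))


def evaluate(req: Request, app: str, pool: str):
    """Return (perimeter_decision, layered_decision) for a user -> app -> data path."""
    perimeter = perimeter_only(req)
    layered = layered_app_access(req, app) and layered_data_access(app, pool)
    return perimeter, layered


if __name__ == "__main__":
    cases = [
        ("alice inside", Request("alice", True), "reporting-app", "sales-pool"),
        ("anonymous inside", Request(None, True), "reporting-app", "sales-pool"),
        ("alice outside", Request("alice", False), "reporting-app", "sales-pool"),
        ("alice to hr data", Request("alice", True), "reporting-app", "hr-pool"),
    ]
    for label, req, app, pool in cases:
        print(f"{label:18} perimeter={evaluate(req, app, pool)[0]!s:5} "
              f"layered={evaluate(req, app, pool)[1]}")
```

The last case is the one the comment's "visibility into all layers" point is about: the storage tier can deny `reporting-app` access to `hr-pool` purely from the application's identity, without knowing anything about the user or the network path that produced the request.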