

Rob Lewis

Another quality post. I have read your comments on TAO etc., about the need for more authorization, but you don't mention it here. If we are to re-design, do you think that an authorization component is needed post-authentication, such as granular access controls, and that this is the place to get the stakeholders involved? I'll go further and say that that authorization component should utilize the business rules and the language of business operations to be truly effective.


Rob - the post is more about when than what. Authorization is a very good example of a service security should help to deliver. Yet because authZ requires mapping subjects and objects, infosec has no shot at delivering unless they are involved early on. Developing authZ later on requires lots of design changes, system testing and so on, so it's a non-starter. This is why the products, like access mgmt, that dazzle people on the RSA floor are sold for seven figures, because they can do authN, authZ and more. But then when people try to deploy they wind up using them for perimeter authN and *maybe* coarse grained perimeter authZ and that's it, fine as an idea, except they pay 10x more than they should have. The issue used to be that infosec complained that the developers wouldn't let them join in their reindeer games, but with the amount of money spent on toys and shenanigans, infosec can and should buy a seat at the grown-up table.

Rob Lewis

I realize that your post is about a comprehensive process to effect fundamental design change.

In your "The He Got Game Rule" post, Andre comments "most people forget about called "data owners" aka "customers". if only their voices could be heard."

Part of hearing those business stakeholders is dealing in the language of business operations, which are often based on relative trust relationships which affect information release and flows, as opposed to risk and object-centric labelling. This language supports collaboration and networking, even after the fact, and its omission will hamper identity management.

FTI, you may think that developing authZ later on is a non-starter, but that is what we do, with a security sub-system that converts select (or all) network nodes into reference monitors that communicate with each other using the language of the business operations to govern information flows.
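The exchange above turns on the difference between perimeter authN, coarse-grained authZ, and the fine-grained authorization that needs a mapping of subjects to objects (Gunnar's point) expressed in business terms such as who owns or shares an account (Rob's point). The following is an added illustration, not code from the original thread, from Gunnar's blog, or from any product mentioned in it. All names (the token table, the `ROLES` and `ACCOUNTS` dictionaries, the `reference_monitor` function) are constructed for the example; a real system would validate signed tokens and read object metadata from its data layer.

```python
"""Three layers of an access decision, as an added example.

Layer 1: authentication  - is the caller who they claim to be?
Layer 2: coarse authZ    - may this role reach this operation at all?
Layer 3: fine authZ      - may THIS subject act on THIS object?

Layer 3 is the part that needs the subject-to-object mapping: every object
must carry owner/sharing metadata, so the data model has to be designed for it
from the start rather than bolted on later.
"""
from dataclasses import dataclass, field

# Constructed session table (hypothetical). A real system would verify a signed
# token or look up a server-side session instead of a dict.
VALID_SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}

# Constructed role assignments.
ROLES = {"alice": "account_manager", "bob": "account_manager", "carol": "auditor"}

# Coarse-grained rule: which roles may call which operations (perimeter authZ).
# This is all a gateway can decide without knowing anything about the object.
OPERATION_ROLES = {
    "read_account": {"account_manager", "auditor"},
    "update_account": {"account_manager"},
}


@dataclass
class Account:
    account_id: str
    owner: str                                       # subject who manages the account
    shared_with: set = field(default_factory=set)   # business trust relationship


# Constructed object store carrying per-object metadata; this is the
# "mapping of subjects and objects" the comment thread is about.
ACCOUNTS = {
    "acct-1": Account("acct-1", owner="alice", shared_with={"bob"}),
    "acct-2": Account("acct-2", owner="bob"),
}


def authenticate(token):
    """Layer 1: map a presented credential to a subject, or None if unknown."""
    return VALID_SESSIONS.get(token)


def coarse_authorize(subject, operation):
    """Layer 2: role-based check at the perimeter, independent of the object."""
    return ROLES.get(subject) in OPERATION_ROLES.get(operation, set())


def fine_authorize(subject, operation, account):
    """Layer 3: per-object rule expressed in business terms (owner, shared-with)."""
    if operation == "read_account":
        # Readable by the owner, by anyone the owner shares with, and by
        # auditors: a business relationship, not a network position.
        return (subject == account.owner
                or subject in account.shared_with
                or ROLES.get(subject) == "auditor")
    if operation == "update_account":
        # Only the owner may change an account; sharing does not confer write.
        return subject == account.owner
    return False


def reference_monitor(token, operation, account_id):
    """Full decision path. Returns (allowed, reason) so every denial is
    explainable and can be logged with the layer that rejected it."""
    subject = authenticate(token)
    if subject is None:
        return False, "authn: unknown credential"
    if not coarse_authorize(subject, operation):
        return False, f"coarse authz: role {ROLES.get(subject)} may not {operation}"
    account = ACCOUNTS.get(account_id)
    if account is None:
        return False, "object not found"
    if not fine_authorize(subject, operation, account):
        return False, f"fine authz: {subject} has no relationship to {account_id} for {operation}"
    return True, "allowed"


if __name__ == "__main__":
    for tok, op, acct in [("tok-alice", "update_account", "acct-1"),
                          ("tok-bob", "update_account", "acct-1"),
                          ("tok-bob", "read_account", "acct-1"),
                          ("tok-carol", "update_account", "acct-1"),
                          ("tok-zed", "read_account", "acct-1")]:
        print(tok, op, acct, "->", reference_monitor(tok, op, acct))
```

Note that the first two layers could be handled by a perimeter product with no knowledge of the application, which is exactly what the comment describes people ending up with. The third layer fails closed if `Account` lacks an `owner` or `shared_with` field, which is why the subject-to-object mapping has to be in the design before the schema is fixed.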

Roland Dobbins

And again, the perennial elephant in the room that nobody in the infosec world will spare a thought for - DDoS (i.e., the 'Availability' leg of the canonical C-I-A triad).

Rogan Dawes

Great post, Gunnar!

@Roland Dobbins: The problem with DDoS is that there is often not a whole lot that folks can do about it. It's only really when you are large enough to be able to get control over an upstream router/device at your ISP that you can start *trying* to deflect the bogus traffic before it hits your own pipe.

Even then, it is difficult to separate legitimate traffic from DDoS traffic.
