


Your post focuses mostly on Identity and Access Control Services. My experience is mostly on the Defensive Services side of security.

I see the main blocking factors to putting into practice what we already know as related to who knows it and when.

The time it takes for new best practices to permeate through infosec teams and their management is much longer than it takes for new motives and methods to spread among bad actors.

This is because:
1. It's much easier to prove a positive (efficacy of a new offensive method) than a negative (efficacy of a new defensive measure or process).

2. It's much more expensive for organizations to effectively implement new defensive measures than it is for small teams of bad actors to implement new offensive measures.

These asymmetries are fundamental to the defensive nature of the aforementioned eponymous Defensive Services.

Andrew van der Stock

I'd hesitate to say that SAML won. It's a committee-designed camel that requires significant investment and knowledge to get working properly.

However, I think it "won" (for some values of "won") based upon actual business needs.

Too many security geegaws and protocols serve no useful purpose, and worse still, fail to understand the black box nature of most enterprises. You simply aren't going to get something folks actually use like Skype to hook into your "enterprise directory" without significant revision from Microsoft. And until MS decides to revise it to use AD or your UAG repository, you're stuck with a highly popular tool sitting outside of good access control governance.

I do like Dan's approach to research topics though. In my personal opinion for the last five or so years, we really should have been investing in secure frameworks, and ensuring the major app frameworks used by the < 20% of apps that have 80% of the users are secure.

Developers might do it by themselves if you're very very lucky. Integrators / system admins / security folks definitely can't do it by themselves.

We have to stop thinking about the end point, and move upwards.
