« Price is What You Pay, Value is What You Get | Main | Software Security - Putting Hippies and Nerds to Work in the Right Places »

Standards Are Half the Battle

I have a paper at IANS that's on Cloud Identity Management Standards. One of the main points is to communicate the need to understand the limitations of standards. Standards like SAML, Oauth, OpenIDConnect have helped enterprises make a lot of progress on security issues in recent years, but there are no silver bullets and this is just another example of that. CSA and other industry guidance is replete with pointers to interesting standards that can help enterprises on the journey to the Cloud, but its equally important to know the gaps of what the standard is not doing for you.

Photo31

I like the scene in The Untouchables when they are preparing the ambush Al Capone's gang at the Canadian border. The Canadian Mountie (1) says: 

 

When they're on the road and have given the signal, we will engage from the Canadian side of the bridge. Thus taking them by surprise from the rear. And surprise, as you very well know, Mr Ness, is half the battle.

Ness: Surprise is half the battle. Many things are half the battle. Losing is half the battle. Let's think about what is all the battle.

The cocktail napkin for Cloud Identity usually starts with something like this

P2p

And standards give us a good start at half the battle but if we zoom out a bit further, gaps start to emerge

Gaps

And its these gaps that enterprises need to focus on, including

  • Governing the security protocols and standards - how policies are developed, where are they enforced, and how are they updated and managed?
  • How is the protocol integrated into authZ code and processes?
  • What level of visibility does the logging and monitoring have?
  • How is the client storage and sandbox protected?
  • How is the token scoped and what limits are in place around replay and theft?

This isn't a complete set obviously, but its showing that looking at the wider view - how the standard fits into the system as a whole - beyond just the standard is critical at the system level

**

1. Robin- You guys are the world's leader in hand gun violence;your health care system is bankrupt and your country is deeply divided on almost every important issue.

 
[pause] 

Ted - Your cops are called 'mounties'.

 

June 28, 2012 in Security |

Comments

Jamie Clark

Enjoyed the paper, thanks. Tweeted the link out, as follows:

@JamieXML: Gunnar Peterson makes some good points about #cloud #security #standards gaps and limits here: http://j.mp/LUqCef HT @JacksonShaw ... Gunnar's take is a little different from mine and others, but deserves a close read, and a special award for the word "Thingfrastructure".

Regards, Jamie Clark, OASIS

Posted by: Jamie Clark | June 28, 2012 at 09:29 PM

The comments to this entry are closed.