Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

These slippery people.

For me, it’s all about identity and access management these days.

How to disambiguate users without relying too heavily on the classic “identity theft” data. 

How to handle ad hoc registration and secure communication with hundreds of thousands of transient users.

How to make sense of business rules to build them into approval chains in user provisioning.  (This is the sticky part.  There are always unwritten rules that bubble to the surface.  “All users have to be approved for access to that data, so that data owner needs to sign off on it.”  “What about the developer writing the application?  Does he have to get approval too?”  “Oh no, he can create as many test accounts as he wants.”)
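One way to keep those unwritten rules from surprising you is to encode the approval chain as explicit, reviewable policy and have the evaluator flag any request that no dataset-specific rule speaks to. The following is an added example, not code from the original post or from any provisioning product; the rule names, roles, datasets and data owners are constructed, and the "line manager always approves" rule is an assumption.

```python
"""Approval-chain policy for user provisioning requests (added example).

Encodes the rules the post describes: the data owner signs off on access to
a data set, and the formerly unwritten exception that a developer may create
test accounts against it. Requests that match no dataset-specific rule are
reported as uncovered so the missing rule gets written down during review.
All names, roles and data owners below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    requester: str
    role: str          # e.g. "analyst", "developer"
    dataset: str       # e.g. "payroll"
    account_type: str  # "user" (real person) or "test"


@dataclass
class Decision:
    approvers: list = field(default_factory=list)      # who must sign off
    matched_rules: list = field(default_factory=list)  # audit trail
    covered: bool = False  # False -> policy is silent, needs human review


# Constructed mapping; a real deployment reads this from the provisioning system.
DATA_OWNERS = {"payroll": "hr-director", "orders": "sales-ops-lead"}


def rule_manager_always(req: Request, dec: Decision) -> None:
    """Assumption: every request is approved by the requester's line manager."""
    dec.approvers.append("line-manager")
    dec.matched_rules.append("manager-always")


def rule_data_owner(req: Request, dec: Decision) -> None:
    """A real user account on an owned data set needs the data owner's sign-off."""
    if req.account_type == "user" and req.dataset in DATA_OWNERS:
        dec.approvers.append(DATA_OWNERS[req.dataset])
        dec.matched_rules.append("data-owner-signoff")


def rule_dev_test_accounts(req: Request, dec: Decision) -> None:
    """The formerly unwritten rule, now explicit: developers may create
    test accounts without data-owner approval."""
    if req.role == "developer" and req.account_type == "test":
        dec.matched_rules.append("dev-test-account-exempt")


RULES = [rule_manager_always, rule_data_owner, rule_dev_test_accounts]


def evaluate(req: Request) -> Decision:
    """Run every rule; de-duplicate approvers; mark whether policy covered it."""
    dec = Decision()
    for rule in RULES:
        rule(req, dec)
    dec.approvers = list(dict.fromkeys(dec.approvers))  # keep order, drop dupes
    # The catch-all manager rule alone means no dataset-specific rule applied:
    # that is exactly where an unwritten rule is about to bubble up.
    dec.covered = any(name != "manager-always" for name in dec.matched_rules)
    return dec


def uncovered(requests) -> list:
    """Return the requests no specific rule addressed, for policy review."""
    return [req for req in requests if not evaluate(req).covered]


if __name__ == "__main__":
    # Constructed sample requests.
    sample = [
        Request("alice", "analyst", "payroll", "user"),     # owner sign-off
        Request("bob", "developer", "payroll", "test"),     # exempt
        Request("carol", "analyst", "payroll", "test"),     # silent: who approves?
        Request("dave", "analyst", "inventory", "user"),    # silent: no owner
    ]
    for req in sample:
        dec = evaluate(req)
        print(req.requester, dec.approvers, dec.matched_rules, "covered" if dec.covered else "REVIEW")
```

Running it on the constructed sample shows the two requests the written policy has nothing to say about (a non-developer asking for a test account, and access to a data set with no registered owner); those are the ones to take back to the business before the workflow goes live, rather than discovering them as exceptions in the approval queue.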

How to consolidate management of access to ALL the platforms, and no, I don’t just mean single sign-on through Citrix.  Is a system administrator going to go through Citrix to log in to the console of a misbehaving Linux box?  I don’t think so.  Are you going to get your third-party financial application to log in to a local system account through Citrix?  Nuh-uh.  Please don’t tell me there’s a silver-bullet single sign-on solution out there that handles ALL access control, because it’s still only modeled on the Windows-using non-IT employee.

I’m probably going to be spending the next two years solving this problem, and some of my choices are going to be made for me midstream, because I’m dealing with an imminent outsourcing as well.

All in all, I think I’d rather be doing my taxes.


Posted by shrdlu on Sunday, November 05, 2006

Comments

LonerVamp, United States, on 11/06 at 09:45 AM:

Single sign-on is one of those things I hear about a lot, but I have yet to see how it works in reality other than feel-good case studies or just piggy-backing on AD/LDAP. There’s always something that is a one-off or two-off such as an internal web app to track employee learning that requires its own login, or non-Windows boxes that should rather be managed out of band via SSH. Heck, one of my coworkers (a network analyst) just last week complained that it takes too much of his time to log into our ticketing system every morning because it is not tied into AD. I sat there kinda wondering why sysadmin types would ever complain about that; I always expect non-technical people to have the least tolerance to more accounts and logins…

I dunno. I like the feel-good qualities of single sign-on, but I don’t get how they will be effectively realized in anything but a small company. This may just be my ignorance showing through, however, and it might be easier than I am aware. smile

LonerVamp, United States, on 11/06 at 10:01 AM:

I was just reading a post by Bruce Schneier about that national database we can’t see or correct but will judge us by various governmental levels and beyond. In reading the comments, I was wondering why we couldn’t see that data. Perhaps it is because we don’t have a reliable means to identify people. I mean, we already have identity theft and if you have the stones, it is not really that hard to start stealing identities. What if someone impersonated me to get a mailing of my information in that super secret database? I’d be a little annoyed.

I think it is not just you who will be dedicated to identity management and access control for the near future. Everything happening this year and moving forward is going to be swirling around this topic because it is an underlying issue in computing, information, and now in our very electronic, connected world. Not many people outside of CISSP types (and others in similar roles) really understand distinctly that identity is a foundation of our society right now, in computers and beyond.

Then again, as a highly-connected, information-sharing society (hello Internet), we’ve become very skewed in dealing with risk and security. Some things, like elections, really should be held to a very high level of integrity (otherwise our faith in our democracy is undermined), and as such all the “underground” sources (read: blogs) that “out” Diebold and our flawed election process are necessary. But sometimes we “out” technologies that solve problems that will never really ever be 100% foolproof (RFID, perhaps). We expect perfection when it shouldn’t be a criterion. And because we’re getting to be so dependent on amateur media (blogs again) with such efficient information dissemination, we’re going to wind up paralyzed with indecision and lack of perfect answers. :(

I better stop rambling while I’m still ahead. smile
