September 16, 2003

The Insecurity of FC

Why is there no layer for Security in FC?

(Actually, I get this from time to time. "Why no X? ?!?" It takes a while to develop the answer for each one. This one is about security, but I've also been asked about Law and Economics.)

Security is all-pervasive. It is not an add-on. It is a requirement built in from the beginning, and it infects all modules.

Thus, it is not a layer. It applies to all, although, more particularly, Security will be more present in the lower layers.

Well, perhaps that is not true. It could be said that Security divides into internal and external threats, and the lower layers are more normally about external threats. The Accounting and Governance layers are more normally concerned with the insider threat.

Superficially, security appears to be lower in the stack. But, a true security person recognises that an internal threat is more damning, more dangerous, and more frequent in reality than an external threat. In fact, real security work is often more about insider threats than outsider threats.

So, it's not even possible to be vaguely narrow about Security. Even the upper layers, Finance and Value, are critical, as you can't do much security until you understand the application that you are protecting and its concomitant values.

Posted by iang at September 16, 2003 11:56 AM
Comments

The old paradigm that security is implemented at the network layer by network engineers is no longer relevant thanks to the disappearing security perimeter. HTTP tunneling has rendered the DMZ model ineffective - firewalls are of course useful but for protocol containment and packet elision - but not security. What's needed are syntactic XML firewalls and semantic XML IDS systems. The former passes/rejects XML's based on DTD - the latter rejects/alerts based on a knowledge of business process. This requires a different type of architecture than the currently pervasive client/server systems.

Security as a process leaves network-centric security departments floundering to understand let alone meet business requirements for FC application security architecture.

Posted by: Graeme Burnett at September 18, 2003 08:28 PM

Yes But!

All the XML security strategies seem to do is shift the burden from the network to ... the network data format language?! The notion that one can do security at the XML layer is based on so many tortuous presumptions that one wouldn't know where to begin...

How much semantic content can one put into these generic tools? How many IDSs and DTDs ever get completed? Are we saying that we can only use an XML protocol if we can also buy a semantically qualified XML firewall appliance for it?

End-to-end security seems to be a given. I've not found any silver bullet that chambers my security gun.

And, XML itself doesn't seem to change the security equation any more than presenting a label to concentrate attention on, for cataloguing purposes. If anything, it makes security much harder, as building security into XML protocols becomes rapidly more complex; as seen in digsig and crypto efforts...

(Please, someone, anyone, tell me how to put a digsig on my XML-X packets... :-)

Posted by: Ian Grigg at September 19, 2003 12:19 AM