Juggling Identity in the Brave New World
As we speed through the security industry’s gala ball—this week’s RSA Conference in San Jose—it’s clear that privacy and identity management are getting more attention than ever.
Over a period of ten years employed by RSA Security, I worked with authentication, access control, authorization, cryptography, Public Key Infrastructure (please buy my book on the subject, my retirement fund needs help), smart cards, and biometrics—all of those underlying technologies that in aggregate we refer to as Identity and Access Management.
With the rise of SOA and Web services, more and more valuable information is network accessible. XML is quietly invading our networks and applications. Guaranteeing the security, privacy and appropriate access to that information presents a significant challenge, so it has been a natural progression for me to engage in addressing solutions in this area.
Many enterprises have invested in Identity and Access Management. Today they are juggling multiple identity systems and are currently working hard to make Federated Identities effective. Much more than traditional applications, Web Services require leveraging identities, access control and privacy mechanisms effectively. The loosely coupled, reusable value propositions of SOA have significant implications for security policies as granular access to business services cross many trust boundaries.
Consistent and verifiable enforcement of policies must be maintained in the face of different authentication schemes, each with different identities and unique credential formats, different trust models, unique regulatory requirements and a selection of options within standards on particular platform implementations. And then you have to cope with changes in versions of everything. SOA requires a virtualization mechanism that reduces complexity, supports and simplifies change and provides enforcement and monitoring points for verifiable policy application.
Doing security right is expensive in a Web Services world. Mitigation of message-based attacks may require multiple credentials identifying intermediate services, as well as principals in the transaction. Integration with legacy systems may require aggregation of identity attributes and additional authentication credentials, whilst ensuring that the information is not revealed to intermediate systems. Privacy curtains may be required to guarantee that sensitive information sets are transformed, obfuscated, or removed as particular trust boundaries are crossed.
It is already clear that application platforms are grinding away progressively more slowly and the more of these security features we add, the worse the performance becomes. Acceleration and fast processing techniques are helping, but caching, reuse and system-wide optimization of security processing are essential in the brave new world of networked application systems.
Trackback URL for this post: http://www.webservices.org/trackback/id/72663





