Two A's of Operational Security
by Pete Lindstrom, Director, Security Strategies
In the past, we have written about the four disciplines of security management - identity, configuration, threat, and trust management. These disciplines comprise an approach to security that is necessary to protect the enterprise; the activities in these areas are performed by the security and IS staff in order to enable enterprise computing. Perhaps the more immediate security requirement is to control computing activity between two endpoints, typically a user and a resource (host). This core security requirement operates inline and is comprised of the two A's of operational security - authentication and access control (the Four Disciplines replace all of the other A's). Here we discuss these categories.
THE HURWITZ TAKE: The authentication space is highly fragmented. The most prevalent capability is the user ID and password, available in most, if not all, enterprise applications. So we are immediately competing against native capability that can be had for free. The primary approach has been to create the concept of "strong authentication" which involves multiple factors from our stable of possibilities - what you know, what you have, and who you are. Primarily, vendors orient themselves in these spaces, either providing tokens, smartcards, or one of the many, many types of biometrics. In addition, PKI vendors have (sort of) targeted this space with their digital certificates. RSA currently owns the strong authentication space, with its SecurID token reigning supreme in the "what you have" world. But the strong authentication space is a lot like a flea market - you have to wander from booth to booth, selecting and choosing what you want. And, unlike a flea market, these components must work together seamlessly. Hurwitz Group estimates that the market could be an order of magnitude larger for anyone who can link up the following elements into a single solution:
- All authentication factors, with a "choose your own" capability. This includes any desktop hardware and software requirements.
- The single directory/user repository that contains all user attributes and credentials. The credentials must be able to be mixed and matched, so that, for example, a smart card can contain a digital certificate that is accessed with a password.
- The capability to integrate with any platform by presenting credentials that are accepted by all platforms.
It is a straightforward set of requirements with stumbling points everywhere. To date, nobody has been able to do it. It is typical to need to purchase one or more authentication solutions (and get one or more management servers), middleware software on the client side, directory servers, and middleware on the server resource side. Too complex.
Access control is the twin brother to authentication. The two are often confused, and recent developments have made things more difficult. In the past, we authenticated to individual resources. With the introduction of a trusted server providing authentication services, the old "authentication" that occurred with the resource is now a negotiation process carried out by that server on the user's behalf, rather than by the user directly. This negotiation is also often called access control. So access control has developed a two-level hierarchy - first, access to a resource, which used to be authentication, and second, the level of granularity required in the past, which is our traditional access control.
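As an added illustration of that two-level hierarchy (example code, not part of the original article), the sketch below separates the two roles: a trusted server verifies the user's credential and issues a signed token, and the resource first checks the token (the "access to a resource" level that used to be authentication) and only then consults its own fine-grained access control list. The shared key, user records and ACL are constructed sample data, and the HMAC-signed token format is an assumption standing in for whatever a real trusted server would issue.

```python
"""Two-level access control: trusted-server authentication, then resource-level ACL.

Constructed example. SHARED_KEY, USERS and ACL are sample data, and the
token format (base64 claims + HMAC-SHA256) is an assumed stand-in for a
real trusted server's credential.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: one key shared between the trusted server and the resource.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_LIFETIME_S = 300


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the server never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: user -> (salt, password digest).
_SALT_ALICE = b"constructed-salt-alice"
_SALT_BOB = b"constructed-salt-bob"
USERS = {
    "alice": (_SALT_ALICE, _hash_password("correct horse", _SALT_ALICE)),
    "bob": (_SALT_BOB, _hash_password("battery staple", _SALT_BOB)),
}

# Constructed resource-side ACL: resource -> user -> permitted actions.
ACL = {
    "/reports/q1": {"alice": {"read"}, "bob": {"read", "write"}},
    "/payroll": {"bob": {"read"}},
}


def authenticate(user: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """Trusted server: check the credential and issue a short-lived signed token."""
    record = USERS.get(user)
    if record is None:
        return None
    salt, digest = record
    if not hmac.compare_digest(digest, _hash_password(password, salt)):
        return None
    issued = int(now if now is not None else time.time())
    claims = {"sub": user, "exp": issued + TOKEN_LIFETIME_S}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Resource, level 1: accept only unexpired tokens signed by the trusted server."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    current = int(now if now is not None else time.time())
    if claims.get("exp", 0) <= current:
        return None
    return claims


def authorize(token: str, resource: str, action: str, now: Optional[int] = None) -> str:
    """Resource: level 1 (token) then level 2 (ACL).

    Returns "denied-auth" if the token fails, "denied-acl" if the ACL does
    not grant the action, and "allowed" otherwise.
    """
    claims = verify_token(token, now)
    if claims is None:
        return "denied-auth"
    permitted = ACL.get(resource, {}).get(claims["sub"], set())
    return "allowed" if action in permitted else "denied-acl"


if __name__ == "__main__":
    tok = authenticate("alice", "correct horse")
    print(authorize(tok, "/reports/q1", "read"))   # allowed
    print(authorize(tok, "/reports/q1", "write"))  # denied-acl
    print(authorize(tok, "/payroll", "read"))      # denied-acl
```

The point the split makes visible is that a valid token from the trusted server gets a user past the first level on every resource that trusts the key, but says nothing about what that user may do there; the second, resource-local decision is still required, which is the "traditional access control" the text refers to.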
User-oriented access control solutions today focus on the Web, since again, every platform or application has some native capability. SAML and XACML in the Web services world are poised to change this reliance on a huge variety of approaches. The trick is to convince every platform and application vendor to start integrating these new capabilities into their products. That will be a long time coming.
Both authentication and access control are basic needs with highly fragmented markets. Though there is some light here, don't expect it to glow brighter than a firefly. Entrance into this market is tough, and the piecemeal approach makes it even tougher to gain traction.
Copyright 2002 Hurwitz Group Inc. This article is excerpted from TrendWatch, a weekly publication of Hurwitz Group Inc. - an analyst, research, and consulting firm.