March 12, 2004
The Castle-and-Moat Era of Information Security is Over
CSO Magazine declares that the castle-and-moat era of information security is over. Acknowledging that this trend is not going to reverse itself, the article asks "But what defensive model comes next for information security if the perimeter goes away?"
Another part of the shift promoted by several experts involves a complete change in how security organizations view their efforts. "You cannot protect every house in the nation, so you create a border to the country," says Elad Baron, CEO at security provider Whale Communications. "The problem [with information security] is that you need lots of access, not just minimal access through those borders. There is still a perimeter, but you need to switch the paradigm from preventing everything to allowing secure access from anywhere."
From The World Is Your Perimeter - CSO Magazine - February 2004
Referenced Fri Mar 12 2004 14:45:07 GMT-0700
But actually, that's not quite true, is it? We do protect every house in the nation. The security blanket around my house is multi-layered and complex. It starts at the national border and goes down to the locks on my doors and personal alarm system. I was talking to someone last week about this and the idea that came up was that city walls became a thing of the past when technology for breaching them became widespread. That made securing things more complex, but it also enabled commerce in brand new ways. That's true of the current shift in how we think about information security as well.
New security paradigms demand that we turn the old model inside out and instead of viewing identity as a subtopic in security, start to view identity as the foundation for security. To do this, you have to think about identity first and independently and build an identity infrastructure that supports the business, including its security needs. My upcoming book addresses the topic of digital identity and focuses on how an enterprise can build an identity management architecture (IMA). An IMA doesn't describe how to implement an identity infrastructure, but rather defines a context within which the identity infrastructure is deployed. The IMA captures the security requirements of the business, along with the primary requirements of the business (such as partner relationships), so that the identity infrastructure can be built to meet those needs.
02:55 PM
Public Sector Identity Management
Way last November, I was interviewed on the subject of identity management by Linda Formichelli. The article finally showed up in Public CIO magazine. This paragraph contains a fairly significant mistake; see if you can spot it:
In documents created by SAML, which is based on extensible markup language (XML), a user's information comes nested with internal statements about that user's authentication, authorization and attributes. The receiver of that information then automatically determines whether the user should receive the requested information. "CIOs need to be aware of all the work going on in the federal identification space," said Windley. "If people are paying attention to things like SAML, cross-organization identity will be easy to do once everything's in place. If not, they'll find their cross-agency and interstate efforts will be hampered by a lack of identity structure."
From Government Technology's Public CIO Magazine
Referenced Fri Mar 12 2004 14:17:56 GMT-0700
Yes, it's not the "federal identity space" but the "federated identity space." Oh well, I guess when you're talking about government systems, federated sounds a lot like federal.
02:22 PM
RSS vs. Atom
There have been some interesting questions and discussions on the Ask Phil forum. For example, Nathan Stocks said:
It often seems like once I hear about something new it suddenly appears everywhere. RSS is apparently one of these.
I read up on RSS today, and it's essentially an agreed-upon XML format to publish web content, especially blogs.
Then I run across a feature article about RSS vs. Atom on c|net (news.com).
Atom was developed by an IBM Software Engineer and is backed by Google and Six Apart (makers of Movable Type), while just about all of the rest of the big players are currently backing RSS.
Anyway, the article is about a proposed merging of the two formats. Has anyone out there had a lot of experience with Atom? Is it better or worse than RSS, or just different? Would merging the two formats be a good thing?
From Forums for Windley's Enterprise Computing Weblog - RSS vs Atom
Referenced Fri Mar 12 2004 09:59:19 GMT-0700
Ray Matthews, who runs the RSS in Government weblog and probably knows as much about the uses of RSS as anyone, replied:
There were informative discussion sessions about Atom (http://www.atomenabled.org) at both the recent SDForum Web Services SIG meeting (see Brian Cantoni's notes at http://www.cantoni.org/2004/02/25/sdforum) and at RSS Winterfest (see http://www.socialtext.net/rss-winterfest/index.cgi?rss_and_atom). Much of the debate seems to center on which is better, RSS or Atom, and which will prevail?
RSS has taken off because of its simplicity. The Atom backers, a group of critics largely put off by Dave Winer's perceived godfather influence, say that Atom is simpler even than RSS 2.0 and that it offers additional capabilities. For example, you can differentiate between content in an original posting and its replication thereafter through the blogosphere. I think that many developers have been genuinely stoked.
There has been a mixture of reactions amongst those developing aggregators. For the most part they've enthusiastically embraced it. Of course they're going to jump in and support any new "standard"; they need to do so to keep their market share. Many, though, realize that Atom is still an unborn child that may or may not make it in the real world. Google has gone so far as to support it exclusively with their free Blogger service, forcing the hand of aggregator developers who would have preferred to wait and see. I think that was a premature decision.
All the ruckus about burying the hatchet and merging RSS 2.0 and Atom into a backward compatible RSS/Atom may be a sideshow. Are content syndicators rushing to embrace Atom? No. Most new business users of RSS are generating feeds using barebones RSS 0.91. Many using syndication for higher-end needs and opting for RSS 1.0 or NewsML are similarly unimpressed with the hullabaloo.
Two things are certain. It's a good idea to bring RSS and Atom under the umbrella of a standards organization such as the IETF, and the RSS spec will continue to evolve, hopefully keeping its simplicity and continuing to support extensibility. As for me, I'll continue to generate my content in every conceivable format (let the subscriber choose), and use parsers liberal enough to accommodate all.
From Forums for Windley's Enterprise Computing Weblog - RSS vs Atom
Referenced Fri Mar 12 2004 10:01:05 GMT-0700
The debate over RSS 2.0 vs. RSS 1.0 vs. Atom generates a lot of smoke, but in reality, unless you build aggregator software, it's not all that germane right now. Eventually, it will be because there will be a lot of other programs that read and generate RSS (which is the term I use generically). This will happen faster if there's a common format. I think there's reason for optimism that either the market or the proponents of the different versions will decide on a common format soon. Dave Winer's offer is an excellent beginning.


