Gervas

Thanks for instigating a great chain of notes.
I'll focus on two things that were stated in the chain below. I know
they came from different sources - apologies for the mix and match!

1) "I would say the current failure to implement dynamic RBAC
[role-based access control] is because modern business processes are
inherently decentralized.  Hence you need a "platform" that is also
inherently decentralized - i.e., client-side."

I really don't understand the connection between "dynamic RBAC" and
whether data is centralized or not. The reason that J2EE doesn't
implement RBAC control is because it wasn't designed to. It's really
that simple. Very few platforms have been designed with a dynamic RBAC
in mind.

To implement a decentralised dynamic role-based access control system
requires a hugely sophisticated security infrastructure. You need an
exceptionally strong federated identity system. To give an example
from real life, we all take part in a federated decentralised RBAC. We
receive email and we have to decide if it's from who it says it is. And
the fact there is no successful Internet-wide federated identity
system is proven by how successful phishing has been.

2) "If an attacker can figure out your Ajax data request layout, which
depends on factors such as the type of data being requested and the
permissions needed to access data, they can figure out how to access
data without having the authorization to do so," says Basirico, who
spent two years as a programmer with Microsoft."

This is just bandwagoning. If I'm a security expert and here is a new
technology, I'll write a piece on how there are security flaws in that
technology because it's in the press and I'll get printed. AJAX systems
are conceptually easier to control access in than traditional web
applications. Because the XML services are well-defined, it's actually
easier to identify the data access points in the system and easier to
provide control over them. It's taken a long time to get to a point
where web apps are widely secure because the mixing of data access and
logic often ended up in convoluted systems. The AJAX model builds a
very clean line between logic and data access, and so makes it easier
to control access.

I don't like to make generalizations, but the fact that Basirico used
to work for Microsoft isn't surprising. Microsoft has argued for a
long time that "open" systems are less secure than secret systems - in
particular comparing Windows vs Linux. Microsoft have also argued that
vulnerabilities shouldn't be publicised. AJAX systems are inherently
more open - the customer can see more source code (the JS) and can see
the data formats (the XML streams). It is a common mistake to
associate "open" with "insecure" and "closed" with "secure". Open
systems are often more secure because it's easier to spot where the
security holes will be. So while AJAX systems can be vulnerable, in
many ways it's simpler to understand the vulnerabilities involved when
you make a specific data service available.

Paul

On 6/11/06, Gervas Douglas <[EMAIL PROTECTED]> wrote:
> --- In [email protected], Keith
> Harrison-Broninski <[EMAIL PROTECTED]> wrote:
> >
> > Here's a thought to provoke discussion.  What if the root of this
> > (massive) security problem is that organizational apps (and data) are
> > mostly located on servers?
> >
> > Many organizations over the last 10 years have set out deliberately to
> > remove all client-side "User-Developed Applications" (UDAs) in the
> > belief that this would reduce overheads.  So this scenario covers nearly
> > all cases at present (including of course all "Web 2.0" apps, in which
> > only the UI is run locally) - and once a hacker gets in to such a
> > server-side system, they've won the lottery.
> >
> > Whether or not this approach has actually reduced overheads is another
> > question, of course, especially when you balance maintenance overheads
> > against the increased productivity many users experienced from their own
> > hacked-up spreadsheets and databases.  But that's a side issue.
> >
> > By contrast to the current approach, let's suppose enterprises were to
> > switch to a truly decentralized model, in which all data, services, etc
> > are supplied by clients, with servers being used only for
> > non-interactive archiving/monitoring/analysis purposes.  The hacker has
> > a much harder problem - not only finding a target to attack (since
> > properly built client software could be run from anywhere), but in
> > making use of any access gained (since they will only ever see a small
> > part of the complete picture).  This supposes standardized,
> > interoperable clients, of course, not a return to the mess of standalone
> > UDAs.
> >
> > Further, it is commonly believed in the security community that security
> > policies based on "Role-Based Access Control" (RBAC) are the most
> > promising approach.  However, to date no-one has created a server-side
> > operating platform that implements RBAC in a dynamic enough fashion to
> > support the kind of adaptive business processes typical of modern human
> > working practice - witness, for example, the J2EE authentication model,
> > which is useless for such purposes.  I would say the current failure to
> > implement dynamic RBAC is because modern business processes are
> > inherently decentralized.  Hence you need a "platform" that is also
> > inherently decentralized - i.e., client-side.
> >
> > [Declaration of interest: part of my work is building client software to
> > implement organizational work processes <http://humanedj.com>]
> >
> > --
> >
> > All the best
> > Keith
> >
> > http://keith.harrison-broninski.info
> >
> > PS: I might write something about this in my blog, so if anyone has
> > relevant references they would like quoted, let me know.
> >
>
> One of the phenomena that I have noticed since VLSI made distributed
> processing a natural development, is the way fashions flow and ebb
> (and flow and ebb and flow etc.) with regards to centralisation and
> decentralisation of control in computing.
>
> Back in 1995 I was Citrix's only man in Europe.  The US parent
> company's approach to marketing the product was to flog it as a neat
> remote access solution, which indeed it was.  Our visionary chairman,
> Ed Iacobucci, could see beyond this, but the marketing and sales
> people wanted to keep the message simple for the American market.
> Yes, they were probably right under the circumstances, particularly as
> Citrix lacked any direct competition to define the market.
>
> However, some of our serious prospects in Britain (NatWest Bank and
> Royal Bank of Scotland [the latter now coincidentally owns the
> former]) had seen way beyond this.  As a result of their vision and of
> the thinking that we had done at Novell in the late 80s/early 90s on
> notional application servers, I put together a presentation of a
> 3-tier client-server model with a Citrix AppServer sitting in the
> middle, depicted as a large spider called Brucey.  Brucey's legs were
> connected to database and other servers at the back, and to thin
> clients at the front.  This was a significant advance beyond the
> 2-tier PC-based model punted by the likes of Microsoft.  One of
> Brucey's many advantages was the way he made it easier for the IT
> department to maintain data and system integrity and security!
>
> Ever since the PC devolved processing power to the user, IT
> departments have viewed intelligent user devices as being a potential
> security headache.  The problem gets worse - my mobile phone has a
> memory card with the same capacity (250 MB) as the hard disc of a
> workgroup server of the late 80s.
>
> As Keith points out, concentrating all resources in a central server
> cluster presents a well defined target.  On the other hand users wandering 
> around with laptops, memory sticks, iPods, mobile phones, cameras etc., all 
> with substantial storage capacity are in themselves a security nightmare.  I 
> suspect that there is no simple solution to this problem.  Further thoughts, 
> please!
>
> Gervas


-- 
Paul Fremantle
VP/Technology, WSO2 and OASIS WS-RX TC Co-chair

http://bloglines.com/blog/paulfremantle
[EMAIL PROTECTED]

"Oxygenating the Web Service Platform", www.wso2.com
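Paul's argument above is that a well-defined data service makes the access points enumerable, so they can be put behind one control that is easy to review, and that knowing the request layout (Basirico's concern) buys an attacker nothing if that control is enforced server-side. The following is an added example illustrating that design, not code from the thread or from any product mentioned in it: the operations, roles, users and records are constructed, and the in-memory role directory stands in for whatever identity store a real deployment would consult at request time.

```python
"""Single authorization gate in front of well-defined data-service endpoints.

Added example (not from the mailing-list thread). Every client data
operation passes through one gate that resolves the caller's roles at
request time and checks them against a per-operation policy, so knowing the
request layout does not by itself yield data. All names and data below are
constructed for illustration.
"""
import json

# Constructed sample data store: one "table" of employee records.
EMPLOYEES = {
    "e1": {"name": "Ann", "dept": "eng", "salary": 100},
    "e2": {"name": "Bob", "dept": "hr", "salary": 90},
}

# Role policy: which roles may call which data operation. Kept in one place
# so the access points of the service are enumerable and reviewable.
# An operation with no entry is denied to everyone (default deny).
POLICY = {
    "listEmployees": {"staff", "hr", "manager"},
    "getSalary": {"hr"},
    "updateSalary": {"hr"},
}

# Role assignment resolved per request (a constructed stand-in for a
# directory lookup), so roles can change without redeploying the service.
_ROLE_DIRECTORY = {
    "ann": {"staff"},
    "bob": {"staff", "hr"},
}


def resolve_roles(user):
    """Look up a caller's current roles; unknown users get no roles."""
    return _ROLE_DIRECTORY.get(user, set())


class Forbidden(Exception):
    """Raised when the gate refuses an operation."""


# Handlers only know about data; they never make authorization decisions.
def _list_employees(params):
    return [{"id": i, "name": r["name"], "dept": r["dept"]}
            for i, r in EMPLOYEES.items()]


def _get_salary(params):
    rec = EMPLOYEES[params["id"]]          # KeyError for an unknown id
    return {"id": params["id"], "salary": rec["salary"]}


def _update_salary(params):
    EMPLOYEES[params["id"]]["salary"] = int(params["salary"])
    return {"id": params["id"], "salary": EMPLOYEES[params["id"]]["salary"]}


HANDLERS = {
    "listEmployees": _list_employees,
    "getSalary": _get_salary,
    "updateSalary": _update_salary,
}


def handle_request(user, raw_request):
    """Single entry point for all client data requests.

    `raw_request` is a JSON document of the form
    {"op": "<operation>", "params": {...}}, as an Ajax client would send.
    Authorization is decided here, before any handler runs.
    """
    req = json.loads(raw_request)
    op = req.get("op")
    if op not in HANDLERS:
        raise Forbidden(f"unknown operation {op!r}")
    allowed = POLICY.get(op, set())        # missing policy entry -> no roles
    if not (resolve_roles(user) & allowed):
        raise Forbidden(f"{user!r} lacks a role permitted to call {op!r}")
    return HANDLERS[op](req.get("params", {}))


def try_request(user, raw_request):
    """Return (status, result) so callers can log denials instead of crashing."""
    try:
        return ("ok", handle_request(user, raw_request))
    except Forbidden as e:
        return ("denied", str(e))
    except (KeyError, ValueError) as e:
        return ("error", f"bad request: {e}")


if __name__ == "__main__":
    # Ann knows the exact request layout for salaries but holds no HR role.
    print(try_request("ann", '{"op": "getSalary", "params": {"id": "e2"}}'))
    print(try_request("bob", '{"op": "getSalary", "params": {"id": "e2"}}'))
```

The point of the structure is that an auditor can read `POLICY` and `HANDLERS` and see every data access point and who may reach it, which is exactly the visibility Paul contrasts with logic and data access being mixed through a traditional web application; the handlers themselves stay free of access decisions, so adding an operation without a policy entry fails closed rather than open.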
