Chess has some lessons to teach us here. Chess has three main stages - the Opening(where vast analysis applied to the various opening strategies: the Sicilian, Ruy Lopez and so on), the Middle game (which is chaotic), and the End game (strategies to capture the opponent's King). Each stage in the game has a unique set of strategies that are related but separate from the other stage strategies.Following through the analogy - once the Opening game (authentication) has passed, then identity can survive in the chaotic Middle game by propagating verifiable identity (or attributes) in the transaction (which Gunnar covered back in 07). Then the End game is when, at the endpoint, a fine-grained authorization decision can be made based on identity and attributes. The key, like in chess, is not to only perfect the Opening game and then just hope for the best.
A Chess match is not one side dictating rules and the other side simply moving, instead its a synthesis of each side trying various gambits that result in unique permutations from match to match. The nature and structure of these permutations are not possible to calculate effective beyond a certain point so pattern recognition must be used.
Coming full circle back to infosec, the best we can hope for is a good design that facilitates a good Opening game followed by a stream of events and logs that enable effective middle and end games. I think of AAA access control technologies as Opening Game strategies - many people think of Kerberos and other ticketing systems are security, but really they just establish the initial ruleset for operations, the real game begins once they're in place, in use, and under attack. The structure used at the opening does not dictate all or maybe even most of the events that occur in the middle and end game.
Wednesday, January 27, 2010
Thursday, January 21, 2010
First, download the SunOS version of the Vordel Gateway from here (you'll need a Vordel Extranet account first. If you're a Vordel partner or customer already then you'll have one. Otherwise email firstname.lastname@example.org to ask for one).
Decompress the installation package using a command like this, substituting the downloaded file name as appropriate:
prompt# gunzip -c
You're all set then to connect up to the Gateway and start working with policies.
Here are some case studies of Vordel's XML Gateway on Sun hardware:
- The Spanish Government case study on the Vordel Website describes a case study of a Vordel XML Gateway deployed on Sun Solaris in front of Web Services which provide government services
- Mazda uses Vordel Gateways on Sun hardware for communications with car dealers and partners. The goal is to improve business efficiency at dealerships and head office by reducing the double keying of information, and to provide streamlined access to multiple sources of information via one interface. A full case study is available on the Vordel website.
As I've written before, a cloud service broker is the way option to augment security and compliance in front of the Cloud service itself. But, in order to protect the "soft underbelly of the Cloud", Cloud service providers themselves will realize in time that their corporate customers would like the broker effectively baked at the edge.
So, hope to see you at RSA! This year it's earlier than usual, at the start of March, in San Francisco's Moscone Center.
Saturday, January 16, 2010
The article is here:
Wednesday, January 13, 2010
Got your head in the clouds? Then Vordel has a job for you!
Vordel is a world leader in the design, development and delivery of enterprise products to enable leading global corporations and governments control their SOA and Cloud-based computing environments. Customers include Allianz, ASR Nederland, BNP Paribas, Ericsson, Mazda, QPass, Telefonica, Telecom Italia Mobile, the European Union, Spanish Government, UK Government, US Federal and State Governments and many others.
Join our team and help build game-changing technology for the world's leading enterprises and national governments worldwide.
We're constantly on the look-out for the right kind of people to join our team and if you are passionate, dedicated and prepared work hard to achieve your goals then we can offer you a fulfilling career path.
Currently we have vacancies in the following areas:
Senior Development Engineers - Dublin, Ireland
Support Engineers - Dublin, Ireland
QA Engineers - Dublin, Ireland
Technical Writers - Dublin, Ireland
If you believe you have what it takes to make a difference then send your resume/CV to email@example.com
Vordel is an Equal Opportunities Employer.
Tuesday, January 12, 2010
Users of individual SaaS products have generally become confident that their vendor is proficient in maintaining security, ensuring that data is backed up and carrying out other support tasks. However, venturing more broadly into “the cloud,” where many applications may be used as services, is a different matter; establishing trust with numerous third-party suppliers is a complex process.The article goes on to describe some early adopters of the Vordel Cloud Service Broker. It gives an example of an organization applying control to services used in the Amazon cloud.
To help address the problem, Vordel introduced the Vordel Cloud Service Broker in November 2009. It manages multidomain cloud services by registering them in a single repository to facilitate monitoring and policy enforcement. Cloud Service Broker also optimizes performance by providing caching, acceleration and data transformation.
It is worth contrasting the Cloud Service Broker approach with previous "SOA Governance" approaches. With "SOA Governance", an organization would apply policies to its internal services. However, a business depends on more than just its internal services. The approach of the Cloud Service Broker is to apply control to all the services which a business depends upon. So, these are not only internal services, but also services in the Cloud.
Monday, January 11, 2010
The following table shows the three different categories of XML Gateways, and their suitability for virtualization:
|Hardware only||Not suitable for virtualization|
|Software with reliance on hardware card for acceleration||Not suitable for virtualization|
|Software with no hardware dependencies||Suitable for virtualization|
Since it is available as software as well as an appliance, the Vordel XML Gateway is well-suited to running in a virtualized environment. A purely hardware-based product, or a product which depends on a third-party hardware component such as a Tarari card for its performance, can't map to a virtualization environment. By contrast, the Vordel Gateway does not include hardware dependencies which would hobble it in the virtualization arena.
Oracle VM is a great example of a Xen-based virtualization platform which is well-suited to running the Vordel XML Gateway. Setting up the Vordel XML Gateway on Oracle VM is straightforward. To run the Vordel XML Gateway on Oracle VM, I created a Vordel installation on an Oracle VM template running Oracle Enterprise Linux v5 with 1GB memory and 4GB hard drive.
I used Oracle VM Manager to spin up the template. Oracle VM Server then creates a virtual machine which (in this case) retrieves an IP address via DHCP and shows up on my network as 10.10.1.106. Now, I can access it just like any Vordel Gateway instance:
This means that I can now monitor the Vordel Gateway on Oracle VM:
I can manage its policies using Policy Studio, by connecting to the Oracle VM instance:
And I can test the Vordel Gateway on Oracle VM using SOAPbox:
To test the Vordel Gateway on Oracle VM, grab a copy of the Vordel Gateway and Oracle VM and get testing!
Wednesday, January 6, 2010
Congratulations to all at Burton, especially Richard Watson who spoke at Vordel's conference last November, Anne Thomas Manes whose views on SOA are quite literally a matter of life and death, and Phil Schacter who has been tracking Vordel since 2001.