
A Good, Unified Theory

Don't wait for identity management's grand schemes to get aligned before diving into the maw

Albert Einstein spent the last decades of his life working to discover the unified theory to pull together classical and quantum physics. In doing so, he wrestled with some of the concepts that vex security experts today: While it seems necessary that good security practices are uniform no matter the organization to which they apply, in practice there are things that work well for very small units but not for large, and vice versa.

Among the things that have to be worked out for all groups is the question of identity. Microsoft has developed CardSpace, a single identity and payment information store that's implemented in Vista. (See Microsoft Vision Raises Questions.) It's an interesting implementation that promises to securely store a whole bunch of private information, and then securely transmit that information to systems requiring it.

The same promises are at the heart of the Higgins Project. The differences between the two are that Higgins is open source (CardSpace is not), and CardSpace is unique to the Windows platform while Higgins aims to be a cross-platform standard.

The Higgins Project team and Microsoft seem to be in the process of working things out so that Higgins data and CardSpace data can be shared between systems. (See Open-Source Projects Team on Identity Management.) If it works out, it will be a major step forward in unique, verifiable online identity management.

While you're waiting for the development teams to finish their versions of the Unified Theory, you might do some thinking of your own. For example, just as individual particles aren't static, but move in probabilistic fashion, users tend to move in their own orbits, vibrating here and there inside (and outside) the organization.

How well do you keep up with their movements? Permission creep is a real concern in today's network directory structure, but as we add more information to the data store, keeping it current -- and knowing when and how to securely purge user records (or portions of records) -- becomes absolutely critical.

Other related issues to ponder:

  • What triggers a change in the user record?
  • How is information verified?
  • At what intervals are all records examined to make sure nothing has slipped through the cracks?

In short, what is the process ensuring that all the information securely stored and transmitted is correct? Your organization will be much happier if you know the answer to that question before you begin implementing the Great Identity Management System.
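The three questions above (what triggers a record change, how information is verified, and how often every record is re-examined) can be turned into a small, repeatable access review. The script below is an added illustration, not code from the article, Microsoft or the Higgins Project: it runs over a constructed directory export, flags entitlements that exceed a user's role baseline (permission creep), flags records whose last verification is older than the review interval, marks departed users' records for purging, and shows a role change as the event that resets a record. Role names, entitlement strings, dates and the 90-day interval are all constructed assumptions.

```python
"""Added example: a periodic identity-record review over constructed data."""
from copy import deepcopy
from datetime import date, timedelta

# Constructed role baselines: the entitlements each role is expected to hold.
ROLE_BASELINES = {
    "analyst": {"crm.read", "reports.read"},
    "developer": {"repo.read", "repo.write", "ci.run"},
    "hr": {"hr.read", "hr.write"},
}

# Constructed user records standing in for a directory export.
USERS = [
    {"uid": "alice", "role": "analyst", "status": "active",
     "entitlements": {"crm.read", "reports.read"},
     "last_verified": date(2020, 4, 1)},
    {"uid": "bob", "role": "developer", "status": "active",
     # bob moved from HR to development but kept hr.write: permission creep.
     "entitlements": {"repo.read", "repo.write", "ci.run", "hr.write"},
     "last_verified": date(2019, 11, 15)},
    {"uid": "carol", "role": "hr", "status": "departed",
     "entitlements": {"hr.read", "hr.write"},
     "last_verified": date(2020, 1, 10)},
]

REVIEW_INTERVAL = timedelta(days=90)   # assumed re-verification interval
REVIEW_DATE = date(2020, 5, 28)        # constructed "today" for the review


def review(users, baselines, today, interval=REVIEW_INTERVAL):
    """Return (uid, finding, detail) tuples; nothing is modified."""
    findings = []
    for u in users:
        if u["status"] != "active":
            # A departed user's record should be purged, not merely disabled.
            findings.append((u["uid"], "purge", sorted(u["entitlements"])))
            continue
        excess = u["entitlements"] - baselines.get(u["role"], set())
        if excess:
            findings.append((u["uid"], "creep", sorted(excess)))
        age = today - u["last_verified"]
        if age > interval:
            findings.append((u["uid"], "stale", age.days))
    return findings


def remediate(users, baselines):
    """Return a cleaned copy: departed records dropped, creep trimmed."""
    cleaned = []
    for u in deepcopy(users):
        if u["status"] != "active":
            continue
        u["entitlements"] &= baselines.get(u["role"], set())
        cleaned.append(u)
    return cleaned


def on_role_change(user, new_role, baselines, today):
    """A role change is the trigger: reset the record to the new baseline."""
    updated = deepcopy(user)
    updated["role"] = new_role
    updated["entitlements"] = set(baselines[new_role])
    updated["last_verified"] = today
    return updated


if __name__ == "__main__":
    for uid, kind, detail in review(USERS, ROLE_BASELINES, REVIEW_DATE):
        print(f"{uid:6} {kind:6} {detail}")
```

Stale records are only reported, not auto-fixed: re-verification needs a human or an authoritative source (HR system, manager attestation), which is exactly the second question the column raises.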

Physicists have taught us that you don't have to wait for the Grand Theory of Everything to be published before you can do valuable work. While you're waiting for the earth to shake with the brilliance of the Products Yet to Come, make sure your security processes (you know, the ones that keep the planets spinning happily in their orbits) are ready for any technology that comes along.

— Curt Franklin is an enthusiastic security geek who used to be one of the Power Rangers (the red one, we think). His checkered past includes stints as a security consultant, an IT staffer at the University of Florida, security editor at Network Computing, chief podcaster for CMP Technology, and various editorial positions at places like InternetWeek, Byte, and Hog Monthly. Special to Dark Reading.
