Message-ID: <871080DEC5874D41B4E3AFC5C400611E06B476FA@UTDEVS02.campus.ad.utdallas.edu>
From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: Soft-Chewy insides
> -----Original Message-----
> From: George Capehart [mailto:capegeo@...ngroup.org]
> Sent: Monday, September 29, 2003 6:52 AM
> To: Curt Purdy; Schmehl, Paul L; 'Full Disclosure'
> Subject: Re: [Full-Disclosure] Soft-Chewy insides (was:
> CyberInsecurity: The cost of Monopoly)
>
> Paul Schmehl's lament was that "we as a 'security community'
> have [not]
> even begun to tackle this problem." I would submit that, as a
> community, we *have*. All one has to do is to look at the ISO/IEC
> standards, the ANSI standards, the NIST Special Publications, the
> Common Criteria, DITSCAP, COBIT, etc., etc., etc. the WS* standards
> coming out of the W3C and OASIS, the IATFF, etc. to see that we
> understand the problem and have documented almost ad nauseum how to
> deal with it. The military and intelligence community have been
> practicing "good security" for years. Even the government is
> beginning
> to catch on. IMHO, the problem is *not* with the security community,
> but with the "governance community."
>
I'm not going to disagree with this at all, however I would point out
that standards are one thing, implementation entirely another. It's
nice to have standards that provide guidance in security structuring,
but without the tools to implement those guidelines, they're guidelines
and not much more. Only in the past couple of years have we seen any
really useful tools in this area, and the prices are out of reach of
many organizations. (Like other things in technology, it would be nice
if those prices would come down over time.)
Here's just one example. How do I integrate groups in a heterogeneous
environment? If I want to create a group that has certain access with
certain rights, and I want that group to have access to both Unix and
Windows resources, how do I do that? Right now it takes a lot of manual
work (scripting, etc.). Where are the tools to make this easy? Or
worse. How do I monitor who are members of those groups? How do I know
which people to remove based on resignations/terminations/etc.? How do
I verify that the user has been removed from both Windows and Unix
groups? (Because you can't create a global group that is authoritative
for both platforms - well, you sort of can using LDAP.)
Furthermore, Unix and Windows don't even agree on what a group is. Or
how the rights for that group should be configured. (Homogeneous
environments are fairly easy in comparison but still not without their
problems.) If, for example, I have a resource which I want to offer to
some users at a read only level, to others at a read/write level and to
a few at a full control level, how do I do that in Unix? Unix only
understands u-g-a. In Windows I can "attach" as many groups to a
resource as I want, each with its own level of access. And I have
multiple types of access, not just read, write and execute. How do I
integrate these two disparate implementations? If I want security to be
granular, how do I do that when heterogeneous resources force me into a
"least common denominator" scenario?
That's what I'm referring to when I say "we, as a security community"
have only begun to try addressing these issues. Right now,
organizations pretty much have to "roll their own" - not a very
efficient way of solving a universal problem.
WRT your rant about C-level, I totally agree.
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
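The "roll your own" reconciliation Paul describes (verifying that a departed user is gone from both the Unix and the Windows side of a group, and spotting members who exist on only one platform) is the kind of scripting organizations had to write themselves. The following is an added example, not code from the thread or from either poster: it parses a constructed `/etc/group` excerpt and a constructed tab-separated export of Windows group membership (the export format, the group names, the account names and the terminated list are all assumptions made up for the example), and reports the drift between the two platforms.

```python
"""Reconcile group membership between a Unix group file and a Windows group
export and report drift. Added example; all sample data is constructed."""

# Constructed sample: an excerpt of a Unix /etc/group file.
UNIX_GROUP_FILE = """\
research:x:1001:alice,bob,carol
finance:x:1002:dave,erin
"""

# Constructed sample: a flattened export of Windows group membership,
# one "group<TAB>account" pair per line. The format is an assumption;
# a real export would come from a directory query or an admin tool.
WINDOWS_GROUP_EXPORT = """\
research\tAlice
research\tbob
finance\tdave
finance\terin
finance\tfrank
"""

# Constructed sample: accounts HR reports as resigned or terminated.
TERMINATED = frozenset({"carol", "frank"})


def parse_unix_groups(text):
    """Map group name -> set of member logins from /etc/group syntax."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = {m.strip().lower() for m in members.split(",") if m.strip()}
    return groups


def parse_windows_export(text):
    """Map group name -> set of account names from the tab-separated export.
    Windows account names are case-insensitive, so normalise to lower case."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        group, account = line.split("\t", 1)
        groups.setdefault(group.strip(), set()).add(account.strip().lower())
    return groups


def reconcile(unix, windows, terminated=frozenset()):
    """For every group seen on either platform, list members present on only
    one side and terminated accounts that still hold membership anywhere."""
    findings = {}
    for group in sorted(set(unix) | set(windows)):
        u = unix.get(group, set())
        w = windows.get(group, set())
        findings[group] = {
            "unix_only": sorted(u - w),
            "windows_only": sorted(w - u),
            "terminated_still_present": sorted((u | w) & terminated),
        }
    return findings


def has_drift(findings):
    """True if any group shows a discrepancy or a lingering terminated account."""
    return any(any(v) for f in findings.values() for v in f.values())


def report(findings):
    """Render findings as one line per issue, suitable for a daily review."""
    lines = []
    for group, f in findings.items():
        for key, members in f.items():
            for m in members:
                lines.append(f"{group}: {key}: {m}")
    return lines


if __name__ == "__main__":
    result = reconcile(parse_unix_groups(UNIX_GROUP_FILE),
                       parse_windows_export(WINDOWS_GROUP_EXPORT),
                       TERMINATED)
    for line in report(result):
        print(line)
```

Run daily against fresh exports, the "terminated_still_present" lines are the ones that answer the question in the post (has the user actually been removed on both platforms?), while "unix_only" and "windows_only" show where the two platforms' view of the same group has diverged.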