Diversity as a form of Defense in Depth

I was thinking about David Maynor’s post on Cisco’s latest security updates. His feelings are quite clear on the danger of a homogeneous network:

Again let me state for the record how I feel about this: do not buy a single vendor solution for something as important as the very basis for how your network operates. I know you may get volume discounts or sales reps might take you to nice lunches but eventually something like this will happen.

A homogeneous network is a weak network. Yes, all products from every vendor have bugs and vulnerabilities. In a homogeneous network, all of those bugs and vulnerabilities are arranged like a row of billiard balls. One good smack on one end will travel clear to the end of the row. In a heterogeneous network, the bugs and vulnerabilities don’t line up so neatly. In fact, the heterogeneous network looks more like a set of balls randomly dispersed on the table. A bump on one side is far less likely to make it all the way across – that is a form of defense in depth.

Thoughts on Relational Continuity Sockets Layer

Mike has clearly been doing some heavy thinking and his recent post on his Law of Relational Risk is evidence of that. Mike’s last idea in the piece caught my attention, the notion of Relational Continuity Sockets Layer. The idea is that:

It would allow multiple participants to interact on a channel that is secure for the duration of the relationship or at least one risk cycle (this means longer-lived sessions than SSL) and allows for relation IDs (similar to session IDs).

For such a connection to be created a myriad of problems have to be solved. Just a couple off the top of my head:

  • A method for describing a risk-based relationship in terms more meaningful to humans than what kind of authentication you prefer. Said another way, my selection in authentication type and method is not a good indicator of the level of risk I am prepared to accept.
  • A way to describe the longevity of the relational connection and context. I, as a participant, need a way to say, “This relationship is over.” I can do that in a variety of ways in the real world, and need an analogous way to do that in the virtual world. Further, if my SSL connection is closed, but I am still connected to the RCSL by a tendril of a relationship, what does that mean?

Privacy statements and data retention policies become even more “interesting” in this proposed environment. At the bottom of a relationship is an agreement, either explicit or implicit. In an on-line world, these agreements are usually the things that an end-user doesn’t read before checking the box that says, “Yup, I agree.” I wonder what all the terms and conditions would look like for businesses establishing an RCSL-based relationship.

As identity management systems become part of the core infrastructure of business, policy management becomes a harder and harder job. We’re going to have to tackle it someday…

Identity Literature

During his talk today, Jim mentioned that as he began to write his book, he surveyed the existing identity literature and theory and found them extremely lacking. Fair enough. There really isn’t a lot out there on credentialing and identification.

This triggered a thought/memory/realization. I’ve never quite understood why I like working in the identity space. The people are interesting, sure. The concepts are approachable and visceral… after all, identity management is about me: my stuff, what am I allowed to do, who is allowed to know what about me, etc. At the bottom of it, the problems of identity are fascinating to me.

And in the instant I pondered Jim’s point that there was little identity literature, I realized that he might not have been looking in the right place. He probably didn’t expect that one of the greatest bodies of writing on identity lives in Scottish Literature.

Years ago, I spent my junior year abroad at the University of Edinburgh. Scottish lit was part of my course work. Ian Campbell, Cairns Craig, and Aileen Christianson were my guides through everything from Redgauntlet to Mary Queen of Scots Got Her Head Chopped Off. Scottish writers have a strong tradition of approaching identity and duality issues. Three books that I read and highly recommend:

  • The Private Memoirs and Confessions of a Justified Sinner by James Hogg
  • Strange Case of Dr. Jekyll and Mr. Hyde by Robert Louis Stevenson
  • Lanark: A Life in Four Books by Alasdair Gray

Each one is packed with identity fun. Identity fraud, identity theft (the real, metaphysical kind… wait, can something be real and metaphysical?), self-asserted credentials, and more.

Ok, I grant you that none of those titles cover strong multi-factor identification, federation, URL-based identity and the like, but they do make for a great read. And if it ever gets cold around here again, I’ll definitely be picking one of them back up for some fireside reading.