top of page
  • Shawn McKinney

We Can Stop Looking For That Panacea Now

It seems every year there’s a new protocol for handling security. I was first sucked down into this black hole in the ’90’s. Few standards back then. Now, so many years and protocols have passed…

https auth, x.509 auth, CSIv2, spnego, liberty, saml, ws-*, xacml, openid, oauth, uma

All said to hold great promise. Once we switched to use it, the security problems will be solved. Great. So which is the right one?

The answer is there can never be just one. Applying security requires care and ingenuity. But most of all depth into all processing layers and tiers. Favor micro-services? Maybe oauth 2.0 will be sufficient?

No, it will not. We still require authorization controls beyond the web tier entry points, down into the data and enterprise tiers, or whatever our target platform chooses to call them now… Containers anyone?

This means we need more than an oauth 2.0 web api (for example). We need an authorization engine with the granularity to control who may access which objects for what operations served at a massive scale. A perimeter access control system will never be able to do it all. Neither will our ActiveDirectory servers (azure or no).

So we can stop looking for that panacea now. It doesn’t exist, nor will it ever. Instead, let’s take the time to understand the architecture of the target system and apply appropriate security controls as needed. In other words understand the problem before searching for a solution. There are numerous examples to follow, contact me for details.

120 views0 comments

Recent Posts

See All

OpenLDAP & LMDB Sizing Guide

Jan 17, 2022 Introduction Symas OpenLDAP configured with LMDB has been extensively tested and its performance characteristics are well understood. Both OpenLDAP and LMDB’s scaling characteristics are

Implementing LDAPS in Symas OpenLDAP 2.5+

Please note that the certificates must be in a pem format (.pem or .crt). You will need three certificates: Root CA certificate, server certificate (with the fqdn of server in subject line or in the s


bottom of page