We Can Stop Looking For That Panacea Now
It seems every year there’s a new protocol for handling security. I was first sucked down into this black hole in the ’90’s. Few standards back then. Now, so many years and protocols have passed…
https auth, x.509 auth, CSIv2, spnego, liberty, saml, ws-*, xacml, openid, oauth, uma
All said to hold great promise. Once we switched to use it, the security problems will be solved. Great. So which is the right one?
The answer is there can never be just one. Applying security requires care and ingenuity. But most of all depth into all processing layers and tiers. Favor micro-services? Maybe oauth 2.0 will be sufficient?
No, it will not. We still require authorization controls beyond the web tier entry points, down into the data and enterprise tiers, or whatever our target platform chooses to call them now… Containers anyone?
This means we need more than an oauth 2.0 web api (for example). We need an authorization engine with the granularity to control who may access which objects for what operations served at a massive scale. A perimeter access control system will never be able to do it all. Neither will our ActiveDirectory servers (azure or no).
So we can stop looking for that panacea now. It doesn’t exist, nor will it ever. Instead, let’s take the time to understand the architecture of the target system and apply appropriate security controls as needed. In other words understand the problem before searching for a solution. There are numerous examples to follow, contact me for details.