No App Is An Island
by Deborah Volk on September 17th, 2009

...but perhaps it should be. A properly fortified island with double moats, crocodiles (or cheerleaders), molten lead showers, Spartan warriors and of course artillery straight from Guns of Navarone . (I don't know why you need artillery if you have crocodiles but I wanted to add it just in case. As the ancient Finnish proverb says, "backups never hurt").
In many an enterprise you'll find a network architecture where a lot of effort has been spent on protecting the perimeter, separating nice, shiny, internal TCP packets from mean, dirty and virus-laden external packets. (UDP packets are always lost and confused, no need to filter them out). As Gunnar Peterson writes in his "There Are No Firewalls" blog entry, imagine that there's no firewall separating inside from the outside. What would be the potential damage to the business assets previously thought safe? This is an excellent Gedankenexperiment for any enterprise architect but it's particularly interesting to examine in the identity and access context.

Firewalls are breached because the attacks evolve faster than perimeter security products. Even if the product has adequate protection against some very sophisticated threat, it's far from certain that it's configured and installed (and patched!) correctly to contain the threat. Thus, the conservative assumption is to assume that the firewall doesn't exist. Once the perimeter curtain drops, it can be quickly shown that identity and access management infrastructure can make a large difference in both keeping the bad guys at bay and at creating value by enabling collaboration between customers, partners and the company at the center.
If the application owners assume that they're all inside a fortress, the applications typically have an anemic authentication and authorization model. At best, authentication relies on a single factor, usually a username/password combo. At worst, there's no authentication and it's either derived from the fact that you're on the internal network with your credentials lifted from the desktop or the application doesn't even bother to authenticate you. The latter is common for content-based apps (hey, wer're on Intranet, whee).
Authentication is a binary state - you're either in or you're out. Authorization, on the other hand, is a much more fluid phenomena. You can be inside the fortress walls, even inside the building because the front door was poorly locked but you won't be able to do much after that if you need 50 different keys (privileges, permissions, broadly - entitlements) to open one more door leading to treasure. The role of entitlements and their place in an authorization model suddenly becomes crucial to reflecting the attack. Deploy adaptive access control on the front-end where transactions as benign as a page retrieval or a form submittal could be considered in a real-time risk score and deploy fine-grained entitlement attestation on the back-end to catch deviations and you've got a credible defense mechanism. (If you open the gates to the world and remove the firewall, what do you do about dirty packets, be they viruses or denial of service attacks? Gartner's Neil MacDonald says you virtualize and proxy everything).
Fortifying each app is expensive so why do it? Think about the parties you do business with, typically your customers and your partners. Your large customers and most valued partners will want to participate in your business processes, be they sales, order fulfillment, distrubution or garbage collection. How do you let them into your shop? Easy solution - require them to play nice with your perimeter, e.g. require them to use VPN or secure tunnel. Harder solution - deploy an app, usually a web app (e.g. a portal) that exposes relevant chunks of a business process. Hardest solution - don't do anything, your CRM, ERP, SFA and other apps already have your business processes implemented on top of them. All you need is for the process to extend beyond the perimeter, easy and secure collaboration. Why waste money on building yet another app or reinventing the wheel by changing the current process when you can take a few important apps, make them into islands and open the gates.

Posted in Access Management    Tagged with entitlements


K. Brian Kelley - September 18th, 2009 at 10:20 AM
Why do you need artillery? Defense in depth. With enough cheerleaders, your crocs are toast:

Deborah Volk - September 18th, 2009 at 11:38 AM
Point well taken. I've updated the blog!
Leave a Comment

2012 (1)
2011 (2)
2010 (2)
2009 (64)
March (11)
April (18)
May (18)
June (4)
July (1)
August (1)
September (5)
October (5)
December (1)