Mark O'Neill's Radio Weblog

Blogging RSA 2: Craig Mundie from Microsoft namechecks SecPal

Tue, 08 Apr 2008 18:34:35 GMT

A couple of years ago i spoke alongside Andy Gordon and Cedric Fournet from Microsoft Research (Cambridge, UK) at a conference in France. At that time, they were working on validation of WS-Policy policies, detecting logical faults and inconsistencies, but they were also looking at mechanisms to express authorization and RBAC information in general.

It is good to see their work mentioned this morning by Craig Mundie in his RSA Conference Keynote. He mentioned in a framework called SecPAL ( read: http://research.microsoft.com/~moritzb/docs/beckerfournetgordon_authorizationlanguage.pdf ).

I have some questions about SecPAL though. It overlaps with XACML, but it is designed in a more "natural language" way than XACML (anyone who has read XACML will know what i mean about that). But, nobody in their right mind would create or edit policies by manually editing XACML. XACML import and export (and policy import and export in general) is important in large networks. Policy silos are just as bad as identity silos. It would be possible to map from SecPAL to XACML, i can see, but right now nothing does that (right?). That is a gap right now.

One great thing about SecPAL is that it is built on top of research into developing policies which are logical and useful. Policy languages often give you "enough rope to hang yourself", and they have thought about this in advance. That's all good. But i remain worried about the overlap with XACML. Maybe it was telling that teh example used by Craig Mundie, doctor access to healthcare, was very similar to the example used in the XACML Specification.

Looking forward to seeing where Microsoft goes with SecPAL.

Blogging RSA: The "Identity Router" - a neat concept

Tue, 08 Apr 2008 18:19:21 GMT

Identity Management is plagued by analogies which are not quite correct, resulting in tremendous confusion. For example, a digital certificate is a little bit like a passport, but not quite...

Once in a while, though, a good analogy crops up. One such example was used by Andre Durand yesterday, the "Identity Router". This phrase neatly gets across the ability to join identity information from two domains together. "Identity Bridge" might also apply.

XML Gateways are natural "identity routers". They can take one token, used in one domain, and map it to a token used in a differnet domain. It is best to use standards for to achieve this. Key standards here include SAML (to encapsulate the identity information sent between domains) and WS-Trust (to exchange one form of security token to another).

In the Vordel XML Gateway we provide the building blocks to do this mapping, to create "identity routing" nodes. In the example below, the Gateway is using a policy which makes use of WS-Trust to convert from a WS-Security UsernameToken (used in one domain) to a SAML token (which can be sent across the network to another domain). At the other domain, a local XML Gateway can use the SAML token to map the user to their local identity there. The beauty of using the standards is that customers are not locked into proprietary methods of doing this mapping.

Speaking on Banking Web Services at RSA Conference this week

Sun, 06 Apr 2008 20:47:17 GMT

I'm speaking on Tuesday at the RSA Conference in San Francisco, the details are below.

It's nice to see the little star in the catalog beside my name means "Top Rated Speaker" :-)

Full catalog is here: https://cm.rsaconference.com/US08/catalog/controller/catalog

If anyone out there is going to be at RSA, let me know since I have tickets to a drinks reception after my talk which I can give out.

-------------------------------------------

HT2-107	Case Notes from a Vulnerability Assessment of a Bank's Web Services	Intermediate Technical	Track Session	Tuesday, April 08 04:10 PM	Mark O'Neill CTO, Vordel

HT2-107

Case Notes from a Vulnerability Assessment of a Bank's Web Services

Intermediate Technical

Track Session

Tuesday, April 08 04:10 PM

Mark O'Neill

CTO,

Vordel

"What slow aspects of XML do you speed up?"

Mon, 18 Feb 2008 18:17:56 GMT

At a meeting near Washington recently I was asked "What slow aspects of XML do you speed up?". The answer is in our XML Offload White Paper . I'd encourage everyone to check it out.

As well as offloading XML validation, XML Signature, and XML transformation, we also provide "XML Enrichment" on the network. What is "XML Enrichement"? It is the name given to the practice of looking up contextual information which is then embedded into the XML message. For example, one of our mobile telecoms customers uses our XML Gateways to look up subscriber information in databases and directories and then to insert it into XML messages on the fly on the network. Then, the task of looking up this information is offloaded from the application server. It is another example of XML Offload.

Network Computing - CA Gets a Gateway to SOA

Tue, 20 Nov 2007 18:42:43 GMT

It's official - read all about it at NWC blog:

http://www.networkcomputing.com/blog/dailyblog/archives/2007/11/vordel_gives_ca.html

Skating, scarves, and snow - Winter in Boston

Tue, 20 Nov 2007 18:41:09 GMT

Securent and Cisco

Mon, 19 Nov 2007 23:36:00 GMT

When Cisco acquired Securent, the first question of course was "after Securant and Securent, who owns Securint.com?" Well, that is a joke, sort of [if you're wondering, LexisNexis owns Securint.com].

But, hey, there are five vowels and the other two variations are available:

[BTW - ever thought about phoning up the Register.com "Web Services Consultant" and asking "Where do you stand on SOAP and REST?"]

But the second question was "If Cisco owns both Securent and Reactivity, i.e. both the PEP and the PDP, will they not be tempted to forget about standards and connect the two in a proprietary way?". i.e. At the moment, any XML Gateway can act as a PEP for Securent (Vordel, Datapower, Layer 7, or the Cisco ACE Gateway as they call the Reactivity product now). Would they be tempted to add some functionality which would make the Reactivity product "more equal than others" when it comes to talking to Securent.

The answer seems to be "No", as reported by Anil John and Phil Schacter. Cisco apparently are not putting the Reactivity and Securent products into the same business group.

SAML, XACML, PEPs and PDPs are subjects close to Vordel's heart. I explain here about part of how we provide his XACML and SAML support. We've support them for a long time and we have one of the earliest live XACML PEP/PDP implementations live up in Canada, and it's been in production for over 2 years now. All of the IAM vendors support SAML and XACML to some degree. It will be interesting to see how the Securent acquisition plays out for Cisco.

Drizzly Dublin or Drizzly Boston

Mon, 19 Nov 2007 22:54:42 GMT

I missed Jon Udell who visited our Dublin office today. I was at home in drizzly Boston instead, having swapped one drizzly place for another.

Jon chatted with our VP Engineering about SOAP vs REST (where better than Ireland for a discussion about religious wars, don't get us started on Emacs vs vi).

Dave pointed out that within the enterprise, especially in Message Queue environments, SOAP and WS-* are very much alive. After all, they are transport neutral. But, if you want to maximize your client reach, REST is the way to go.

Vendors have to be neutral like Switzerland (or, um, Ireland) in this matter. With our XML Gateways you can support SOAP and REST with the same Web Services, and apply the same policy umbrella to both: http://radio.weblogs.com/0111797/2007/10/05.html.

OWASP San Jose

Mon, 19 Nov 2007 22:42:51 GMT

Last week I was at the OWASP Conference at San Jose in Ebay. Because of an IBM cancellation, I ended up giving two presentations - the one I was scheduled for, and a presentation in the IBM Datapower timeslot. For the second slot, I talked about 8 of our customer case studies and the problems which our products addressed for these customers. I find that it's a lot more useful to talk about concrete things like this, rather than "here is a vulnerabilty which may or may not apply to Web Services". In the case studies, you can see how we provided real benefit by offloading XML heavy lifting off application servers, and providing centralized policy-based control of SOA, from edge to endpoint.

The conference itself was really great. Apart from a trip to Oracle OpenWorld, I was there for two days and saw some great talks. The highlight for me was Sami Kamkar - what a great talk about his experience writing the MySpace Sami worm and suffering the consequences. Hilarious (the first person to access his adjusted profile was the girlfriend of a friend: "She was totally checking me out!") and informative (step-by-step walkthrough of the code) at the same time.

My two presentations should be up on the OWASP site anytime soon.

CA's new Identity and Access Management (IAM) suite

Mon, 19 Nov 2007 22:31:15 GMT

CA's new Identity and Access Management suite is particularly strong, although I guess I am biased :-) [see below].

By combining an XML Gateway with SiteMinder, a directory, and mainframe security, it really is a full stack. Integration is provided on a plate to the customer, rather than leaving the customer to think "how do i get all these security pieces to work together".

Included in the first wave of releases will be CA SiteMinder, the single-sign on product for web access; SOA Security Manager, the successor to CA's TransactionMinder; SOA Security gateway appliance, which is OEM'ed from Vordel; CA Directory; plus a batch of mainframe security products.
http://www.computerbusinessreview.com/article_news.asp?guid=8FBCA9C5-D605-4E3D-9DF9-021EB6282299

SOA Plumbing delivering power and water usage info

Tue, 23 Oct 2007 20:49:36 GMT

Joanne Cummings has an interesting story in Network World today about an electricity utility in the US Pacific Northwest which is using SOA.

The story reminded me of another user of SOA in the utility space: EPAL in Portugal. EPAL is the Portugese state water board. They use SOA to provide customer-facing information about water usage, and they use XML networking infrastructure and an event-driven model.

Utilities are widespread users of Real World SOA , though the goal here is not competitive advantage: The intriguing thing about the two case studies is that the goal in both cases is to cause their customers to use less of their products. By providing real-time insight into their rates and usage, they can do this (the customer thinks "it costs *that* much????").

There is no comparable EPAL case study online, but here is a snippit from one of our press releases:

Empresa Portuguesa de Aguas Livres (EPAL), the largest water supplier in Portugal, selected Vordel to provide security for its XML-based online services. "We are delighted with the way that VordelSecure is able to communicate with all the systems we currently have running," said Dr. Luis Novaes dos Reis, CIO at EPAL. "It can handle existing security methods, talk to the legacy systems, as well as run in tandem with the new application servers. VordelSecure was also fast to implement, and, because of its ability to leverage the existing architecture and reduce security maintenance costs, will deliver significant savings to EPAL."

What is Web 2.0, anyway?

Mon, 22 Oct 2007 21:50:21 GMT

This presentation by John Breslin of DERI and boards.ie is the best explanation of the social networking aspects of Web 2.0 as I have seen anywhere.

John builds the argument that connections between people are not just about the connections ("Hey, I have 100 LinkedIn connections") but they are about connections around objects. In this respect, Wired's already widely-criticised story on "The Six Lamest Social Networks" actually has it backwards: by organizing networks centrifugally around objects, Social Networking sites have meaning, even when they do not have 200 milllion users and even when they are centered around minority interests (like Thomas Kinkade paintings!). The point is that they are centered on objects which are in common.

Normally I gag on any presentation which includes the Semantic Web, usually preceeded by words like "ontology" (I agree with Sean McGrath's sentiments: "I'll cheer from the rooftops if anything great comes out of this gargantuan effort around the Semantic Web but gee, I'm just not at all convinced that this stuff is going anywhere fast."). But this one is different. The presentation builds to make the case that the way in which they objects are defined for Social Networks can use Semantic Web elements, such as the widely-cited "Friend of a Friend".

Anyway, this presentation is highly recommended. View it for yourself