Security-Identity-Logistics

Many Identity Management efforts –including large programmes– are severely limited by the way organisations perceive their requirements. Demand for change and technology upgrades drive the IAM projects while Security and Business benefits are left in the background or even ignored.

It is evident that IAM is still seen primarily as a “technology” to improve user experience or resolve provisioning issues, not as part of an overall transformation or as an enabler of the Digital Agenda. To address this it is necessary to explain the multiple areas where IAM is relevant, in particular its contribution to Risk Mitigation and business transformation.

When working on IAM or, more generally, Security programmes, a Risk and Trust management perspective is essential. It is important to cover all aspects of the problems we want to resolve so that organisations move beyond their initial focus on technology and user management. To do this, I propose an “expanded frame” in which Risk and Trust are correlated and Identity Management objectives can be seen in the context of business strategy. The attached slides present this approach, based on previous work which you can find on this website.

The following slides summarise the expanded Risk and Trust Management Frame.

[Slides: Risk and Trust perspectives in IAM, slides 1 to 3]


Microeconomics of I&AM: Identity Management in three slides

December 22, 2015

If I were asked to summarise my views on Identity and Access Management –what it is and what it will be– I would first point to the complexity involved in delivering I&AM programmes. This complexity is rooted in the normal (conventional) operations of business management of the IT support functions. Given that IT is largely […]


Security Lost and Recovered (and 4)

May 7, 2014

A transition to “complete” Security (in the sense described in the previous sections) requires a rediscovery of the context, this complex mesh of relationships through which we live and operate. This change must leverage a recognition of the personal, psychological, organisational and technical aspects. In following this path we need to base the IT disciplines […]


Security Lost and Recovered (3)

April 29, 2014

A “complete Security” approach –in the sense I introduced in the previous article (http://carlos-trigoso.com/2014/04/28/security-lost-and-recovered-2/)– applies a modal logic to grasp the fundamental aspects of any Security arrangement. This is a “deontic logic,” i.e. a logic of obligation, prohibition, interdiction and permission, which is able to represent the various moments of a Security model. In […]


Security Lost and Recovered (2)

April 28, 2014

A “complete” security strategy can be understood if we adopt an “information-theoretical” point of view. To do so, it is useful to describe the approach in the same way as we would consider a business model. A high level model of a business architecture shows the relationships between the participants, and the different functions and […]


Security Lost and Recovered (1)

April 26, 2014

What have I learned in the 15 years I have been active in the Security profession? One thing, centrally: that Security must be complete or it will be meaningless. I need to explain what the term “complete” means in this context, first to avoid misunderstandings, but also to introduce a qualitative approach to Security. In […]


Duality of the IT Function

April 24, 2014

Many times in conversation or debate it is useful to “step back” from the immediate matters at hand and look at the context. Having written that, I am even inclined to say that this is always the case, especially when addressing technology strategy. If we do so we will notice there are obvious problems with […]


“A less trusting Erlang”

March 12, 2014

Searching for Erlang Security topics you necessarily find the work done by Lawrie Brown, Dan Sahlins and others in the late 90’s, and their proposed changes to the Erlang implementation. This work was to some extent parallel and closely related to academic research by Gustaf Naeser, Rickard Green and Bertil Karlsson on the SafeErlang project […]


On the Limits of the “Possible”

March 11, 2014

A look at Erlang-OTP quickly reveals the limits it has in terms of Security principles and concerns. A brilliantly conceived platform is diminished by the exclusive focus on performance and availability goals. In the same way, important applications like the innovative CouchDB and the standards-based RabbitMQ are boxed-in by the flaws in the platform. As […]


“Using Erlang in a Web Start-up”

March 6, 2014

In “Using Erlang In A Web Start-Up,” Gordon Guthrie (hypernumbers.com) summarises the structural problem that Erlang environments bring to the Solution and the Security Architect: “Security is the Achilles heel of Erlang. Due to the trusted nature of telephony networks (at least compared to the internet) Erlang has no security. All nodes in an Erlang […]


Fault-Tolerance without Security?

March 6, 2014

A key text to understand Erlang and the Erlang community “world view” is Joe Armstrong’s thesis, titled “Making reliable distributed systems in the presence of software errors,” (final version with correction updated on November 20th 2003). This is a brilliant and historic text not only for Erlang, but also for the space of programming languages […]


Other Erlang References

March 6, 2014

I am sure that the following list omits many important Erlang materials. This list is here for the sake of completeness and does *not* include the books and papers that I will review in detail. The texts listed below either are too limited in the subject they cover or else omit Security principles and requirements […]


On the Road to Nowhere

March 5, 2014

The following three books are probably on the desks of every practicing Erlang specialist:

– “Erlang Programming,” by Francesco Cesarini and Simon Thompson, O’Reilly, 2009
– “Erlang and OTP in Action,” by Martin Logan, Eric Merritt and Richard Carlsson, Manning, 2011
– “Building Web Applications with Erlang,” by Zachary Kessin, O’Reilly, 2012

“Erlang and OTP […]


“Erlang has no locks and no keys”

March 4, 2014

There is perhaps no better source to understand and learn the Erlang language than the book “Programming Erlang” by Joe Armstrong (“Programming Erlang, Second Edition”, The Pragmatic Bookshelf, 2013). This is a detailed, authoritative exposition of the language covering all aspects of it, from the design principles to the procedures to build an application. Regrettably this […]


Security Taken Lightly

March 4, 2014

In “Learn You Some Erlang for Great Good” by Fred Hébert, published in January 2013 by No Starch Press, San Francisco, we have a strange mixture of apparently humorous remarks about the Erlang Security capabilities and –at the same time– some good information that may help the prospective (or committed) Erlang developers and architects to […]


On the Actor Model and “mailboxes”

March 2, 2014

Carl Hewitt clarified the relationship between his formulation of the Actor Model and one particular version of it (Karmani & Agha, 2011). The following is a message from Hewitt sent to Lambda The Ultimate in 2013 (http://lambda-the-ultimate.org/node/4853). This is a good reference to better understand the Actor Model and how it can be “implemented.” […]


Erlang & Application Security

March 1, 2014

“Application Security of Erlang Concurrent System” (2008) is the title of a paper written by Kenji Rikitake and Koji Nakao (the first author is associated with the Network Security Incident Response Group, Japan). This was the first paper I found with an explicit and committed focus on Security requirements and principles. Mr Rikitake is also known […]


Elementary Security in Erlang-OTP

February 28, 2014

Other texts I have reviewed:

– “Thinking in Erlang” – version 0.9 dated January 31st, 2007, by Robert Baruch
– “OTP Design Principles” – version 5.10.4, http://www.erlang.org/doc/design_principles/users_guide.html
– “Making reliable distributed systems in the presence of software errors” – final version updated November 2003, by Joe Armstrong, http://www.sics.se/~joe/thesis/armstrong_thesis_2003.pdf
– “Concurrent Programming in ERLANG”, second edition, […]


Security and “Information Flow”

February 27, 2014

From the beginning of the Information “era” the Security disciplines already bore the hierarchical imprint that is now current, centred on the protection of “informational assets.” Although not directly relevant to the subject of Erlang Security, I want to quote here a paper by Bhavani Thuraisingham (MITRE Corporation) published in 1993 by the ACM. […]


Trust (Maybe)

February 27, 2014

Continuing with my research I see that Security “concerns” (although not *requirements*) may be present in the Erlang literature, but in such a way that whatever is said about Security remains in the periphery and ultimately disappears from view. This happens even in cases where (as we will see below) the subject addressed seems to […]
