The Hogg Blog

Envisaging the Future by Reflecting on the Past

RSA Conference 2006


RSA Conference 2006 - Summary

Sorry for the late post, but I flew straight from RSA in San Jose to Sydney, Australia for the patterns & practices summit. I wanted to include a brief summary of the sessions that I was interested in…

Keynote: Bill Gates

Anyway, the conference opened with my boss Bill stating how pleased he was to be there… and not to have been out shooting with Dick Cheney. He then went on to summarize key factors of our Trustworthy Computing initiative. These were broken into four categories:

  1. Trust ecosystem – In addition to the obvious chains of trust / levels of indirection / requirements for federation, there was some interesting discussion about reputations as the basis for authorization decisions. Reputations are a tough one that online communities like eBay and Amazon have tried to establish over time.
  2. Engineering for security – Secure by design, secure by default, secure by deployment…
  3. Simplicity – For end users, developers and IT professionals…
  4. Fundamentally secure platforms – the foundation for the other three categories.

Bill also described Microsoft’s vision for the Identity Metasystem: allowing systems running on diverse platforms and communicating across organizational boundaries to work together based on a trust ecosystem. Supporting initiatives include InfoCard, high-assurance SSL certificates to reduce the risk of phishing attacks, and lots more.

Plus the one really cool thing that I wasn’t aware of – the announcement for the new Microsoft CLAM! Actually, the Certificate Lifecycle Manager is a product that sits on top of Windows Server’s Certificate Services and appears to make the issuance, renewal and revocation of X.509 certificates much simpler – making multi-factor / smart card security much more accessible to all organizations.

Keynote 2: Art Coviello (RSA)

Art opened his keynote by explaining that in the trip between his house and arriving at the RSA conference he was authenticated no less than 12 times! From withdrawing money from an ATM, to using an automatic toll booth, to checking in at the airport… he then went on to paint a picture of the Internet as a crime-ridden neighborhood – similar to the opening scenes of most recent Batman movies.

Anyway – the key takeaways included the importance of mutual authentication (to instill confidence in consumers), the use of RSA’s electronic fraud repository for tracking fraudulent activities, through to the use of active and passive authentication mechanisms…

I also think his reference to the multiple occurrences of authentication is especially relevant to the Identity Metasystem and trust ecosystem that Bill mentioned.

Microsoft Identity and Access Strategy

Kim Cameron (www.identityblog.com) provided an overview of the “power of identity” – including key concepts such as:

- Knowing who you are interacting with
- Granting appropriate people access
- Persisting a record of interaction
- Protecting confidential information

A couple of ideas that I really liked:

- The Identity catastrophe – relating to the number of different repositories that people’s identity information is currently stored in
- The idea that a user is just a device – albeit with poor crypto capabilities.

He went on to describe characteristics of an identity system, including topics like:

- Negotiation driven - relying party and identity provider
- Encapsulation - technology-agnostic way to exchange policies and claims between identity provider and relying party
- Claims transformation - trusted way to change one set of claims into another
- User experience - consistent UI across multiple systems and technologies

And in more concrete terms (what should I buy?), the Identity Metasystem will be supported in upcoming product releases:

    • Developers – Visual Studio 2005, WinFX
    • IT organizations – Active Directory, Certificate Lifecycle Manager
    • Users – Vista, IE7, InfoCard

Most important takeaway for everyone from this presentation is to read Kim’s work on the laws of identity. Foundational stuff…

Model Driven Security Architecture

Nataraj Nagaratnam, Anthony Nadalin (aka Dr Security), IBM

I know Tony from the WS-I work that we do, so I was excited to see how IBM is thinking about approaching tooling for securing Web services.

IBM is building on their investment in Rational and as such is extending its UML to support custom stereotypes such as “ServiceSpecification” and “MessageProtection” – in addition to supporting declaration of authorization policy. Other goals that were stated included:

- Allowing security requirements to be specified according to the user’s role
- Supporting use (generation?) of policy to support loosely coupled applications
- Treating project teams as customers of the security team

The prototypes demonstrated appeared to be early thinking but will definitely excite hardcore UML fans. I look forward to seeing how this initiative progresses.

Microsoft’s WS-Federation Implementation

Patrick Hanrion, MCS, Microsoft Corporation

Patrick provided an introduction to Federation and some of the challenges that arise whilst federating identities. He also provided an overview of the ADFS architecture along with a description of scenarios such as:

- Federation service
- Federation proxy
- Web server SSO agent
- B2B: ADFS Federated Web SSO
- B2E: ADFS Extranet Web SSO
- B2C: ADFS “Online” Web SSO
- Federated Web SSO with a portal

I am actually hoping that our team will extend our Web service security patterns guidance to include federation scenarios… so if this is an area that you are interested in please ping me at jahogg at Microsoft.com.

Baking Security into the Lifecycle

Herbert Thompson (Security Innovation), Michael Howard (Microsoft)

Lots of great discussion including war stories from the field. Key topics included:

- Importance of threat modeling
- If you can’t manage the app – don’t deploy it. Think about how you will deploy hot fixes, secure by design etc… before you deploy the application!
- Get actual skin in the game from executives about the importance of security. If you need any help here take a look at http://blogs.msdn.com/thehoggblog/archive/2006/03/01/541777.aspx
- Use threat models to scope / prioritize development – if the risks are too high, think twice about developing the feature! Saves downstream costs…
- Importance of testing “unplanned” features – as they are the likely areas for security vulnerabilities

For more information on security and the security development lifecycle take a look at:

- http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
- http://msdn.microsoft.com/practices/Topics/security/default.aspx

Inspiration for new Security Patterns

I still need help with the naming of the anti-pattern described in http://blogs.msdn.com/thehoggblog/archive/2006/02/15/532993.aspx so let me know what your thoughts are... or share your war stories with regard to security overkill...

Comments

I have put some notes together from the sessions that I went to at RSA. Feel free to take a look / comment...