Thursday, February 19, 2009

RSS (No, not that one)

Right Sized Security

What does this mean?

Security is a big FUD word we like to throw around. You need it, you want it and God only knows what will happen if you don't have it. Until of course you have to pay for it and then you might decide to take your chances.

That is what I typically see when discussing Web Services security. At first mention everyone nods their head as if to say "Of course we need security." That is usually about as close as they get to actually having it.

The issue I see is the lack of understanding or at least acknowledgment of what security means and specifically what different types of security there are and which ones are needed. Security is an umbrella term that covers several different concepts:
  • Authentication
  • Authorization
  • Confidentiality
  • Integrity
  • Non-Repudiation
Each one of these is a topic in and of itself, and you can readily find entire books, articles and products targeted at each one. So simply saying "We gotta get us some security" is really the beginning of a much larger discussion.

The idea behind Right Sized Security is to apply only those aspects of security that you need or want and to do so in a way that does not completely overwhelm your environment. Let me give you an example:

Suppose you are going to offer a simple identity service that retrieves names, titles, managers, etc. from your corporate LDAP. The service will only be available within the company's local network, and the data that will be passing back and forth is available to everyone who wants to see it. However, you would like to know who uses the service so you can track your dependencies and analyze the value added by this service.
  • No data is being updated so there is no need to worry about non-repudiation
  • The data is available to everyone so there is no need to provide confidentiality
  • The data is informational only so the threat of alteration in transit is low and thus the need for integrity is very low
  • There are not different access levels for the data so authorization is not needed
  • Everyone is allowed to use the service but you want to know who and how many times each person or application is using it so some sort of access control or authentication is needed
From this analysis, it is easy to see that a solution involving encryption, digital signatures or some other advanced technology is far too complicated for what is actually needed.
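As an added illustration (not code from the original post), this is what a right-sized version of that identity service could look like: a plain WSGI endpoint that identifies the caller with HTTP Basic credentials and counts usage per caller, with no encryption or signatures. The directory records and the per-caller tokens are constructed stand-ins, not a real LDAP.

```python
import base64
import hmac
import json
from collections import Counter

# Constructed stand-in for the corporate LDAP directory (not a real directory).
DIRECTORY = {
    "jdoe": {"name": "Jane Doe", "title": "Engineer", "manager": "asmith"},
    "asmith": {"name": "Alex Smith", "title": "Manager", "manager": "ceo"},
}
# Constructed per-caller tokens for the people and applications that may call.
# A service token is used instead of a user's directory password on purpose:
# the data is public, but a password is not, and this service has no TLS.
CALLER_TOKENS = {"reporting-app": "tok-reporting-1", "jdoe": "tok-jdoe-1"}
# Usage tracking: who called and how often (the only reason auth exists here).
USAGE = Counter()

def basic_header(user, token):
    """Build the Authorization header value a caller would send."""
    return "Basic " + base64.b64encode(f"{user}:{token}".encode()).decode()

def identify_caller(environ):
    """Return the caller name from an HTTP Basic credential, or None."""
    scheme, _, encoded = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        user, _, token = base64.b64decode(encoded).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CALLER_TOKENS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return user

def app(environ, start_response):
    """WSGI identity lookup: GET /people/<uid> returns the record as JSON.
    No encryption, no signatures: identification plus a usage counter."""
    caller = identify_caller(environ)
    if caller is None:
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="identity"')])
        return [b""]
    USAGE[caller] += 1
    uid = environ.get("PATH_INFO", "").rpartition("/")[2]
    record = DIRECTORY.get(uid)
    if record is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"no such uid"]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(record).encode()]
```

The caller's credential is the one secret in this design, which is why it is a low-value per-caller token rather than anyone's directory password. If the analysis changes later (for example, the service is exposed beyond the local network), the confidentiality line of the matrix changes with it and the design should be revisited.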

You need to be willing to utilize several different security models based on need and not get sucked into a one-size-fits-all approach. Most importantly, take the time to add a security analysis to your process and address each security concern individually. Combine this with a matrix of best practices and apply the "right sized" security model. This will make adoption easier and may actually result in you having some of that much desired security.