Full Discussion: SOA Security (Part 4)
SOA Security (Part 4) Post 302141142 by Linux Bot on Thursday 18th of October 2007 12:10:09 AM
SOA Security (Part 4)

Tim Bass
Thu, 18 Oct 2007 03:44:41 +0000
My apologies for dropping off the blogosphere! We just landed at the Sheraton Royal Orchid in Bangkok after weeks of packing, moving, plus time with friends and family.
Eventually, I plan to get to the topic of event processing in SOA security and blog about how CEP can help reduce the risk in security issues related to distributed computing environments. First, kindly permit me to elaborate on why defense-in-depth is an important concept for SOA security.
The core security triad for information systems is often called the AIC triad by IT security professionals (CISSPs, for example): authentication, integrity and confidentiality. We can go a bit farther and talk about authorization, availability and non-repudiation; but starting with AIC is both prudent and expedient.
When you think about AIC for SOA you should always look to the security services that are provided by the network layer (and other layers) in the context of your (administrative) domain architecture. In other words, there is a big difference between creating federated, cross-domain AIC controls and AIC controls in a single organization with one security domain. In addition, there are huge differences between multi-domain organizations under an umbrella governance policy versus a federated approach, where each domain is nearly, if not totally, independent from the other.
Most SOA implementations are state-of-the-art versions of organizational EAI implementations, in a single administrative domain, that start small and (hopefully) grow over time, adding other administrative domains that are under the same corporate flag. Additionally, most of the complex SOA security standards are designed for the “utopian view” of SOA, envisioned to operate in complex federated, multi-organizational environments.
When you examine your AIC requirements for “the new SOA”, modular distributed computing, don’t forget that you can go back to basics and get your projects off the ground much quicker than striving for nirvana. For example, many of your AIC requirements for SOA can be met with a good VPN and an in-tunnel model with a combination of host-based and user-based authentication.
Time and time again, over a long career of operational IT experience, we have seen the same implementation pitfalls, which are often summarized, “The Enemy of Good is Great.”
If you are working on grass-roots SOA EAI implementations, don’t let your projects come to a grinding slowdown trying to build a utopian infrastructure for SOA security with immature and unnecessary SOA standards when your AIC requirements can be met using other compensating controls (either logical, physical or administrative).
Keep in mind that most SOA implementations are simply organizational EAI that can benefit from AIC basics, so don’t rush into vendor snake oil SOA security tools that promise more than they can deliver.
In my next post, I will begin to discuss how CEP and event processing can serve as a control infrastructure in more complex SOA federations. If you would like for me to elaborate on AIC for SOA or defense-in-depth, please don’t hesitate to comment or ask!
Sawatdee Krap Pom!