Updating the Traditional Security Model
On the Firewall Wizards mailing list last year, Dave Piscitello made a fascinating observation. Commenting on the traditional four-step security model:
Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Authenticity (is the data intact)
Piscitello said:
This model is no longer sufficient because it does not include asserting the trustworthiness of the endpoint device from which a (remote) user will authenticate and subsequently access data. Network admission and endpoint control are needed to determine that the device is free of malware (esp. key loggers) before you even accept a keystroke from a user. So let’s prepend “admissibility” to your list, and come up with a 5-legged stool, or call it the Pentagon of Trust.
He’s 100% right.
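As an added illustration (not code from the original post or from Piscitello), here is a Python sketch of the ordering his comment argues for: the device's posture report is checked, and its integrity verified with a constructed agent key, before the user's credentials are even read. Function names, the key, and the sample users and posture data are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed demo secret shared by the endpoint posture agent and the
# admission service (hypothetical; real deployments use per-device keys).
AGENT_KEY = b"constructed-demo-agent-key"

def sign_posture(report: dict) -> str:
    """MAC a posture report so a report forged or edited on a compromised
    endpoint can be told apart from one a genuine agent produced."""
    canonical = json.dumps(report, sort_keys=True).encode()
    return hmac.new(AGENT_KEY, canonical, hashlib.sha256).hexdigest()

def admissible(report: dict, mac_hex: str) -> bool:
    """Admissibility gate: authentic report, and it must say the device is
    free of malware and keyloggers."""
    if not hmac.compare_digest(sign_posture(report), mac_hex):
        return False
    return report.get("malware_scan_clean") is True and report.get("keylogger_check") == "pass"

def evaluate_access(request: dict, users: dict, acl: dict) -> tuple:
    """Walk the legs in order; return (decision, stage that decided it).
    Availability and authenticity concern the data served afterwards, so
    only the three request-time gates are modelled here."""
    # 1. Admissibility first: an inadmissible device never has its
    #    credentials read, so a keylogged password is not even accepted.
    if not admissible(request["posture"], request["posture_mac"]):
        return ("deny", "admissibility")
    # 2. Authentication (who are you), against a constructed hash store.
    pw_hash = hashlib.sha256(request["password"].encode()).hexdigest()
    stored = users.get(request["user"])
    if stored is None or not hmac.compare_digest(stored, pw_hash):
        return ("deny", "authentication")
    # 3. Authorization (what are you allowed to do).
    if request["action"] not in acl.get(request["user"], set()):
        return ("deny", "authorization")
    return ("allow", "authorization")
# Constructed sample data.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
ACL = {"alice": {"read"}}
CLEAN = {"agent": "1.0", "malware_scan_clean": True, "keylogger_check": "pass"}

def demo() -> list:
    good = {"user": "alice", "password": "correct horse", "action": "read",
            "posture": CLEAN, "posture_mac": sign_posture(CLEAN)}
    # Report edited after signing: MAC mismatch, refused before the password is read.
    tampered = dict(good, posture=dict(CLEAN, keylogger_check="fail"))
    return [evaluate_access(r, USERS, ACL) for r in (good, tampered)]
```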
Gnu Tzu • August 1, 2006 2:39 PM
This seemed like a perfect opportunity to take a poke at you know what. But, thoughts of what the correct approach would be brought to mind the complexity of the subject. It seems that this fifth leg faces a similar level of complexity that exists for the other legs. That is, different environments will need to approach this fifth leg in different ways. The solution to fixing “you know what” is to stop using “you know what” in every situation.
Also, the suggested name for this, “admissibility” isn’t all that intuitive, and security terminology is daunting enough. Could we possibly find a better name before this gets set in stone (or written about on the Wikipedia)?