Network Security Podcast

Martin Mckeay and Rich Mogull were kind enough to invite me to their network security podcast.  We had a nice discussion on Privacy, Information Centric Security and a few other topics.  You can check it out here. 

Stored Procedures and SQL Injection

There is a nice post by Michael Howard on a couple simple steps to help mitigate SQL Injection attacks over on the Security Development Lifecycle blog this morning.  Simple steps that are effective by reducing the avenues of attack or reducing the assumptions of trust between the application and the database. However wanted to add a couple of comments onto this subject that I believe add some value to the suggestions he made. Specifically:

-Don't allow create/modify procedure permissions

-Use a dedicated, non-admin database user account

-Don't use external stored procedures

The first comment I wanted to make is on “Use SQL Execute Only Permissions” and “Use Stored Procedures”. This is absolutely correct. Not only is there typically a performance benefit, there is some built in parameter screening in the RDBMS that checks consistency and type.  The use of stored procedures is to combat injection of ad-hoc SQL statements. And the additional suggestion of using ‘execute only’ permissions on procedures is because I want to make sure that the stored procedures that I have cannot be replaced or altered by the SQL Injection attack. I do not want an attacker using SQL Injection to read my existing code, but this is a secondary consideration. The attacks I see could usually care less what logic you have, but really want to introduce their own functionality, either by introducing an ad-hoc query or by introducing a stored procedure. Use of stored procedures mitigates the first issue, and ‘execute only’ stops the alteration of the code. I am adding that you want to periodically check that the database user does not have create procedures permissions in their role in addition to the existing stored procedures being execute only. This combats the ‘Injection’ of new stored procedures to launch additional attacks.

There is another angle on this story that I would like to point out. I love the introduction to this post when Michael states “If you have a Web server (doesn't matter what type), and it's hooked up to a database (doesn't matter what type) you need to go in and review your code that performs the database work”. Absolutely! They go hand in hand. But the remainder of the post goes on to discuss deterrence and security from the web application developer’s perspective. That’s not a criticism, but I want to help illustrate that SQL Injection is a database attack made through a web application. 

But database administration and database platform security is oft left out of the conversation, and it should not be, as there are other simple tips that have similar benefits to helping reduce the possibility of SQL Injection. I have made some comments to several of the OWASP & WASC members here in San Jose, and that given the symbiotic relationship between database platforms and web application, may want to include some additional database platform security discussions with the application security discussions that they have today. For example, I had commented in a previous post that the entire attack could be negated by running the database administered under a different user account than the web application administrator. That is a very simple step to address a common abuse of trust relationships to carry out an attack.  So my second suggestion is use a dedicated database user for the web application account that does not have administrative rights.

My final suggestion on the topic of stored procedures has to do with external stored procedures. Most relational databases have the option of using external links and stored procedures to reference OS level code. This is in essence a program outside the database that can either run OS level functions, and often can use database functionality as well. I do not want to go into a long discussion here about the types of attacks that can be conducted through external code, or the dozens of issues pertaining to permissions, but simply comment that in using stored procedures for web applications, resist the urge to use external stored procedures or links. They can be very dangerous, and I typically advocate checking that the user rights do not include use of these external resources.

Most web developers look at a document like this one and tend to tune out.  So thanks to Michael for posting simple and effective SQL Injection prevention/mitigation steps for web applications. 

RIAA and Music Piracy

 

I ran across this article on RIAA this morning attempting to police piracy. Once again I am left shaking my head at the stupidity of this entire piracy circus.

Most industries have competition, which forces down prices and promotes innovation. The music industry clearly has no such drivers, and innovation is someone we absolutely do not see. If organizations like RIAA put half as much time into considering a business model that works with the Internet rather than trying to punish the people interested in their product they would be growing rather than being in decline.

And while I am on the topic, this cartoon video completely captures my feeling on the subject. Yes, RIAA, you need to heed this advice.

What does this have to do with security? Plenty.

I wonder if RIAA employees get spam? Have you seen how many ways they are to spell (or mis-spell) Viagra? How many ways and how easily I can convey the meaning without actually saying it? 'Massive Pole', 'Make Her Happy', 'Top Rated Enlarger', '4 free pills' and 'Vi-Ag-Rah' got through one spam filter just in the last four hours.  So if RIAA is looking for common file names of songs, it will only take a matter of minutes until all this content is relabeled and reformatted and become invisible to ‘Media Sentry’. This is a joke. I can only assume that this is a PR exercised to waste money and further blame the consumer for the music industry’s lack of commercial success.  It will not stop piracy. It will not detect most piracy.

Why would I want to buy CD full of schlock if I all want is the one song? In this day and age where bands are seldom the organic garage band that creates something special and unique, but rather a ‘package’ of faces and sounds out of mind of recording executives, one good song is all we get. So why am I going to pay 8, 12, 20 or more dollars for garbage? And on top of that I have to deal with what I call ‘the packaging penalty’, or trying to get the CD or DVD out of its packaging without damaging the cover art or media. It’s just easier for me to record it off the radio. Or as most people do, pull a copy from the Internet and create a low-rez copy that they will listen to a couple times and delete.

A friend of mine has been going through a process of acquiring a complete catalog of a couple of female jazz singers that we both like. You would think that this is a simple process of ordering the recordings on CDs, DVD, SACD, .WAV or whatever medium is your preference. Not so fast. It turns out that not all of the distributions are created equally. We have found some cases where the media itself varies greatly in recording quality, but even more troubling is the song lists are different!  The DVD-A may contain three unique songs, the DVD a song and a video, and the SACD a different song appended yet again. We have even found cases where the CDs sold to some of the big box retailers differ from chain to chain.

Sure, they would like me to buy the same copy of music on the same medium as many times as I could afford to, and even better, buy it on every medium they can think of creating just so I can get the last song or two. This model does not work for the consumer and demonstrates how some companies have lost perspective of their value. Rather than looking to provide a product people want to buy, they are looking at news ways to mine value from intellectual property. Two very different concepts.

The last point I wanted to make is the use of the word ‘customers’, as everyone I have ever met who rips albums is also a collector. They buy when they can, and the rip when it makes economic sense to do so. I do not know anyone who is so cash-poor that they are unable to purchase songs that they really want. They are in fact customers, but they are not simply going to throw money away. As is a recurring theme in many of Bruce Schneier’s articles, economy is often a much larger factor in security than technology.

The recording industry has created a disposable medium and disposable content. They have now trained their customers to treat it as throw away background music, with the concepts of High Fidelity and cover art becoming all but extinct. Yes, I am saying that piracy is to a very large extent a byproduct of recording industry business practices. If they want to see increased revenue, they need to price, package and distribute it such that it is easier to buy than copy, or provide a higher perceived value for the packaged product. If they continue to punish customers, the recording industry will quite literally dis-intermediate itself and will succumb to a more efficient and more cost effective delivery of music.   

 

Data Security: Threats and Objectives.

I was on a rant today because I was having a discussion about Information Centric Security, and someone has said that the implementation I was proposing promoted viruses and malicious code. The assertion is the packetized implementation of ICS I endorsed hid the contents from the user who received it, and therefore all sorts of malware could be hidden within the packets and ‘jump out’ at unsuspecting users. That is a great point, I do concede; completely wrong in two assumptions, but a good point that enforces my point for the need of two-way (or more) trust establishment. It also underlines the issue of what we should and should not do with the data we receive. The data we receive, who sent it and what their intentions were are assumed, and assumed to be good intentioned. Information Centric Security is meant to help assess not only Identity and proper use, but also help address the grotesque lack of trust establishment. We are far too trusting of other people, web sites, downloads, and in general, any free stuff that comes our way. And after spending the last few days with an infected DNS server, I don't even trust our infrastructure. Data needs to protect itself, and the users need  to protect themselves.

I have been making several assertions in recent posts that an Information Centric Security inherently addresses several problems we typically face with today’s security products simply by the nature of this security model. I realize I should back these statements up with some specific examples to further elucidate what the heck it is I am talking about. So this is this the first of several posts on that subject.  I want to start with an outline of some of the typical attacks and the associated objectives of the attackers to provide an overview of the ‘threatscape’. I will talk about how to apply the Information Centric model to one or two common tasks, and then talk about what value an ICS model provides in those contexts. I will also make mention to some of the things that ICS does not help with or problems that it does not solve.

So what are we trying to do? Secure data. That begs the question ‘secure it from what’, which becomes a much longer and more difficult discussion, but I will attempt to tackle some of the major points here. This is an overview list of the types of threats that I will be considering as this will help frame the attacks to be considered.  I have broken objectives and attacks into two separate lists I broke this into two lists to better illustrate a many to many relationship of attacks and threats, as well as the complexity of information security challenges.

So what are some of the hacker’s objectives when it comes to data security?

Theft of data.

Alteration of data.

Pretty much, that is it. I am making the assumption that if data can be viewed, it can be copied. We have been working hard for the last two decades to make data available, and pretty much every medium I can convey data on has a way for me to siphon it off. And I also assume that these two goals can be accomplished by subversion of the processing infrastructure or machine for the purpose of:

Alter an event or processing

Altering the functionality of a machine

Theft of activity

Use infrastructure to attack another machine

This is not an exhaustive list, but the major ones that popped into my mind. Feel free to add more and I will attempt to discuss in future posts.  I will note that there are many other objectives for hackers, for example denial of service attacks, but my intention is to limit this discussion to data security and not general infrastructure security challenges.  For Information Centric Security, these first two items are the challenges we are trying to address. Each of the above objectives they can accomplished in a number of different ways. Given these objectives, how might a hacker go about it?

Insider attacks: Use of the approved platforms, applications and credentials to either steal or alter data.

Network attacks or theft of data in motion: Network monitoring or ‘sniffing’, ‘man in the middle’ attacks and the like.

Data at Rest: gaining access to a file server, console or backup media and other forms of direct access to data at rest.

Quasi Data at Rest:  Databases. These repositories have a unique set of challenges given the myriad of ways to execute functions on data, and typically require some degree of inspection of the data to perform reporting and analysis functions.  And there are a myriad of attacks such as bypassed credential checks, SQL Injection, Buffer Overflows, exercising external code inks, data leakage and more. 

Data in process:  Applications. As with databases, web applications and large footprint enterprise applications like SAP offer a myriad of exploits.

Platform: Use of remote sessions, viruses or other code that provides a gateway onto the system, OS or application that houses/processes the data.

Physical attacks: This could run the gamut from looking over someone’s shoulder, Tempest attacks (quasi-physical), stealing a computer  to holding a gun to someone’s head. I am going to ignore this as section to discuss as a) it is somewhat outside the topic of computer security and is more of a traditional security problem, and  as well as b) this typically devolves into an insider attack.

My intention is not to create a definitive list, but rather cover the bulk of objectives and threats, and discuss how Information Centricity addresses some of the problems. This is a long enough list that it is going to take some time to address.  In the next post, I am going to discuss two examples of how someone might choose to implement ICS, and then follow that up with a discussion of how ICS deals with some of the threats brought up in this post. 

Blog Monitoring and Analytics.

Ran into a firm called "Collective Intellect" during RSA week over at the Ziff-Davis briefing. Their product, mediaintellect, was different enough of an offering that I thought I would make a comment on this concept. While not security oriented, they are Blog oriented. They advertise "Real-time actionable insight from social media monitoring and analysis"€.  Basically they monitor blog traffic and content for market research and feedback. Good product? Bad Product? I have no idea.   The people I met from the company were nice enough, but there is something about 'predictive marketing intelligence' for social media that makes me uneasy.

A Rothman-esque 'So What?' is in order here. What are they going to do for you? Are they going to tell you if your corporate blog sucks? Or they can tell you your marketing campaign sucked because some bloggers they read said so? Is there really a way to do this based upon traffic and key words? Can you really quantify brand influencer's? And you want this service why? I got to wonder if this an angle for PR & Analysts to re-insert themselves into the process now that their opinions are not interesting enough to generate their own readership. Blogs Analysts: can they provide value or are they simply parasitic?

Clearly Blogs have upset the PR apple-cart.  And I can see how mediaintellect would to fill a need for PR and Marketing departments to make some sense of Blogs and use them to their benefit.  But I read Blogs that are decidedly non-corporate for the reason that I don't want to wade through the endless controlled-sanitized-non-informative-corporate-attorney-approved marketing spin that most companies pump out. It is marketing influence I am trying to get away from, and this tool/service provides those organizations a way to monitor and affect the very medium I use to avoid their influence.  ~Shiver~  Maybe I am overly sensitive and this is simply a natural evolutionary step based upon the fundamental change in media and broadening of audience, such as Black Hat changing to look more and more like the RSA conference with each passing year.

Thompson's RSA keynote.

I finally got around to watching John Thompson’s RSA keynote address this morning. I was hopeful that there would be something interesting here. There was. He was speaking on the topic of Information Centric Security. This is surprising to me. Partially because this is a concept that a lot of people in security have trouble getting their head around. So if the leaders in security still have trouble conceptually, mass acceptance is probably a long way off. Even more so, Information Centricity would require a metamorphic change to the products Symantec produces today. A decidedly non-perimeter, non-network, non-packet model that requires bi-directional establishment of trust does not fit with what they offer today. I am unaware of any company CEO that really follows through with changes that would adversely affect the usefulness of their core revenue generating products.  Still, his advocacy is encouraging.

There is a link for the presentation here if you did not see it during RSA.

The quote “The battleground for security no longer revolves around the infrastructure, it revolves around data” gives me a warm fuzzy feeling, being a non-network security guy.  Sure, a statement taken unto itself is rather generic. Just because you perceive a need to move away from a perimeter or network based model for security does not necessarily mean you endorse an information centric model.  But when put in context to the remainder of the presentation and the other quotes about the need for an information centric approach to security, digital rights management, security as a business enabler, white listing, linking security with data management, it appeared to me that he really ‘gets’ it. I am not trying to be condescending, rather my point is this does not appear to be marketing speak, but genuine understanding. Cool. I will be interested to see what the strategic product roadmap looks like to get there.

 

p.s. Does anyone know where the statistics came from about reaching the ‘inflection point’ that the lines of malicious code has grown equal to the lines of ‘legitimate’ code produced on a daily basis?

Oracle Critical Patch Update for April 2008

Comments on database security notice.

 

I just received my notification for the April 2008 security update from Oracle. Some information can be found here, and scroll down to the ‘Oracle Database Risk Matrix’. Unlike some of my peers in the industry, I have usually been pretty happy with the patches that come from Oracle for security. What is more, they tend to release security patches on a very regular schedule, so the DBA in me appreciates this consistency both because Oracle has trained me to look for it, and subsequently can plan the deployment of the patch into my normal workflow.

What bugs me is the lack of information pertaining to the threat, or what the real issue is, when looking at the contents of the security patches. Why the lack of details? I am not too sure if this is because they have the mindset that they do not want to reveal too much information to would-be hackers, which is a laughable assumption, or if this is some legal mumbo-jumbo to reduce liability. Regardless, it’s annoying. I want to understand the threat so I can take appropriate action; for example I may not agree with Oracle’s threat assessment and desire an interim workaround prior to deploying a patch. Or I might alter my normal deployment schedule if I deem the risk too great to delay. But you cannot assess the urgency of the patch, or take appropriate action if you have no clue as to the nature of the threat, so in fact the customer has little information that is helpful.   ‘Critical Patch’ is only marginally more informative than ‘Threat Level: Orange’.

More important to this discussion: Oracle does not assign risk for your business. You do. Even if Oracle could produce a satisfactory definition for “Base Scores”, (here is a blog post that does a better job than the official Oracle documents) it is irrelevant to understanding the threat to your business. A database is not a standalone entity; rather it can have multiple audiences, applications, processes and users. If you’re going to provide a ‘Risk Matrix’, you need to include some information that is pertinent to the risk, not a list of code areas affected. Two completely different concepts that they have merged together as if they were equivalent. 

I don't think you need to jump out and install this ASAP, despite what some of the sensationalistic journalism based this patch release. The Oracle advisory states “1 of these database vulnerabilities may be remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password.” But the ‘Risk Matrix’ lists Oracle 11.1.6 as the version affected. Even if the Oracle Base Score was considered a ‘10’, a complete system compromise, does this have an impact to you? As 11 is the only release affected, making the comments about databases being a ‘Sitting Duck’  are a little overblown IMO. I am unaware of any corporate client of ours who has gotten Oracle 11 out of the lab and into production, so the scope of this threat is minimal.

What does concern me is when areas of the code like DBMS_CDC_UTILITY and SYS.DBMS_AQ which are complex and have had vulnerabilities over time. Hackers tend to learn the nuances about specific modules and then attack them over and over again, thus why we see a chain of vulnerabilities against specific modules over time. But those modules tend to be the ones that were not designed with security in mind and why they were targeted to begin with.

I will post more once I get a chance to review the patches more thoroughly, so while I recommend you apply it when you get a chance, I do not see anything that is a huge hair on fire threat.

The Four Horsemen

The Network Is the Compu...oh, crap.  Never mind, it's broken. (Death)

Nearly made me snort coffee from my nose when I read this line. That is brilliant.  It is a long post, but worth the time to read.  It will take imagery like this for people to understand the fundamental changes offered by Virtualization ... or as I have heard many people  refer to it, the Virtualization ‘feature’ ... and subsequently why approaches to security need to be re-considered.  We may be marginalizing and commoditizing IT resources like processing, but we are breaking a lot of existing assumptions along the way.  It is going to be harder to determine where your data is, who has access, and how it is being used.  If you want an example set of why an Information Centric data security model is a good idea, this is it.

The week in review

Spent last week in San Francisco at various shows and events, so I thought I would share some of the high (and low) points.

 

IDC Virtualization Conference : I was at the Virtualization show on Tuesday just to get some variety during the week of RSA all the time. Really not much going on here at all other than product pitch after product pitch ad-nauseam. You would have thought they were selling condo time-shares. And here is a hint, if you are going to inundate us with a sales pitch, at least have coffee to keep us awake. 

The only presentation that actually had a customer success story, Pano Logic, happened to be the highlight. This is a very cool little box for client side virtualization. From a security standpoint, data is not floating around, as there is no disk or local memory to steal from. And the session follows the user to any location they choose to use. While not suitable for every user the benefits in both security and IT costs are considerable. Check it out!

 

Ziff-Davis: A very nice security briefing put on by Ziff Davis Enterprise in the evening, and followed it up with excellent food & drink at the reception. I have seen Lawrence Walsh presentations a couple of times now and I always enjoy them, and this particular “Risk Perceptions and Reality” was no exception. His research on where security dollars are being spent, and presentation points on applying those dollars in a more risk management oriented way is similar to some of the presentation I give, only his research data is better than mine. The major theme was ‘security will not improve until security becomes part of the business process’.  Not sure the audience was getting the point, but it was not for lack of trying. 

 

RSA:  How would I encapsulate the RSA show? In a word? “uhhhh”. I am too apathetic to yawn. It appears that they are still waiting for an answer to the question “What would Turing do?” Even the San Jose Mercury news only had a very tiny piece on Chertoff's presentation, so if they could not find much to write about you know it was bleak. 

It seemed to me that the industry has fallen back onto two of the ‘security pillars of truth’, access control and encryption. Essential ingredients to security cookbook, sure, but nothing that appeared innovative and new. Marketing these solutions to Governance, Risk and Compliance, which is new and possibly only 3 years too early, plus no one seems to agree on exactly what GRC means. Oh well, here’s to next year!

 

Security Bloggers Meet Up 2008:  The best after hours RSA party had to be the Security Blogger’s event organized by Jennifer Leggio at Fortinet. Great turnout, great people, great food and a whole lot of fun. I met up with people I have not seen in 8-10 years, and met a dozen so Bloggers who I have been reading for the last year or more.  Fun and educational. Great work Jennifer!

 

Miscellaneous fun #1: McAfee Hacks hackers. Did you know that? Their banner says so. I was intrigued, so I stopped by their booth and asked for a white paper on how exactly they do this?  What is it they offer? Can I pick the hacker to hack, or is it more random hacker hacking?  How do you reduce the false positives of hacking White Hat guys instead of Black Hat guys? What is my ROI? They took my business card and said they would get back to me. Maybe the product is still in Beta. 

Miscellaneous fun #2:  SFPD & Security. I took Cal Train into the city on Wednesday morning. It did not dawn on me that this may be a problem until I arrived and I heard that several of the bus lines were shut down because of the Olympic Torch. Then I started to worry when 10 kids with Chinese flags were walking along side of me right into the gauntlet of Sherriff’s officers.  Uh oh!

I have been to the out front of the west wing of the White House,  the executive building, the Senate and various other official places, but I have never seen a security show like this. Every hundred yards all the way up 4^th street were a pair of motorcycle cops flanking both sides of the street. Every nook, cranny and side-street had a Police, Sherriff, Marshall or undisclosed official vehicle standing by. Train schedules altered, bus routes changed or halted, streets barricaded, street lights run manually, profiling of participants, helicopters and more. Nothing going on as I guess they moved the torch route, but the Police were clearly on 100% alert. Amazing!

Miscellaneous fun #3:  A few years back, at the Oakland Coliseum, I had a disconcerting experience. I was walking out of the men’s room and was suddenly faced with half a dozen very large men in suits who were angrily walking towards me with hands reaching for me. At the last second the tall thin man next to me told them it was OK and they stopped in their tracks and just glared at me. I just so happened to exit the door and bump into Michael Jordan. His entourage was none too happy having me pop out of nowhere and be standing within inches of their charge. Cooler heads prevailed, but you never forget that split second feeling that things are not OK.

So I am walking around RSA exhibitor’s area on Tuesday, down a crowded aisle, and six guys in suits and short hair turned and are suddenly staring at me with that same glare of concern. At first I was thinking it was a secret service detail, and maybe Al Gore was in the area. Did I somehow look threatening in my casual sweater and dungarees? Then I looked up and saw I was standing in front of Guardium’s booth. Ah, now I get it! Move along!  Nice to know they care.

Miscellaneous fun #4: I was over at a partner’s Booth on Wednesday. I did not recognize anyone at the booth, nor did they recognize me. I decided to see what they were selling and what messages they were delivering at the show. Access Control. OK, what about the other security products you offer? I started to quiz them on database monitoring, auditing and the like. My questions were returned with blank stares. The first person did not believe they offered other security products … they do, trust me on this one … and the more senior representative said “Yes, we offer that product, but we have no one here who can talk about it”. OhhhhKay! Your spending $30K on a booth, collateral & shipping at a Security conference, not to mention whatever employee & lodging costs, and you don’t prepare to talk about your Security products?!?!? Nothing like wasting an investment. 

Contrasting Privacy & Integrity Models

Information Centric Follow-on comments

There was a comment on Rich Mogull’s blog page after he posted Principles of Information Centric Security about existing models for security and integrity, and comments on novelty. I think that is worth delving into in a bit more detail.

The Bell-LaPadula model, as I understand it, defines security states and governs how data moves between these states. Its motivation was to help prevent secure information from leaking by providing handling instructions. In essence it would provide decision support for who gets to do what to the data. This is a policy model for data. If your business application is secure document management, this would embody the business rules you might choose to implement, or one of several you choose to implement.

The Clark-Wilson model, as I understand it, is about data integrity. It advocates a user, application and data set triumvirate, along with a verification process, to ensure data integrity. Data and users are authenticated, and the ‘transformational’ algorithms certified for use with certain user& data combinations. In a nutshell, once data in the system is verified for integrity, every modification is subsequently verified before the transaction is completed. If your business application airline flight scheduling, this would be a framework to ensure that all operational and logistical restraints were met prior to scheduling to ensure consistency.

Conceptually, either model could be implemented in an Information Centric manner, or it could be implemented at the Application level (typical), or it could be implemented at the network/device level (is a DLP-esque way).   Clark-Wilson bases the rules on a controlled system. We are moving to systems that are globally networked and we cannot necessarily rely upon central, organized control. Hierarchical security models with mono-directional establishment of trust do not work.

Clark-Wilson has a couple of weaknesses as by definition it implies a closed ‘system’. It relies upon certain trust relationships that may not be valid, for example, within an SOA framework. How do you ensure the integrity of the transformation model? A Rogue can simply ignore the rules of the game. ‘System’ certified relations may not be trusted, a user does not have a way of certifying the systems because there is implicit trust in the relationships as defined. Could it be augmented to fill these gaps? Probably. But this is the tit-for-tat game we have been playing at for decades.

I could make similar statements for Bell-LaPadula in non-trusted environments, and I would also recognize that Bell-LaPadula could be augmented to deal with the issues raised above. That is neither here nor there. My point is not to point out weaknesses in these two models, and these both do what they were designed to do very well. I do want to show the differences in that wrapping security and integrity up with the data, and providing that bundle enough information on defending itself from un-trusted applications, or subverted access controls.  An Inside-Out model, not Outside-In.

 

Also, on the subject of novelty:

I tend to view many things that may not be novel as revolutionary. The first plasma television picture was shown in a lab in 1970, but even in 2002 I could not have imagined having a 50 color television set hanging on my wall!  Patents for novel concepts often lapse before a genuine embodiment ever appears in front of the public. Information Centricity is not novel as discussions and papers have been made available to the public for at least a decade. That does not diminish what I consider to be a more revolutionary than evolutionary approach to security that Information Centricity provides.

“Shortly after I published my paper on ‘Fuzzy Logic’ I started to hear the murmurs and snickering in the hallways behind my back. Not just students, but professors, my own peers, thought I was a fool for seriously proposing such an idea … several years later the Japanese adopted the concept as an effective method of scheduling trains for their rail systems. I was then lauded as a genius by many ... I don’t believe either group is right in their assessment, but the answer probably lies somewhere in between”.

That quote was made by Professor Lofti Zadeh at the beginning of a lecture I had at Cal in 1998. (Or was it 1999? Perhaps my memory is a bit fuzzy as well). Fuzzy Logic was not novel at the time of adoption, but certainly revolutionary in the approach. The evolutionary changes in IT infrastructure has rendered many of our basic assumptions on trust and reliance invalid. Information Centricity turns the trust hierarchy upside down, and would fit my definition of a revolutionary approach. It has its own set of problems, but it addresses many common problems we have with confidentiality, integrity and security. Not a panacea, but a big step forward.