Identity Unbound

Editor’s Note: This CTOvision.com post was written by  , a highly regarded security professional and inventor in the UK with a focus on design and implementation of multilevel and cross-domain IT security (“MLS”)-bg.  

This is something I posted to a Sun internal discussion group a while back; it stirred a little interest back then, but given the way that the world has moved on, I figured it would be worth revising and reprising it here.

The issue of identity has been bothering me for a while. While identity can clearly be applied to human consumers of services – and expressed as a subset of information held about them in various places – I also wonder how the concept of identity could be used for various other entities, and indeed how the properties of identity as applied to humans could potentially be mapped onto them.

Hence the table below, which is a first attempt at making this mapping in the context of servers and services, for files, running processes, OS instances, Solaris zones (and to some degree BSD jails and IBM LPARs), hardware domains and services. Cells with question marks in them are areas where I currently don’t see a mapping – this could mean that a mapping is not appropriate, or that an appropriate technology does not exist today, and could point the way for a bit of fundamental research.

I suspect I’m heading down a path which has been well-trodden already, but you might find some parts of this interesting and thought-provoking. For clarity, FMRIs (Fault Management Resource Identifiers) are Solaris Service Management Framework constructs resembling URLs, which uniquely describe an instance of a service in terms of the processes needed to provide the service and their dependencies. For more info, see http://www.oreillynet.com/pub/a/sysadmin/2006/04/13/using-solaris-smf.html.

Also, labels refer to the data structures in Solaris Trusted Extensions, which are usually mapped to protective markings.

Anyway:


| Human | File | Process | OS Instance | Zone | Host / Domain | Service |
|---|---|---|---|---|---|---|
| Name | Leafname | pid | Nodename | Zonename | Hostid | Nodename, [port\|app] |
| Address | Full pathname, maybe hostname too | pid, ppid, tracked back to init (or zsched) process – maybe zone / hostname too | ? | Hostname of global zone? | ? | FMRI with host / zonename prefixed |
| Family tree | OS instance / zone and pathname / elfsign signature | pid, ppid, tracked back to init (or zsched) process | ? | Hostname of global zone? | ? | FMRI with host / zonename prefixed |
| Biometrics | Strong checksum / elfsign signature | Strong checksum of code pages (Harvard arch only) | Solaris Fingerprint Database checksum | Solaris Fingerprint Database checksum | Hostid | Strong checksum of available content? |
| UserIDs / passwds | Owner | Owner | ? | ? | ? | Same as process? |
| Certs / keys | ? | TCG attestation pass | Key (WANBoot miniroot), TCG attestation pass | ? | TPM key | Certs / keys |
| Kerberos principals | ? | ? | Kerberos host principal | Kerberos host principal | ? | Kerberos service principal |
| Govt baggage (social sec no, driving licence no, etc) | Signed metadata trackable to root CA | TCG attestation pass(?) | Accreditation (Common Criteria etc?) | ? | ? | Certificate trackable to root CA |
| Privileges | Privileges (forced, allowed) | Privileges (inherited, saved, effective, permitted) | all | Zone-restricted limit set | all (/ TCG?) | Privileges of serving process |
| Clearances | Label | Labels / polyinstantiation | label_encodings | Label (1 per zone) | ? | Labels / polyinstantiation |
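To make the File and Process columns of the table concrete, here is an added example (not part of the original post, and not Solaris code) that assembles an identity record along the table's rows: name (leafname), address (nodename plus full pathname), owner, biometric (a strong content hash) and, for a process, the family tree walked from pid through ppid back to init. It assumes a POSIX host with a Linux-style /proc for the default parent lookup (the post's Solaris /proc, zsched and elfsign have no direct equivalent here), uses SHA-256 as the "strong checksum", knows nothing about zones or labels, and the parent map in the demo is constructed rather than read from a live system.

```python
"""Identity record for a file and a process, following the table's rows.

Added example, not from the original post. Assumptions: POSIX host; Linux-style
/proc/<pid>/stat for the default parent lookup; SHA-256 as the strong checksum;
no zone awareness. SAMPLE_PARENTS is a constructed stand-in for /proc.
"""
import hashlib
import os
import platform
import pwd
import tempfile
from typing import Callable, Dict, List, Optional

# Constructed process tree: 300 -> 200 -> 100 -> init (pid 1).
SAMPLE_PARENTS: Dict[int, int] = {100: 1, 200: 100, 300: 200}
SAMPLE_CONTENT = b"hello"  # constructed file content for the demo


def strong_checksum(path: str) -> str:
    """'Biometrics' row for a file: a strong content hash (SHA-256 assumed)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def file_identity(path: str) -> Dict[str, str]:
    """Name, address, owner and biometric for a file (the table's File column)."""
    real = os.path.realpath(path)  # resolve symlinks to get the full pathname
    st = os.stat(real)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)  # uid with no passwd entry: keep the number
    return {
        "name": os.path.basename(real),          # leafname
        "address": f"{platform.node()}:{real}",  # nodename + full pathname
        "owner": owner,                          # 'UserIDs / passwds' row
        "biometric": strong_checksum(real),      # strong checksum
    }


def linux_parent_of(pid: int) -> Optional[int]:
    """Default parent lookup via /proc/<pid>/stat (Linux layout assumed)."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            stat = f.read()
    except OSError:
        return None  # no such process, or no /proc
    # The comm field may contain spaces; split only after its closing ')'.
    fields = stat[stat.rindex(")") + 2:].split()
    return int(fields[1])  # fields[0] is the state, fields[1] the ppid


def process_ancestry(pid: int,
                     parent_of: Callable[[int], Optional[int]] = linux_parent_of,
                     root: int = 1, limit: int = 1024) -> List[int]:
    """'Family tree' row for a process: pid, ppid, ... back to init (pid 1).

    Stops at `root`, at a pid with no known parent, on a cycle, or at `limit`
    so a bogus parent map can never loop forever.
    """
    chain: List[int] = []
    seen = set()
    cur: Optional[int] = pid
    while cur is not None and cur not in seen and len(chain) < limit:
        chain.append(cur)
        seen.add(cur)
        if cur == root:
            break
        cur = parent_of(cur)
    return chain


def demo() -> Dict[str, object]:
    """Hash a constructed temp file and walk the constructed process tree."""
    with tempfile.NamedTemporaryFile("wb", suffix=".bin", delete=False) as tmp:
        tmp.write(SAMPLE_CONTENT)
        path = tmp.name
    try:
        ident = file_identity(path)
    finally:
        os.unlink(path)
    return {"file": ident, "ancestry": process_ancestry(300, SAMPLE_PARENTS.get)}


if __name__ == "__main__":
    print(demo())
    # Live walk of this interpreter's own ancestry (needs Linux /proc).
    print(process_ancestry(os.getpid()))
```

The walk is parameterised on the parent lookup so the same logic can be pointed at a zone's process table, a forensic image or a captured `ps` listing instead of the live /proc; the cycle and limit checks matter because a hostile or corrupted process table is exactly where you would not want an identity check to hang.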


The appearance of Trusted Computing technology (attestation, Trusted Platform Modules) in several cells of the table gives further weight to the sound (but currently unofficial) advice from Bromium, to the effect of “don’t buy any more servers that don’t have TPMs in them”.
