Hi,
I am venturing into security architecture. It will be covering the security features provided by .NET as well as general concepts like EKE, Single Sign On, race conditions etc.
I haven't been able to find any good forum where I can discuss these topics.
Could somebody please let me know a few forums and blogs in which we can have discussions on this?
regards

Security architecture
Thomas Israelsen
What is your security question?
What area are you worried about: is it imperative security, declarative security, attribute-based security, or the encryption mechanism to be used and why, use Passport or what, and in what app domain (is it web based or Windows application based), as that also governs your security architecture.
Race condition is mostly prevalent in the threading aspect, not sure why you club that with security features.
maverick_majnoo
Hi,
Security requirements can be broadly grouped into the following concepts. If you can tell us which area you are dealing with, maybe we can discuss it here itself.
Security Requirements:
1. Client Authentication
2. Server Authentication – Phishing
3. Repudiation – denying the action
4. Confidentiality
5. Integrity
6. Auditing
7. Replaying
8. Authorization
http://DotNetWithMe.blogspot.com
vikas goyal
daxu
I'd also keep an eye on the following NFRs....
9. Compliance - are there laws / regulation guidance governing what protection you need to enforce on certain data - remember your company directors/VPs can go to prison for this stuff. In the UK you'll need to consider the Freedom of Information Act (regarding audit data), Data Protection Act, Disability Discrimination Act (CAPTCHAs for example are a problem for blind people), Financial Services Act, Official Secrets Act. Security classifications of data and the related security classifications of staff. In the UK we would have an Information Security Officer who could help you with this stuff.
10. Performance - do you have to fit your security requirements inside a performance requirement?
11. Scalability - how many end users / systems are you targeting - you'll need volumes from the business.
12. Interoperability - do you need to adopt an open standard to enable interop between existing systems - do you need to interop with an old system?
13. Availability - is this a critical system for all others? What is the requirement for availability?
14. Data Loss - this is really interesting with audit data - if someone wants to cover their tracks they need to delete the audit data, so what is the requirement to protect this and back it up - should this info go off-site?
15. Data Latency - when you change a centralised security profile, how long is your customer willing to wait - how many times have you rung a help desk, they change your profile to give you access to a resource and they say "wait an hour and you'll be able to get access"?
Finally, when looking at security, keep in mind how your IT department will gain access to the system. What is done to keep them from accessing live data: separate live network (separate machines on the live network), security-cleared individuals or temps, do you audit their access? These are your biggest threat as they can bypass application-level security.
In a survey by Prefix IT:
Be paranoid and enjoy it :-)