30 March 2010

Information Assurance as a Service and Abstracting Complexity "Away"

The State of the Internet Operating System

We are once again approaching the point at which the Faustian bargain will be made: simply use our facilities, and the complexity will go away. And much as happened during the 1980s, there is more than one company making that promise. We're entering a modern version of "the Great Game", the rivalry to control the narrow passes to the promised future of computing.
In the world of Information Assurance, there is a strong desire among application and service developers to "abstract away" the complexities of security. Think of this as Security-as-a-Service, or an Information Assurance Framework in the cloud. It can be done for difficult security functions such as X.509 certificate handling, using the Server-based Certificate Validation Protocol (SCVP) and the PKI Resource Query Protocol (PRQP). The complexity is "removed" from the relying party and moved to a trusted Validation Authority. Given the difficulty and risk of relying parties each implementing certificate validation on their own (some more securely than others), abstracting this complexity "away" from the relying parties to a trusted Validation Authority run by an "expert" has advantages. The security experts create and control the security context in which applications will work.

It also means that the relying parties have made a "Faustian bargain" with the security experts, who take "on the pain of managing complexity" and end up "with a powerful lock-in."
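As an added illustration (not from the original post, and not a real SCVP implementation: RFC 5055 uses ASN.1 and CMS, and here an HMAC over a pre-shared key stands in for the Validation Authority's signature), this Python model shows what delegated validation moves to the VA and what stays with the relying party. All certificate data, keys and timestamps are constructed; the nonce and signature checks on the relying-party side are the residual work that delegation cannot remove, and they are also the point at which the relying party is bound to that one VA.

```python
# Simplified SCVP-style delegated validation (added example, not real SCVP).
# HMAC with a pre-shared key stands in for the VA's CMS signature.
import hmac, hashlib, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_after: int  # Unix time; all values below are constructed

class ValidationAuthority:
    """Trusted VA: holds the trust anchors and revocation data that the
    relying party no longer manages, and signs every response it returns."""
    def __init__(self, key: bytes, anchors: set[str], revoked: set[int]):
        self._key, self._anchors, self._revoked = key, anchors, revoked

    def validate(self, cert: Cert, now: int, nonce: bytes) -> dict:
        if cert.issuer not in self._anchors:
            status = "untrusted-issuer"
        elif cert.serial in self._revoked:
            status = "revoked"
        elif now > cert.not_after:
            status = "expired"
        else:
            status = "valid"
        msg = f"{cert.subject}|{cert.serial}|{status}|{nonce.hex()}".encode()
        return {"status": status, "nonce": nonce,
                "sig": hmac.new(self._key, msg, hashlib.sha256).digest()}

class RelyingParty:
    """The relying party keeps one thing: the VA's key. It must still check
    that the answer is genuine (signature) and fresh (its own nonce)."""
    def __init__(self, va: ValidationAuthority, va_key: bytes):
        self._va, self._va_key = va, va_key

    def accept(self, cert: Cert, now: int) -> bool:
        nonce = os.urandom(16)  # binds the VA's answer to this query
        resp = self._va.validate(cert, now, nonce)
        if resp["nonce"] != nonce:
            return False        # replayed response for some earlier query
        msg = f"{cert.subject}|{cert.serial}|{resp['status']}|{resp['nonce'].hex()}".encode()
        expected = hmac.new(self._va_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(resp["sig"], expected):
            return False        # response was not produced by the trusted VA
        return resp["status"] == "valid"
```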