Sunday, October 01, 2006

Defence in Depth in the world of Single Sign-on

Recent expansion of our network has led me to revisit the concept of Defence in Depth and its relation to security. I am a big believer in Defence in Depth, to the point that all the computers at work run software firewalls in addition to the hardware firewall. But that is not the point of this post.

Rather, it is the concept of Defence in Depth in web services. The question arises of how many web service companies use Defence in Depth. Given the recent security failures, my guess is not many at all. Cruel experience will change that, I am sure. But this does lead to the problem of the social engineering attack.

I am wary of single sign-on, as it seemingly destroys the usefulness of Defence in Depth. With one sign-on, the cracker will then have access to all of a target's services. As web services usually have weaker protection against attacks that come from inside the service, this opens up a whole world of hurt. I wonder if Defence in Depth is considered by the Identity 2.0 crowd.

An interesting problem.
