Monday, 30 July 2007

What is SISA?

A couple of weeks ago Microsoft released what they are calling SISA, their Secure Information Sharing Architecture. I'm not going to link to it, because they don't need any help in invading the security space.

In a nutshell, they have taken a few complementary technologies and bridged a couple of gaps that needed filling, then released it all as a package they support under the MS umbrella. Information sharing is obviously something which many businesses need to do, or can benefit from, but there are a lot of hidden security issues here which I'm not sure cobbling together from the top down is going to address in full.

I'd love to read up on the whole solution and tell you where the weak points are, but there's nothing available as yet to tell you how it's done exactly. All there is is lots of fluff about "you asked, we delivered", "it's not vaporware", etc.

The lady doth protest too much, methinks. This is hardly a proven application of any of the technologies involved (EMC, Cisco, MS and three smaller companies). I can't help thinking that the "military style security" they talk about would be much better and more easily achieved if they would apply military securing techniques, including data classification, then apply proper access controls via key management, and make sure the data is not only encrypted (which achieves very little) but also has its integrity ensured.

Now I may be slightly biased, being a Product Manager for a Data Integrity company, Kinamik, but I work here because I think there is a massive need for what we do, not because I've been told that there is, or because there's any market shift in this direction. I'm glad MS are looking into this area; it means people will have confidence in going down the data protection route.

The problem with requirements-driven markets, however, is that they are rarely properly secured. Whilst availability has always been well considered, and to a large extent confidentiality is built in, integrity is often overlooked, and it's about time people realised how important it really is.