Security related events

["Jeff Bohren" <jbohren@opennetwork.com>]

Title: Message

I though I would take this off-line so as not to waste time on the call. I see a lot value in standardizing security related events as part of WSDM. The four events that I would define are:

 

AuthN Succeeded

AuthN Failed

AuthZ Succeeded

AuthZ Failed

 

There are three purposes for these events; general management, security monitoring, and auditing.

 

1) General Management - in this case the AuthN and AuthZ Failed events are the important ones. A increase in the number of these types of events could be an indicator of problems in the system, such as clock synchronization issues, authentication server problems, etc.

 

2) Security Monitoring - again, the AuthN and AuthZ Failed events are the important ones. A increase in the number of these types of events could be an indicator of an attack on the resource in question.

 

3) Auditing - self explanatory. There are, as Hal pointed out, QOS issues with this, but those issues need to be addressed by WSN eventually anyway.

 

Obviously different subscribers would want a different set of these events for different reasons.

 

For MOWS there are some very specific use cases. For instance in the case of an AuthN failure, the SOAP header could be included in the notification. Since WS-Security is now an OASIS standard, it seems logic that WSDM should define a standard WS-Security AuthN Succeeded and Failed events as part of the MOWS specification.

 

I would be glad to put together a proposal on exactly what would be defined in each of these event types, but only if there is sufficient interest by the TC. Would anybody be interested in seeing a proposal on this?

 

Jeff Bohren

Product Architect

OpenNetwork Technologies, Inc

 

Try the industry's only 100% .NET-enabled identity management software. Download your free copy of Universal IdP Standard Edition today. Go to www.opennetwork.com/eval.