Contrary to my expectations, Lilith by George MacDonald is a tough slog. I’m not sure why. Maybe I was expecting something more like The Princess and the Goblin. It seems as though Lilith is really a message with a story as a background rather than a story with a message in the background. I’m sure it is just my lack of sophistication. Despite this, MacDonald manages to transmit quite a few profound ideas to the attentive reader.
“These words are too big for you and me: all is one of them, and ever is another,” said a voice near me which I knew.
George MacDonald, Lilith, p.93
Ahh, such sweet music to my epistemological senses, however distorted they may be. Yes, there is little context to go on here, but it does speak for itself, doesn’t it? All and ever are rarely epistemologically admissible and yet are easily used in our everyday speech. Who has the authority to lay claim to all and ever? Is it you and I?
“Doubt”, I said to myself, “may be a poor encouragement to do anything, but it is a bad reason for doing nothing.”
George MacDonald, Lilith, p.97
Classic. Do I need to elaborate?
The classic CIA Triad (Confidentiality, Integrity and Availability), as it is affectionately called, has been used for decades as a means to coarsely outline certain security/assurance expectations of a system. It has lasted this long because who can forget a TLA? Sadly, it is too general to be used effectively in most application security endeavors. There have been many who have attempted to elaborate on the triad to make it more useful. Microsoft’s Security Frame was a great effort. It identified the important and relevant categories that were hidden away within the triad. However, going from a TLA to a set of ten concepts, or IAACSSCEA, isn’t exactly easy to recall. Yes, I know, this should be documented as part of a defined process chock full of cheat sheets, tips and lists.

Well, in an effort to align these concepts with my view of security functions and properties, I created a set of six concepts that are derived from CIA but add more precision. You’ll probably recognize some of these labels. Yes, some of them made sense to retain from Microsoft’s Frame; others were useful labels gathered from the Common Criteria (oh no! not that!?). So, I managed to trim a few items by merging them with a more common category. Let’s see if an uninformed reader can make sense of these:
- Accountability and Event Reconstruction
- Data Protection
- Identity and Access Management
- Exception Management and Availability
- Management and Configuration
- Survivability
Identity and Access Management is perhaps the most intuitive category. It encompasses authentication, authorization and other concepts related to access control. Accountability is also fairly straightforward. What is your take on the others?