A Technical Architect's Guide to the SIF 3 Infrastructure: Modernized Security
On the wire:
- Internet grade security.
- Upgrade ready.
- Encrypted payloads, a reality.
- Trusted accounts (service or personal).
- Trusted servers.
- SSO ready.
- Personal touches service paths and hints at the future.
It should come as no surprise that good Web Services employ Internet Grade Security to keep their communications safe on the wire. What many people don’t realize is that Internet Grade Security has to keep changing. From security holes found in the protocols used to better hardware that can reduce yesterday’s math-based security to plain text, the one constant in this consistent requirement is change.
We are here to help! The SIF 3 Infrastructure has a separate Product Standard and Test Harness, which respectively communicate current Internet Grade Security expectations and help you ensure our software meets them. For the extra cautious, SIF 3 has been built so it may pass encrypted payloads. It is great to be part of a community that keeps on top of this.
So while no one is eavesdropping on SIF 3 Infrastructure connections, who is communicating? For us this is an interesting situation. In the past we embraced certificates fully. For verifying server identity, this has become the dominant mechanism for establishing trust and we still follow it. However, Client Certificates have not fared as well. So while there is nothing preventing their use in SIF 3, we don’t expect them to be the norm. In fact, we really are not confident of an industry norm in this area anytime soon. So while the SIF 3 Infrastructure has some built-in ways to authenticate, it is also designed to allow for support of multiple Single Sign On (SSO) solutions. We are working with at least one identity provider to help make this not only possible but also easy.
Whichever authentication mechanism you choose, it will grant access by data object type. Additionally, we have a tradition of filtering sensitive fields, which is being bolstered and codified by the Student Data Privacy Consortium (SDPC) and Australian (AU) locale. In the end, all data providers will be able to know and enforce the rules. We seek to have the most trusted standards for accessing education data.
Good security is built in, not bolted on.
To find out more about the SIF 3 Infrastructure Specification, please go to: http://www.a4l.org/page/Infrastructure