openid - Explaining security to non-technical managers

I maintain the intranet website for my company, which they now want to expose to the big, bad world outside. Right now, it does not have any authentication or authorization. My idea for managing user accounts is to validate them using existing technologies and to build an authorization model on top of that. The current choice would be CardSpace and OpenID, which would save us from maintaining a list of usernames and passwords, which in turn makes the site less interesting for hackers. The data on the site is not sensitive either. Actually, we only expose the same data as one of our desktop products, and anybody can view this information if they know where it is. The one thing we need is to prevent users from modifying data; in the worst case, a superuser destroys all data and we have to restore a backup. In that worst-case scenario, we lose one day of data entry, which translates to at most a hundred modifications. (Actually, 98 was the largest number of modifications in a single day.)

Still, even though this is not very important data, we want some security to be included as well.

Now, management has suggested creating an additional database where we would store usernames and passwords, add encryption and do all kinds of other things to keep that user data safe. They are making all kinds of weird plans for managing user accounts. None of them has experience with the technical aspects of software design, and none of them has any knowledge about securing a system. Thus, their designs become complete Chaos (with a capital C). It has already taken two months to come up with a functional design because they are unable to agree with each other on some security aspects.

So I have been asked to explain security properly, in a way that is easy to understand. Because I know that both CardSpace and OpenID are safe, I want to present them as the best option for managing these accounts. I would add a simple role system on top, where each account is linked to a particular role that grants additional rights, with "view only" as the default. It would be quick to implement and easy to maintain, making it a good proof of concept, and getting adequate technical information about it is easy. I have only one question...

How do I explain techniques like CardSpace and OpenID to people who have no technical background? Something like "OpenID for Dummies", but easy to understand. The problem is finding the right words without becoming too technical (and worse, if I fail to explain it correctly, they will not use this technique and I will be stuck implementing a monstrous creation.)

Please, help! :-)

Oh, OK. Simplified question: How can I explain OpenID or CardSpace in non-technical terms as an alternative to any home-brewn solution?


Addendum: These managers are not my "normal" managers. They are basically the company's chief executives and their associates, who came up with the idea of publishing the site. Normally, they would hand such tasks over to the regular managers and accept whatever solution gets done. But this has become a bit of a prestige project for them, so they are personally involved. At least one of them is searching the internet for information about security and wants to be safer than Fort Knox. He is creating some evil, which I do not want to blame them for; without understanding all the technical aspects, they seem eager to learn more about this "security" thing. Since this is a prestige project, they are ready to accept expensive solutions, but that is not good for the company. Personally, I would tell them to leave this to real professionals. Then again, I would also like to keep my job, so I want a more politically correct answer.
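The design sketched in the question (let an external identity provider do the authentication, keep only an identity-to-role mapping locally, default every account to "view only") can be shown in a few lines. The following is an added example and not code from the original post; every name in it, including the provider names and identifier URLs, is a constructed assumption. It models only the authorization layer: the `VerifiedIdentity` object stands for whatever a completed OpenID or CardSpace login returns, so no password is ever stored on the site.

```python
# Added example: role-based authorization layered on externally verified identities.
# The site stores no credentials, only a mapping from a verified identifier to a role.
# All names, providers and identifier URLs below are constructed assumptions.

from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Roles are named permission sets; "viewer" is the least-privileged default.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"read"}),
    "editor": frozenset({"read", "modify"}),
    "admin": frozenset({"read", "modify", "manage_roles"}),
}
DEFAULT_ROLE = "viewer"


@dataclass(frozen=True)
class VerifiedIdentity:
    """What a completed OpenID/CardSpace login hands back to the site.

    The provider has already checked the user's credential; the site never sees it.
    """
    identifier: str  # e.g. "https://alice.example-provider.test/" (constructed)
    provider: str    # the provider that vouched for this identifier


class RoleStore:
    """Maps verified identifiers to roles and answers permission checks."""

    def __init__(self, trusted_providers: Iterable[str],
                 assignments: Optional[Dict[str, str]] = None) -> None:
        self.trusted_providers = frozenset(trusted_providers)
        self.assignments: Dict[str, str] = dict(assignments or {})

    def role_for(self, ident: VerifiedIdentity) -> Optional[str]:
        # Identities vouched for by a provider we did not configure get no role at all;
        # anyone from a trusted provider without an explicit assignment is a viewer.
        if ident.provider not in self.trusted_providers:
            return None
        return self.assignments.get(ident.identifier, DEFAULT_ROLE)

    def is_allowed(self, ident: VerifiedIdentity, permission: str) -> bool:
        role = self.role_for(ident)
        return role is not None and permission in ROLE_PERMISSIONS[role]

    def assign_role(self, actor: VerifiedIdentity, target_identifier: str,
                    role: str) -> None:
        # Only an identity holding "manage_roles" may change assignments,
        # and only to a role that actually exists.
        if not self.is_allowed(actor, "manage_roles"):
            raise PermissionError("actor may not manage roles")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.assignments[target_identifier] = role


def demo() -> Dict[str, object]:
    """Walk through the typical cases and return the outcomes for inspection."""
    store = RoleStore(
        trusted_providers={"example-provider"},
        assignments={"https://admin.example-provider.test/": "admin"},
    )
    admin = VerifiedIdentity("https://admin.example-provider.test/", "example-provider")
    alice = VerifiedIdentity("https://alice.example-provider.test/", "example-provider")
    # Same kind of identifier, but vouched for by a provider the site does not trust.
    stranger = VerifiedIdentity("https://mallory.other.test/", "other-provider")

    results: Dict[str, object] = {
        "alice_can_read": store.is_allowed(alice, "read"),
        "alice_can_modify_before": store.is_allowed(alice, "modify"),
        "stranger_role": store.role_for(stranger),
        "stranger_can_read": store.is_allowed(stranger, "read"),
    }
    # A viewer trying to promote herself must be refused.
    try:
        store.assign_role(alice, alice.identifier, "admin")
        results["self_promotion_refused"] = False
    except PermissionError:
        results["self_promotion_refused"] = True
    # An admin granting "editor" is allowed and takes effect immediately.
    store.assign_role(admin, alice.identifier, "editor")
    results["alice_can_modify_after"] = store.is_allowed(alice, "modify")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point worth making to a non-technical audience is visible in the code: the only table the site keeps is `assignments`, a list of identifiers and roles with nothing secret in it, so there is no password store to protect, and a new user who has never been assigned anything lands in the "view only" role.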

You can sell it with the "Verisign" logic.

We could all create and store our own strong cryptographic keys, but that is a huge overhead, and Verisign does it for a nominal fee. Like a secure bank, they are (for now, at least) far more trusted than the business community as a whole, and while other companies provide the same product, Verisign is the market leader.

The second aspect of Internet security is the User ID & Password. An "OpenID" is like a passport (forgive the metaphor): it proves who you are because a credible agency has issued your identity (the issuing country for a passport, Verisign et al. for OpenID), and you can then use it to prove who you are.

Verisign offers OpenIDs, and given its trust in the market, you can trust OpenIDs.
