On the surface, you might chuckle to learn that a Sun guy exploited a Microsoft guy’s website. But I think there is a deeper lesson to be learned.

Last Tuesday, while I was away from my computer, I got an urgent instant message from my colleague, Rohan Pinto, “Could you please contact Kim Cameron for me and let him know that his blog was not hacked, but a mistake on my part of not informing him prior to testing an infocard exploit … please …”

Rohan had just posted a brief message on Kim’s blog by logging on via CardSpace and then exploiting a little security hole in WordPress. Oops!

Well, Rohan got in contact with Kim before I got the message. Kim’s explanation and Rohan’s response make an interesting read.

The lesson? No matter how inpenetrable the security veneer wrapped around an application is, the application itself must also must withstand exploitation. When we talk about Identity Management as a necessary component in an Information Security strategy, we must address system security holistically, not as just a point product or technology. It is one thing to correctly authenticate a user, but it is quite another thing to make sure that the authenticated user is not able to access more functionality or data than authorized.

One more thing … I just learned about another connection between Rohan and Kim. Kim grew up in Canada; Rohan lives in Canada now. Could there be signficance? Nah, I won’t even go there!

Technorati Tags: Identity,
Digital Identity,
Identity Management,
Sun Microsystems,
Microsoft,
Rohan Pinto,
Kim Cameron,
CardSpace,
WordPress