Subprotocols to WS-Security already exist: WS-Trust allows issuing, renewing, and validating security tokens, especially between trusted security domains. WS-Federation allows participating security domains to accept authenticated identities from other security domains. WS-Policy is used by security domains to advertise what security policies various identities must meet to be accepted -- for example, an identity must be two-factor authenticated, may be anonymous, and so on. These WS-Security protocols are the underpinnings of a true globally secure Internet.
Interface for Metadata Access Points (IF-MAP)
Another Trusted Computing Group invention, the IF-MAP open specification, can communicate state information about users, computers, and networks. Currently, IF-MAP protocol version 2.0 is in use. In my "Fix the Internet" whitepaper, I suggested creating a DNS-like security service that would notify everyone whenever a computer or network was no longer under the complete control of its authorized operator.
The developer of a Web service is ultimately responsible for its secure use. Every application should be securely written to work with reliable protocols and authentication methods. As it stands, the majority of Internet compromises take advantage of application-level vulnerabilities, so there's a lot of work to do in this space. If the rest of the Internet were properly secured using the protocols and specs discussed above, malicious hackers wouldn't have as much of a chance to get at application-level vulnerabilities, and we'd be more likely to catch them.
We have the technology
Whatever Internet security standards emerge, they'll likely include a combination of the aforementioned protocols and technologies. Ironically, this points to the fact that the protocols and technologies we need to secure the computing world are already available. All it would take to achieve this goal is for the right global consortium of technical and policymakers to sit down in a common room for a few weeks (or months) to decide on common services and trust values. The group would ultimately deliver the new official opt-in standards as Internet security best practices that should be implemented by all participating vendors and service providers.
Within a year or two, we would have a significantly more secure Internet -- one where we, our colleagues, and our loved ones could surf without the constant fear of malicious interference. How much faster and better would our entire computing Internet experience be if we didn't have to spend every second implementing 100 disparate defenses that won't work?
Don't let anyone sell you on the idea that we have to live with the current state of Internet insecurity or that it would take years to make it safer. We could do it right now. I'm keeping my promise to repeat this call until the masses listen and take action.
This story, "10 building blocks for securing the Internet today," was originally published at InfoWorld.com. Read more of Roger Grimes' Security Adviser blog at InfoWorld.com.