On the heels of my post the other day where I questioned my place in the workforce, I had an epiphany-like set of thoughts tonight.

Joe and I talked about compsec in our group and organization wide quite a bit the last time we were face to face. I told him I was having trouble knowing what our mission was for our organization. I got the impression that we always delegated responsibility. Even when it seemed like my group should be spearheading a particular project or rollout of something, instead we delegated it.

So I was in an odd spot. I began asking "what is it we really _do_ around here if all we ever do is delegate?" I began to feel like my work was pointless. I'd come in every day, lots of stuff would happen, but I would just delegate it all, and then I would go home. How do you derive meaning out of a job where you essentially function as a middle manager?

Joe made it more clear to me when he explained that due to the way that the organization is structured, our mission is to function as the head-node in a system of integrated computer security. Integrated is the key word and it's what got me thinking tonight.

We have a vast number of homegrown applications at work. As part of the integrated security model, the focus is to push security down to the desktop level and have attention applied at many levels: the sysadmin level, line management, the division head, and organization wide.

To really accomplish this goal, though, requires that the tools we use in our day-to-day work be available at all those levels. So if Bob the user needs data on X, and we have that data, then given the appropriate authorization, Bob can get his data. Bob's manager should also be able to get the data relevant to the work functions he needs to perform, and on and on.

So to accomplish all this, it really falls back on us in computer security to place a heavy focus on making our systems available.

I'm a big proponent of integration. I like tying systems together so that they can do bigger and better things. I have no tolerance for those who whine that "it's too hard" to provide a programmatic interface to anything.

So I make it a primary requirement that all the software we buy or make, and all the appliances or other crap we purchase, have a strong, mature, well-documented API.

I also think it is critical that we provide these APIs in as many formats as we can reasonably support. Web service formats like REST, XML-RPC, and SOAP are easy to provide all from one spot, if you use the right framework. I love web services. Anything that can talk HTTP can pretty much make use of them; they're fantastic.

Having said all this, I know how frustrating it can be when you're told "no, there's no API" for a particular application. Many that we use in our own group do not have one because those applications were not designed with an API in mind, a decision that I consider absolutely unacceptable.

But Tim, it's hard. But Tim, nobody will ever use these data sets. But Tim, we just can't control access to all of these things.

Wrong, wrong and wrong.

There is little extra work required to provide an API to anything, given that you are using the right tools. The second argument is just a flat-out lie. Anyone with half a brain knows that, given the opportunities, people will come up with some pretty creative ideas. So exposing those opportunities in a controlled way is vital in helping to get the creative juices flowing. And finally, access control is a problem that has been solved over and over and over again. Just pick a solution.

So I think a strong argument can be made for providing interfaces to our systems, particularly because of our focus on integrated computer security management. I also think it should be a requirement that these interfaces are exposed in as many ways as can reasonably be managed because, in the end, the user interface is a highly subjective beast. If you can make the UI essentially just a mashup of API calls, you make everything much more flexible.
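As an added example (not code from the original post or from the author's organization), the following Python sketch shows the two points above working together: one business function behind one authorization check, with thin REST-style and XML-RPC adapters layered over it so the same data is reachable from several "spots" without duplicating the access-control decision. The user directory, the records, the role rules (user sees own data, manager sees direct reports, a "compsec" role sees everything) and the method name `get_record` are all constructed assumptions for the demo.

```python
import json
from xmlrpc.client import Fault, dumps, loads  # stdlib XML-RPC marshalling

# Constructed directory and data set (hypothetical, not from the post):
# every user has a role and, for plain users, a manager who may see their data.
USERS = {
    "bob":   {"role": "user",    "manager": "alice"},
    "carol": {"role": "user",    "manager": "dave"},
    "alice": {"role": "manager", "manager": None},
    "dave":  {"role": "manager", "manager": None},
    "sec":   {"role": "compsec", "manager": None},   # organization-wide view
}
RECORDS = {
    "bob":   {"owner": "bob",   "open_findings": 2, "last_scan": "2024-01-05"},
    "carol": {"owner": "carol", "open_findings": 0, "last_scan": "2024-01-03"},
}


class Denied(Exception):
    """Raised by the single authorization check; every transport maps it to a refusal."""


def authorize(caller: str, owner: str) -> None:
    """Deny by default: a user sees own data, a manager sees direct reports, compsec sees all."""
    who = USERS.get(caller)
    if who is None:
        raise Denied("unknown caller")
    if who["role"] == "compsec" or caller == owner:
        return
    target = USERS.get(owner)
    if who["role"] == "manager" and target is not None and target["manager"] == caller:
        return
    raise Denied(f"{caller} may not read {owner}")


def get_record(caller: str, owner: str) -> dict:
    """The one business function; the transports below are thin adapters over it.
    Authorization runs before the existence check so an unauthorized caller
    cannot learn which owners exist."""
    authorize(caller, owner)
    if owner not in RECORDS:
        raise KeyError(owner)
    return dict(RECORDS[owner])


def handle_rest(method: str, path: str, caller: str) -> tuple[int, str]:
    """REST-style adapter: GET /records/<owner> -> (HTTP status, JSON body)."""
    parts = path.strip("/").split("/")
    if method != "GET" or len(parts) != 2 or parts[0] != "records":
        return 404, json.dumps({"error": "no such resource"})
    try:
        return 200, json.dumps(get_record(caller, parts[1]))
    except Denied as e:
        return 403, json.dumps({"error": str(e)})
    except KeyError:
        return 404, json.dumps({"error": "no such record"})


def handle_xmlrpc(body: str, caller: str) -> str:
    """XML-RPC adapter: parse the request envelope, dispatch, marshal a response or fault."""
    params, methodname = loads(body)
    if methodname != "get_record" or len(params) != 1:
        return dumps(Fault(-32601, "method not found"), methodresponse=True)
    try:
        return dumps((get_record(caller, params[0]),), methodresponse=True)
    except Denied as e:
        return dumps(Fault(403, str(e)), methodresponse=True)
    except KeyError:
        return dumps(Fault(404, "no such record"), methodresponse=True)


def call_xmlrpc(caller: str, owner: str):
    """Client-side round trip: marshal the call, run the handler, unmarshal the reply.
    Returns ("ok", record) or ("fault", code)."""
    request = dumps((owner,), methodname="get_record")
    response = handle_xmlrpc(request, caller)
    try:
        (result,), _ = loads(response)
        return "ok", result
    except Fault as f:
        return "fault", f.faultCode


if __name__ == "__main__":
    # Same decision surfaces through both transports.
    print(handle_rest("GET", "/records/bob", "alice"))   # manager: 200
    print(handle_rest("GET", "/records/bob", "carol"))   # peer: 403
    print(call_xmlrpc("sec", "carol"))                   # compsec: ("ok", {...})
    print(call_xmlrpc("bob", "alice"))                   # ("fault", 403)
```

In a real deployment the `caller` argument would come from the framework's authentication layer rather than from the request body; the point of the sketch is that adding a third transport (SOAP, a CLI, a dashboard mashup) means writing another adapter over `get_record`, not another copy of `authorize`.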