Access control scalability needed

In a recent interview with Computerworld on the topic of web services, Tony Scott, GM’s CTO, notes that:

“There are two issues for me. One is absolute security, and the other is the scalability of the security model. For GM, scalability is as much an issue as the absolute security. There are lots of things that can be done very securely. They just don’t happen to scale very big. And so this trade-off between scalability and absolute assurance is a tough one. It’s not an easy problem.”

This is an interesting topic and one that is worth exploring.

There are certainly challenges in authentication, but my feeling is that the problems of single (or simplified) sign-on are being understood better and better, and as such it is not that much of an issue. There is a limited number of ways in which one can log in, and the design needn’t change much between a system that supports ten people and one that supports one hundred.

Authorisation and access control, on the other hand, do have scalability issues. Why access control? Surveys (like this one) often show that about half of incidents are perpetrated by internal attackers and half by external ones; only the internal ones, however, translate into higher losses. People using data and systems in ways that are not allowed (and I am not talking about file-swapping and private use of email) are perhaps the most serious source of insider threat. The baseline for protection against this threat is access control.

Today’s IT uses an assortment of access control models, ranging from traditional capabilities to ACLs. The theory is that the tighter the better; practice is often different. Daniel Greer has the following take on the subject.

“If you look at the access control problem, it is a matrix. The rows are requestors and the columns are objects of their desire. Linear growth in either or both means geometric growth in the number of table entries in that matrix. […] We’ve actually seen this phenomenon before — when a RACF permissions list grows beyond a certain size no one can get their head around it anymore. From that point forward, it is natural and efficient to special case what you need to do to get today’s job done and from that moment on there will never again be anyone who can get their head around what RACF is actually doing. An awful lot of legacy systems’ durability is explicitly derived from this combination of ‘essential’ and ‘cannot be understood.’”

Role-based access control is supposed to help, but unfortunately defining roles and responsibilities is a difficult thing, burdened heavily by corporate politics. From a business viewpoint, access control is all about authority and responsibility, so it comes as no surprise that access control is synonymous with organisation charts, sign-off levels, lines of reporting and other institutional tools. Therefore, the introduction of role-based access control is essentially a re-engineering exercise, bringing with it all the issues that made re-engineering almost a dirty word (and without the gains in business productivity).
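An added example in Python (not from the post or from the quoted text) that models the point made in the quote above and the role-based alternative discussed here: it counts the entries an explicit requestor-by-object matrix needs against those a role model needs, and goes one step further by flagging direct grants that no role explains, which are the special cases the quote describes. Every user, object and role below is constructed sample data.

```python
from itertools import product

# Constructed sample data: requestors (rows) and objects (columns).
USERS = ["alice", "bob", "carol", "dave"]
OBJECTS = ["payroll.db", "ledger.db", "hr-files", "build-server"]

# Constructed role model: users get roles, roles get objects.
USER_ROLES = {"alice": {"finance"}, "bob": {"finance"}, "carol": {"hr"}, "dave": {"eng"}}
ROLE_PERMS = {"finance": {"payroll.db", "ledger.db"},
              "hr": {"hr-files", "payroll.db"},
              "eng": {"build-server"}}

def matrix_entries(users, objects):
    """Entries an explicit (user x object) matrix needs: the product of both sizes."""
    return len(users) * len(objects)

def rbac_entries(user_roles, role_perms):
    """Entries RBAC needs: one per user-role assignment plus one per role-object grant."""
    return (sum(len(r) for r in user_roles.values())
            + sum(len(p) for p in role_perms.values()))

def scale(n_users, n_objects, n_roles, perms_per_role, roles_per_user=1):
    """Entry counts (matrix, rbac) for a population of the given sizes."""
    return (n_users * n_objects, n_users * roles_per_user + n_roles * perms_per_role)

def rbac_allowed(user_roles, role_perms, user, obj):
    """Permission check: allowed if any of the user's roles grants the object."""
    return any(obj in role_perms.get(role, set()) for role in user_roles.get(user, set()))

def find_exceptions(matrix, user_roles, role_perms):
    """Direct grants in the explicit matrix that no role explains: the ad-hoc
    special cases that make a permission list impossible to reason about."""
    return sorted((u, o) for (u, o), granted in matrix.items()
                  if granted and not rbac_allowed(user_roles, role_perms, u, o))

# Explicit matrix derived from the roles, plus one ad-hoc grant made
# "to get today's job done" that nobody recorded as a role change.
MATRIX = {(u, o): rbac_allowed(USER_ROLES, ROLE_PERMS, u, o) for u, o in product(USERS, OBJECTS)}
MATRIX[("dave", "ledger.db")] = True

if __name__ == "__main__":
    print("matrix entries:", matrix_entries(USERS, OBJECTS))      # 16
    print("rbac entries:", rbac_entries(USER_ROLES, ROLE_PERMS))   # 9
    print("1000 users x 1000 objects:", scale(1000, 1000, 20, 50))  # (1000000, 2000)
    print("unexplained grants:", find_exceptions(MATRIX, USER_ROLES, ROLE_PERMS))
```

Rerunning the audit after every change to the matrix is what keeps the role model and the deployed permissions from drifting apart.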

Greer’s suggestion is that where access control does not scale, accountability will. This is probably true, but as laws such as HIPAA push towards ever more granular access control, it would seem that the majority of our society has not yet come to the same conclusion, and therefore the scalability of access control, with its social and managerial issues, is not such a bad topic to explore.