I went to an interesting lunch with some identerati, including Bob Blakley, Dale Olds, Pamela Dingle, and Kaliya Hamlin, and I brought up one of Gladwell's most security-relevant articles, where he discussed Treverton's Puzzles and Mysteries:
The national-security expert Gregory Treverton has famously made a distinction between puzzles and mysteries. Osama bin Laden’s whereabouts are a puzzle. We can’t find him because we don’t have enough information. The key to the puzzle will probably come from someone close to bin Laden, and until we can find that source bin Laden will remain at large. The problem of what would happen in Iraq after the toppling of Saddam Hussein was, by contrast, a mystery. It wasn’t a question that had a simple, factual answer. Mysteries require judgments and the assessment of uncertainty, and the hard part is not that we have too little information but that we have too much. The C.I.A. had a position on what a post-invasion Iraq would look like, and so did the Pentagon and the State Department and Colin Powell and Dick Cheney and any number of political scientists and journalists and think-tank fellows. For that matter, so did every cabdriver in Baghdad.
The distinction is not trivial. If you consider the motivation and methods behind the attacks of September 11th to be mainly a puzzle, for instance, then the logical response is to increase the collection of intelligence, recruit more spies, add to the volume of information we have about Al Qaeda. If you consider September 11th a mystery, though, you’d have to wonder whether adding to the volume of information will only make things worse. You’d want to improve the analysis within the intelligence community; you’d want more thoughtful and skeptical people with the skills to look more closely at what we already know about Al Qaeda. You’d want to send the counterterrorism team from the C.I.A. on a golfing trip twice a month with the counterterrorism teams from the F.B.I. and the N.S.A. and the Defense Department, so they could get to know one another and compare notes.
The distinction is important in access control! In authorization you know the subject and you know the object; you need to do some mapping, but it is knowable. Ideally, you should have some patterns to do this. You can make your design tradeoffs between entitlements, roles, delegation, impersonation and so on. But again, it's in a knowable realm; it's an authorization puzzle.
Authentication, ultimately, is not. It is a mystery. And there are lots of things people try to do to demystify this process: add factors, set timeouts, and so on. Just as in statistics you want to separate good data from bad data and not make decisions based on an equal weighting of the two, in security it's essential to separate our puzzle logic from our mystery logic.
But here is why I think this is important from a design standpoint: you don't want to get your puzzles and mysteries mixed up. The things you do in one area don't, or shouldn't, matter in the other. This is one area where the WS-Security and SAML separation of the IdP and the Service Provider has the potential to help quite a bit: the SP doesn't even try to do authN, only authZ. One of the major to-dos coming out of the last OWASP conference was to build up an access control working group and hopefully steer some progress in XACML and SecPal implementation patterns; after all, that part is just a puzzle.
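To make the separation concrete, here is an added example (my own illustration, not code from the post or from any SAML/XACML implementation) of an SP that consumes an assertion from an IdP and then answers only the authorization puzzle. The Assertion and Rule structures, the sample policy, and the subjects alice and bob are constructed stand-ins for a SAML assertion and XACML rules, not the real wire formats. The SP checks that the assertion is still within the lifetime the IdP granted, then evaluates a deterministic deny-overrides policy over the asserted attributes; it never looks at credentials or factors, which stay on the IdP side where the mystery lives.

```python
# Added example: keeping the SP's authorization "puzzle" separate from the
# IdP's authentication "mystery". Assertion/Rule are simplified stand-ins for
# SAML assertions and XACML rules, not the real formats.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Assertion:
    """What the IdP vouches for: who the subject is, which attributes it has,
    how it authenticated, and how long the IdP stands behind the claim."""
    subject: str
    attributes: frozenset       # entitlements/roles asserted by the IdP
    factors: frozenset          # e.g. {"password", "otp"}; the IdP's concern, not the SP's
    issued_at: datetime
    lifetime: timedelta

    def is_fresh(self, now: datetime) -> bool:
        return timedelta(0) <= now - self.issued_at <= self.lifetime


@dataclass(frozen=True)
class Rule:
    """One row of the SP's mapping from (attributes, action, resource) to a decision."""
    effect: str                 # "permit" or "deny"
    action: str                 # concrete action, or "*" for any action
    resource_prefix: str
    required_attributes: frozenset = frozenset()

    def applies(self, assertion: Assertion, action: str, resource: str) -> bool:
        return (self.action in ("*", action)
                and resource.startswith(self.resource_prefix)
                and self.required_attributes <= assertion.attributes)


def decide(policy, assertion: Assertion, action: str, resource: str, now: datetime) -> str:
    """Deny-overrides evaluation with default deny. A stale assertion is simply
    refused so the subject goes back to the IdP; the SP never re-authenticates."""
    if not assertion.is_fresh(now):
        return "deny"
    applicable = [r for r in policy if r.applies(assertion, action, resource)]
    if any(r.effect == "deny" for r in applicable):
        return "deny"
    if any(r.effect == "permit" for r in applicable):
        return "permit"
    return "deny"


# Constructed sample policy, clock and assertions for the demo.
POLICY = (
    Rule("permit", "read",  "/docs/",         frozenset({"employee"})),
    Rule("permit", "write", "/docs/",         frozenset({"editor"})),
    Rule("deny",   "*",     "/docs/finance/", frozenset({"contractor"})),
)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=2)                     # past the one-hour lifetime below
ALICE = Assertion("alice", frozenset({"employee", "editor"}),
                  frozenset({"password", "otp"}), NOW - timedelta(minutes=10), timedelta(hours=1))
BOB = Assertion("bob", frozenset({"employee", "contractor"}),
                frozenset({"password"}), NOW - timedelta(minutes=10), timedelta(hours=1))


def run_demo() -> dict:
    """Decisions for a handful of requests, so the separation is visible."""
    return {
        "alice_write_finance": decide(POLICY, ALICE, "write", "/docs/finance/q3.xlsx", NOW),
        "bob_read_finance":    decide(POLICY, BOB, "read", "/docs/finance/q3.xlsx", NOW),
        "bob_read_handbook":   decide(POLICY, BOB, "read", "/docs/handbook.pdf", NOW),
        "alice_read_admin":    decide(POLICY, ALICE, "read", "/admin/users", NOW),
        "alice_stale":         decide(POLICY, ALICE, "read", "/docs/handbook.pdf", LATER),
    }


if __name__ == "__main__":
    for request, decision in run_demo().items():
        print(f"{request}: {decision}")
```

The point of the structure is that every input to `decide` is either a fact the IdP asserted or a fact the SP already holds (its policy, the requested action and resource), so the decision is reproducible and testable, while the uncertain judgement about whether the person behind the session is really alice lives entirely in the IdP's choice of factors and lifetime.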