This just in: security people are beginning to understand that in the real world access control is much harder than crypto. An amusing post from Thomas Ptacek. It's always amazed me that people are always saying, "hey, don't write your own crypto! That is hard stuff, leave it to the pros at the shop."
"Normally, everything is split up and problems are solved separately. That makes individual problems easy to solve, but the connections between the problems become very complicated, and something simple ends up in a real mess. If you integrate it in the first place, that turns out to be the most simple solution. You have to think ahead and you must always expect the unexpected."
- Jan Benthem, Schiphol airport chief architect
In crypto, things are split, or rather you have to split them up to determine the data or channel you're encrypting, but the mechanism is integrated from the get-go and you have some visibility into whether encrypt/decrypt and sign/verify are working.
In access control, however, things are "split up and problems are solved separately": you supposedly classify your data, define roles, groups, and objects, do a big mapping, and voila, an access control matrix.
Unfortunately, your access control matrix is not code; it needs to be mapped to several zillion config files, URLs, resources, SOAP calls, and on and on. Your simple access control matrix ends up in a "real mess".
Crypto theory is vastly harder on the whiteboard than access control (Subject-Object-Session, how hard is that?). In practice, implementation is the exact opposite. Yet we are told that crypto is only to be done by the high priests, whilst junior programmers build access control functions every day.
A good point: "your access control matrix is not code"
Why is that so? Why don't we have adapters on all those different levels, mapping to the same access control matrix? How hard would such a mapping be? What would it look like?
Of course, there is the whole XACML architecture. For large projects XACML might be the right answer. But who is to read and understand, or even write, XACML policies? I'd say we'd need something that is easier to grasp for domain experts, not only security experts. Anything out there?
Posted by: Steffen Bartsch | June 05, 2009 at 02:59 AM
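As an added example (not code from the post or the comment; the subjects, objects, URLs and operation names are hypothetical), this is what one matrix behind several adapters can look like: each enforcement surface resolves its own vocabulary (HTTP request, RPC operation) to a matrix cell, a single function decides with default deny, and an audit function shows where the mapping between matrix and enforcement points has drifted, which is exactly where the "real mess" starts.

```python
"""One access control matrix, several enforcement surfaces (added example).
All subjects, objects, URL patterns and operation names are hypothetical."""
from fnmatch import fnmatch

# The whiteboard matrix: subject -> object -> set of rights.
MATRIX = {
    "clerk":   {"invoice": {"read"}},
    "manager": {"invoice": {"read", "approve"}, "payroll": {"read"},
                "report": {"read"}},   # no adapter below enforces this cell
}

# Adapter 1, HTTP surface: (method, URL pattern) -> (object, right).
URL_MAP = {
    ("GET",    "/invoices/*"):         ("invoice", "read"),
    ("POST",   "/invoices/*/approve"): ("invoice", "approve"),
    ("GET",    "/payroll/*"):          ("payroll", "read"),
    ("DELETE", "/invoices/*"):         ("invoice", "delete"),  # no row grants this
}

# Adapter 2, RPC/SOAP surface: operation name -> (object, right).
RPC_MAP = {
    "GetInvoice":     ("invoice", "read"),
    "ApproveInvoice": ("invoice", "approve"),
    "GetPayroll":     ("payroll", "read"),
}

def allowed(subject, obj, right):
    """The single decision point; unknown subject or object means deny."""
    return right in MATRIX.get(subject, {}).get(obj, set())

def check_url(subject, method, path):
    """Resolve an HTTP request to a matrix cell, then decide. Unmapped URL: deny."""
    for (m, pattern), cell in URL_MAP.items():
        if m == method and fnmatch(path, pattern):
            return allowed(subject, *cell)
    return False

def check_rpc(subject, operation):
    """Resolve an RPC operation to a matrix cell, then decide. Unmapped op: deny."""
    cell = RPC_MAP.get(operation)
    return allowed(subject, *cell) if cell else False

def unmapped_cells():
    """Audit the mapping: cells the matrix grants but no adapter enforces
    (resources reachable outside the matrix) and cells adapters target but
    no row grants (dead or misnamed rights). Both are drift to investigate."""
    granted = {(o, r) for row in MATRIX.values() for o, rs in row.items() for r in rs}
    enforced = set(URL_MAP.values()) | set(RPC_MAP.values())
    return sorted(granted - enforced), sorted(enforced - granted)
```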