« Begin the Begin - Cloud Security | Main | Dangers of Mixed Incentives »

Simple Matrix = Real Mess

This just in: security people are beginning to understand that in the real world access control is much harder than crypto. An amusing post from Thomas Ptacek. Its always amazed me that people are always saying - "hey don't write your own crypto! that is hard stuff - leave it to the pros at the shop."


then when it comes to protecting the keys and cryptosystems, what do you need? why authN, authZ, and audit - your basic access control systems. and people write their own from scratch all the time and no one says boo. A lot of this is marketing and golf of course. But I have never really been able to figure out why people are so adamant that you should NEVEREVEREVER write you own crypto, but sure go ahead and do programmatic authN/authZ/session mgmt. It makes no sense, but then I figured it out, or rather a Dutch guy did

"Normally, everything is split up and problems are solved separately. That makes individual problems easy to solve, but the connections between the problems become very complicated, and something simple ends up in a real mess. If you integrate it in the first place, that turns out to be the most simple solution. You have to think ahead and you must always expect the unexpected." 

- Jan Benthem, Schipol airport chief architect

In crypto things are split or rather you have to split them up to determine the data or channel you're encrypting. Its integrated from the get go and you have some visibility into whether encrypt/decrypt and sign/verify are working.

In access control however things are "split up and problems are solved separately", you supposedly classify your data, define roles, groups, and objects do a big mapping and voila - an access control matrix. 

Unfortunately, your access control matrix is not code, it needs to be mapped to several zillion config files, URLs, resources, SOAP calls, and on and on. Your simple access control matrix ends up in a "real mess"

Crypto theory is vastly harder on the whiteboard than access control (Subject-Object-Session how hard is that?). In practice, implementation is the exact opposite. Yet we are told that crypto is only to be done by the high priests whilst junior programmers build access control functions every day.

June 04, 2009 in Security |

Comments

Steffen Bartsch

A good point: "your access control matrix is not code"

Why is that so? Why don't we have adapters on all those different levels, mapping to the same access control matrix? How hard would such a mapping be? How would it look like?

Of course, there is the whole XACML architecture. For large projects XACML might be the right answer. But who is to read and understand or even write XACML policies? I'd say we'd need something being easier to grasp for domain experts, not only security experts. Anything out there?

Posted by: Steffen Bartsch | June 05, 2009 at 02:59 AM

The comments to this entry are closed.