Back in January 2009, I put together a to-do list for enterprise security, including this:
While we're at it - can we agree to stop writing access control from scratch? There are plenty of good libraries out there. Everyone always says "ohmygoshyoucantwriteyourowncryptodonchaknow!!!", but then what do they do? They protect the key(s) with some hand-rolled access control foo. It makes no sense.
In the case of what we know about WikiLeaks, it's not about breaking crypto; it's that access control is approximately seventy billion times harder to deploy in the real world than crypto. Note, I am not saying that crypto is easy, just that it is far simpler than access control. The access control matrix could not be simpler: subjects on one axis, objects on the other, the rights (capabilities or roles) in the cells. But that picture is too simple: how is it integrated with the systems that actually hold the subjects and objects? Deployed for real, this simple matrix results in a real mess.
Why do people do this to themselves?
People don't write their own virus protection, but for some reason they attempt to do their own input validation; it is the exact same problem. People routinely write their own authentication, authorization and audit. I could go on.
I have rarely seen an industry so ripe for disruptive innovation as software security.
What gains does any enterprise get from reinventing the wheel on access control?
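To make the "simple matrix, messy integration" point concrete, here is an added example (not code from the original post): the access control matrix implemented literally, subjects by objects with rights in the cells, plus the role layer that real deployments put on top of it. The subjects, objects, roles and rights are constructed sample data; the snapshot-style `compile()` is my own design choice, used to show the caveat the post gestures at, namely that the matrix itself is trivial while keeping a derived matrix consistent with management changes is where deployments go wrong.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    """Rights a subject can hold on an object; combine with |."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    ADMIN = auto()


@dataclass
class AccessMatrix:
    """Subjects on one axis, objects on the other, rights in the cells.
    Only non-empty cells are stored, so an absent cell means no rights
    and the default decision is deny."""
    cells: dict[tuple[str, str], Right] = field(default_factory=dict)

    def rights(self, subject: str, obj: str) -> Right:
        return self.cells.get((subject, obj), Right.NONE)

    def grant(self, subject: str, obj: str, right: Right) -> None:
        self.cells[(subject, obj)] = self.rights(subject, obj) | right

    def revoke(self, subject: str, obj: str, right: Right) -> None:
        remaining = self.rights(subject, obj) & ~right
        if remaining:
            self.cells[(subject, obj)] = remaining
        else:
            self.cells.pop((subject, obj), None)  # drop empty cells

    def check(self, subject: str, obj: str, right: Right) -> bool:
        """Reference-monitor decision: every requested bit must be held."""
        return (self.rights(subject, obj) & right) == right

    def acl(self, obj: str) -> dict[str, Right]:
        """Column view: the object's ACL (who holds what on it)."""
        return {s: r for (s, o), r in self.cells.items() if o == obj}

    def capabilities(self, subject: str) -> dict[str, Right]:
        """Row view: the subject's capability list."""
        return {o: r for (s, o), r in self.cells.items() if s == subject}


@dataclass
class RoleModel:
    """The indirection real deployments add: subjects get roles, roles get
    permissions on objects, and the matrix is derived from both."""
    role_perms: dict[str, dict[str, Right]] = field(default_factory=dict)
    assignments: dict[str, set[str]] = field(default_factory=dict)

    def permit(self, role: str, obj: str, right: Right) -> None:
        perms = self.role_perms.setdefault(role, {})
        perms[obj] = perms.get(obj, Right.NONE) | right

    def assign(self, subject: str, role: str) -> None:
        self.assignments.setdefault(subject, set()).add(role)

    def unassign(self, subject: str, role: str) -> None:
        self.assignments.get(subject, set()).discard(role)

    def compile(self) -> AccessMatrix:
        """Expand roles into a plain matrix; a snapshot, not a live view."""
        matrix = AccessMatrix()
        for subject, roles in self.assignments.items():
            for role in roles:
                for obj, right in self.role_perms.get(role, {}).items():
                    matrix.grant(subject, obj, right)
        return matrix


def demo() -> dict[str, bool]:
    """Constructed sample data; returns the decisions so they can be checked."""
    model = RoleModel()
    model.permit("analyst", "report-q1", Right.READ)
    model.permit("editor", "report-q1", Right.READ | Right.WRITE)
    model.permit("key-custodian", "master-key", Right.ADMIN)
    model.assign("alice", "analyst")
    model.assign("bob", "editor")
    model.assign("bob", "key-custodian")

    matrix = model.compile()
    results = {
        "alice_reads_report": matrix.check("alice", "report-q1", Right.READ),
        "alice_writes_report": matrix.check("alice", "report-q1", Right.WRITE),
        "bob_admins_key": matrix.check("bob", "master-key", Right.ADMIN),
        "unknown_subject_denied": matrix.check("mallory", "report-q1", Right.READ),
    }
    # Integration problem in miniature: revoking bob's role changes the model,
    # but a matrix compiled earlier keeps granting until it is rebuilt.
    model.unassign("bob", "key-custodian")
    results["bob_admins_key_after_recompile"] = model.compile().check(
        "bob", "master-key", Right.ADMIN)
    results["stale_matrix_still_grants"] = matrix.check(
        "bob", "master-key", Right.ADMIN)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

The matrix class is about thirty lines and is not where the difficulty lies. The difficulty shows up in `RoleModel`: every place that consumes a compiled matrix (a cache, a token, a replicated policy store) has to learn about the revocation, or the stale copy keeps saying ALLOW, which is exactly the kind of plumbing a maintained library has already had to get right.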
I don't think it's so much the access control code, though, as it is the scalability (or lack thereof) of the related management functions. Implementing access control for 5, 10, 50, 5k... this isn't too bad at scale. However, increase that to tens if not hundreds of thousands and I think the management of the model - any access control model - ends up collapsing. fwiw.
Posted by: Ben | December 09, 2010 at 08:18 PM