Tim’s Weblog Tim's Weblog
Tim Strehle’s links and thoughts on Web apps, managing software development and Digital Asset Management, since 2002.
2006-01-19

Access control, monoculture, and accountability

Jon Udell at InfoWorld - Access control, monoculture, and accountability:

"Geer argues that access control lists -- although they’ll remain a vital ingredient of information security -- can’t take us where we now must go. The reason is that linear growth in the number of people you authenticate, or the number of resources you control their access to, or both, results in geometric growth of the matrix of checkboxes you must fill out. Every checkbox requires an explicit choice, and it gets impossibly hard to keep up.

The way forward, Geer suggests, is not to abandon ACLs but rather to augment them with aggressive monitoring that holds people accountable for behaviors that can’t economically be permitted or denied. ACLs don’t scale because checkbox maintenance requires a scarce resource: the human decision-maker. Accountability does scale because event logging and data analysis ride the favorable current of Moore’s law."

Thu, 19 Jan 2006 12:48:49 +0000