Passwords and Aliens
Many alien-invasion movies rely on this plot device: the aliens have one central ship, or queen, or machine that can be destroyed, rendering all the aliens powerless. We’ve seen this in: The Avengers, Battle: Los Angeles, Cowboys & Aliens, Edge of Tomorrow, Independence Day and many, many other films.
I call this the SPOF ex machina, where SPOF stands for “Single Point of Failure.”
We laugh at the writers who predicate their plot on such a weak device.
And yet… in cybersecurity we humans fall into this same trap all the time. We put all our app-defending eggs in one basket: the front door. We guard that front door like it’s a bank vault. We use two-factor authentication, password complexity rules and other devices to bar entry to the uninvited. Various network- and application-level firewalls deter some attacks and cybervandalism. But once someone (authorized or not) gets in the system, anything goes.
Guarding different doors differently
A security system works best if it is adapted to its use case. To protect your own house, guarding the front door makes sense: once you’re home, you should be able to go anywhere and do anything. But if you’re protecting a hotel, you want a guest’s key to open: the front door, their own room, and maybe the spa — that’s it. The security guard’s key should open many other (but not all) doors. Differentiated access is how we prove we’re smarter than movie aliens, and how we best manage a system that combines shared and private resources.
Access Control is the phrase used to describe this software feature set. But it is also the phrase used by people who make combination keypads and remote-control doors, or “physical access control.” The confusion is made worse by “flavors” of access control: role-based (RBAC), attribute-based (ABAC) and so on.
Language issues aside, something has gone wrong in the evolution of access-control systems. We’ve ended up with big, complex (and expensive!) systems aimed at very large organizations, with features that primarily address regulatory compliance and big-company IT concerns; while on the smaller-organization end of the spectrum, systems that are largely homemade and all too often inadequate for their intended use.
Eggs & baskets & doors, oh my!
We mock aliens who put all their “eggs” in one basket (the mother ship, etc.) yet many software applications do just that. They provide no access control, or they provide a simplistic and rigid level of access control that feels like the developers are saying “here you go, now please stop bothering me.”
On no planet do Admin, User, Guest cover all the use cases, even for a small organization. And on no planet does the resident intelligent life-form enjoy managing access control separately across three, five or 24 different applications, to express the simple policy that “Gertrude can edit content.” Such a system is error-prone and does not scale well. It’s putting a single egg in each basket, roughly as silly as putting them all in one basket.
This is the problem we are trying to solve. Please help us, or let us help you.
Photo credit: Miriam Espacio on Unsplash
Originally published at www.hubrix.co on January 10, 2018.
