Levels Taught:
Elementary, Middle School, High School, College, University, PhD
| Teaching Since: | Apr 2017 |
| Last Sign in: | 103 Weeks Ago, 3 Days Ago |
| Questions Answered: | 4870 |
| Tutorials Posted: | 4863 |
MBA IT, Master in Science and Technology
Devry
Jul-1996 - Jul-2000
Professor
Devry University
Mar-2010 - Oct-2016
How would you organize your information resources so that only authorized individuals, both internal and external, have access to the information they need in order to carry out their job responsibilities? Is perfect access control possible? What do you think? Weigh in on the debate (see attached).
https://learn.umuc.edu/content/enforced/172416-026824-01-2168-GO1-9044/SchneierRanum_FaceOff_Is_Perfect_Access_Control_Possible.pdf
http://searchsecurity.techtarget.com/magazineContent/Schneier-Ranum-Face-Off-Is-Perfect-Access-Control-Possible

June 9, 2012

Schneier-Ranum Face-Off: Is Perfect Access Control Possible?

Point: Bruce Schneier

Access control is difficult in an organizational setting. On one hand, every employee needs enough access to do his job. On the other hand, every time you give an employee more access, there's more risk: he could abuse that access, or lose information he has access to, or be socially engineered into giving that access to a malfeasant. So a smart, risk-conscious organization will give each employee the exact level of access he needs to do his job, and no more.

Over the years, there's been a lot of work put into role-based access control. But despite the large number of academic papers and high-profile security products, most organizations don't implement it--at all--with the predictable security problems as a result.

Regularly we read stories of employees abusing their database access-control privileges for personal reasons: medical records, tax records, passport records, police records. NSA eavesdroppers spy on their wives and girlfriends. Departing employees take corporate secrets.

A spectacular access control failure occurred in the UK in 2007. An employee of Her Majesty's Revenue & Customs had to send a couple of thousand sample records from a database on all children in the country to National Audit Office. But it was easier for him to copy the entire database of 25 million people onto a couple of disks and put it in the mail than it was to select out just the records needed. Unfortunately, the discs got lost in the mail, and the story was a huge embarrassment for the government.

Eric Johnson at Dartmouth's Tuck School of Business has been studying the problem, and his results won't startle anyone who has thought about it at all. RBAC is very hard to implement correctly. Organizations generally don't even know who has what role. The employee doesn't know, the boss doesn't know--and these days the employee might have more than one boss--and senior management certainly doesn't know. There's a reason RBAC came out of the military; in that world, command structures are simple and well-defined.

Even worse, employees' roles change all the time--Johnson chronicled one business group of 3,000 people that made 1,000 role changes in just three months--and it's often not obvious what information an employee needs until he actually needs it. And information simply isn't that granular. Just as it's much easier to give someone access to an entire file cabinet than to only the particular files he needs, it's much easier to give someone access to an entire database than only the particular records he needs.

This means that organizations either over-entitle or under-entitle employees. But since getting the job done is more important than anything else, organizations tend to over-entitle. Johnson estimates that 50 percent to 90 percent of employees are over-entitled in large organizations. In the uncommon instance where an employee needs access to something he normally doesn't have, there's generally some process for him to get it. And access is almost never revoked once it's been granted. In large formal organizations, Johnson was able to predict how long an employee had
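The article's three complaints about RBAC in practice are that permissions are too coarse (whole database versus a sample of records), that exceptions granted through "some process" are never revoked, and that nobody audits who is over-entitled. The following is an added example written for this page; it is not code from the article, from Schneier, or from the HMRC case. It models a small role-based scheme with deny-by-default checks, time-bound exceptions that expire on their own, revocation of every exception when a role changes, and an audit that lists each permission a user holds beyond what their roles justify. The resource name `records_db`, the role names, the action names and the user names are all constructed sample data.

```python
"""Least-privilege RBAC model with time-bound exceptions and an over-entitlement audit."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Permission = (resource, action). These role definitions are constructed sample data:
# "read_sample"/"export_sample" cover the few-thousand-record case, "read_all"/"export_all"
# the whole database. Only the DBA role may touch the whole database.
ROLE_PERMISSIONS = {
    "auditor": {("records_db", "read_sample")},
    "analyst": {("records_db", "read_sample"), ("records_db", "export_sample")},
    "dba": {("records_db", "read_sample"), ("records_db", "export_sample"),
            ("records_db", "read_all"), ("records_db", "export_all")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Grants made outside the role model, each tied to an expiry date.
    exceptions: dict = field(default_factory=dict)  # (resource, action) -> date


def role_permissions(roles):
    """Union of the permissions implied by a set of roles; an unknown role raises KeyError."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def effective_permissions(user, today):
    """Role permissions plus exceptions that have not yet expired."""
    live = {perm for perm, expires in user.exceptions.items() if expires >= today}
    return role_permissions(user.roles) | live


def is_authorized(user, resource, action, today):
    """Deny by default: only an explicit role permission or a live exception grants access."""
    return (resource, action) in effective_permissions(user, today)


def grant_exception(user, resource, action, today, days=14):
    """Time-bound grant for the case where someone needs something outside their role."""
    user.exceptions[(resource, action)] = today + timedelta(days=days)


def change_role(user, old_role, new_role):
    """Swap roles and drop every exception: they were justified by the old job, not the new one."""
    user.roles.discard(old_role)
    user.roles.add(new_role)
    revoked = set(user.exceptions)
    user.exceptions.clear()
    return revoked


def audit_over_entitlement(users, today):
    """Map each user to the permissions held beyond their roles, with a status per grant."""
    findings = {}
    for user in users:
        base = role_permissions(user.roles)
        excess = {}
        for perm, expires in user.exceptions.items():
            if perm in base:
                excess[perm] = "redundant"            # already implied by a role
            elif expires < today:
                excess[perm] = "expired-not-revoked"  # stale record that should be cleaned up
            else:
                excess[perm] = "active-exception"     # legitimate, but needs periodic review
        if excess:
            findings[user.name] = excess
    return findings


if __name__ == "__main__":
    today = date(2024, 1, 10)  # constructed reference date
    alice = User("alice", {"analyst"})
    print(is_authorized(alice, "records_db", "export_sample", today))  # True
    print(is_authorized(alice, "records_db", "export_all", today))     # False
    grant_exception(alice, "records_db", "export_all", today, days=3)
    print(audit_over_entitlement([alice], today + timedelta(days=5)))
    print(change_role(alice, "analyst", "dba"))
```

The design choice worth noting is that an exception is never "permanent": it carries an expiry, it disappears on any role change, and the audit reports it even while it is valid, so the over-entitlement Johnson measures shows up as a list rather than staying invisible.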