Tuesday, November 04, 2008

A brief history of Access Control

Access Control is an important part of the computer security realm. It is complex, hard to achieve in a robust and bullet-proof manner and it will always screw up ordinary users that want to surf and play around without being confronted with nasty restrictions, decisions and limitations. Is this realistic, achievable? Well, everything seems to be a big loop in the computer and software industry [a reference to the good old times :-)]. Take the cloud-stuff as example. Sharing resources and deploying thin clients is not that new. Its just branded (and pushed) like a new hype. Where is the relation to access control? Access control can be implemented in the operating system (OS) as well as in other layers of the application stack. I’m gonna focus on the OS level here. I remember times [aka as the good old times :-)] where user-rights in terms of access control were very limited. The change came with the advent of personal computing. Everybody wants to be an admin (and can be an admin) very easily, even programmers. In case of a disconnected, single-user machine, it might not be a problem. But this is not a valid scenario. We want and need the Internet. Yes! But beside all the cool stuff, male-ware is everywhere, and needs our machines as host or target. We are easy prey when running everything as admin. So we need to get back to the good old times [in order to complete the loop:-)]. In Vista, a serious attempt has been started. It might be boring to get asked all the time when feeling like an admin (but just being a standard user for the process in execution which is the parent process for later stuff). And, it might be cumbersome to maintain the virtualized registries for the old programs. Security versus usability and maintainability, this is the battle that it is raging. It should be fought and security must prevail (in the era of identity theft, male-ware and root-kits); especially when everything is running in the clouds. Hopefully, smart people will come up with some smooth solutions that make limited user-rights in terms of access control more acceptable.

No comments: