I just love distributed conversations: they give everyone an opportunity to put their two cents in whilst allowing them the time they need to formulate their ideas. That is where my two posts ([1] and [2]) about the current state of network security, in particular directory service products, came from.

Both Rocky and Daniel have contributed to the discussion once again with their posts here and here respectively. Rocky has started putting his solution hat on and is looking at ways we could make it work. He is talking about online forms being routed for central approval and a better AD user interface.

The forms routing technique would work and be acceptable if the form was routed not to a system administrator but to your line manager, or more specifically the next person above you in the organisation chart who has the authority to approve your request. I don’t like any system where someone outside the business domain is responsible for approving requests, and I will explain why when I talk about Daniel’s post.

Rocky previously mentioned (in his first blog post) that if users managed their own security things would quickly get scrambled. I want to clarify: I would never endorse users being able to elevate their own set of authorisations; you couldn’t have a security system that did that. But you can have a system where an end user with the delegated authority to grant permissions is involved rather than a system administrator. This end user would be a business user, not a technologist.

Given that no one would be able to grant permissions that they don’t have the right to, you can’t get into too much trouble, although the astute reader may point out that you could end up with thousands of very fine-grained permissions instead of a well-ordered group hierarchy. I’ll talk about this when I put forward my proposal.
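To make the two constraints above concrete (a request is routed up the organisation chart to the first person with approval authority, and an approver can only grant a permission they themselves hold, never to themselves), here is a small model of that flow. This is an added example, not code from the original post or from any directory product; the org chart, the names (alice, bob, carol, sysadmin) and the permission strings are constructed for illustration.

```python
"""Toy model of a business-side access approval flow.

Rules enforced:
  * a request is routed up the org chart to the first person above the
    requester who holds delegated approval authority;
  * an approver must be somewhere in the requester's reporting line;
  * an approver may only grant a permission they themselves hold;
  * nobody can approve a request for themselves.

The org chart, names and permission strings are constructed sample data.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class ApprovalError(Exception):
    """Raised when a request cannot be routed or a grant is not allowed."""


@dataclass
class Directory:
    # employee -> line manager (None marks the top of the chart)
    manager_of: Dict[str, Optional[str]]
    # employee -> permissions currently held
    held: Dict[str, Set[str]] = field(default_factory=dict)
    # employees with delegated authority to approve access requests
    approvers: Set[str] = field(default_factory=set)
    # (approver, requester, permission) for every successful grant
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def reporting_line(self, person: str) -> List[str]:
        """Managers above `person`, nearest first. Detects cycles in the chart."""
        line: List[str] = []
        seen = {person}
        manager = self.manager_of.get(person)
        while manager is not None:
            if manager in seen:
                raise ApprovalError("cycle in org chart")
            seen.add(manager)
            line.append(manager)
            manager = self.manager_of.get(manager)
        return line

    def route(self, requester: str) -> str:
        """Return the first person above the requester who can approve."""
        for manager in self.reporting_line(requester):
            if manager in self.approvers:
                return manager
        raise ApprovalError(f"no approver above {requester}")

    def approve(self, approver: str, requester: str, permission: str) -> None:
        """Grant `permission` to `requester` if `approver` is allowed to do so."""
        if approver == requester:
            raise ApprovalError("users cannot elevate their own permissions")
        if approver not in self.approvers:
            raise ApprovalError(f"{approver} has no approval authority")
        if approver not in self.reporting_line(requester):
            raise ApprovalError(f"{approver} is not in {requester}'s reporting line")
        if permission not in self.held.get(approver, set()):
            raise ApprovalError(f"{approver} cannot grant {permission}: not held")
        self.held.setdefault(requester, set()).add(permission)
        self.audit.append((approver, requester, permission))


def try_approve(d: Directory, approver: str, requester: str, perm: str) -> str:
    """Convenience wrapper: 'granted' or the reason the grant was refused."""
    try:
        d.approve(approver, requester, perm)
        return "granted"
    except ApprovalError as e:
        return str(e)


def build_demo() -> Directory:
    """Constructed sample: bob is alice's line manager but has no approval
    authority, so alice's requests route past him to carol. The sysadmin
    holds far more permissions than carol but is not in alice's line."""
    return Directory(
        manager_of={"alice": "bob", "bob": "carol", "carol": None, "sysadmin": "carol"},
        held={
            "carol": {"finance:read"},
            "sysadmin": {"finance:read", "finance:write", "domain:admin"},
        },
        approvers={"carol", "sysadmin"},
    )


if __name__ == "__main__":
    d = build_demo()
    print("route alice ->", d.route("alice"))
    print(try_approve(d, "carol", "alice", "finance:read"))
    print(try_approve(d, "carol", "alice", "finance:write"))
    print(try_approve(d, "sysadmin", "alice", "finance:write"))
    print(try_approve(d, "alice", "alice", "domain:admin"))
    print("alice now holds", sorted(d.held["alice"]))
```

Note what the model deliberately cannot express: carol cannot hand out `finance:write` because she does not hold it, and the sysadmin, despite holding everything, is refused because they are not in alice's reporting line. That is the property that keeps a delegated scheme from scrambling, at the cost of the fine-grained permission sprawl mentioned above.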

Daniel had an idea where something like instant messenger would be used as part of an access request mechanism, involving an automated agent (sentry) and possibly a system administrator if a manual approval needs to take place.

I like where Daniel’s head is at, but his solution has a couple of flaws that would need to be addressed, specifically:

  1. Potentially not secure: how is the access requester authenticated?
  2. Potentially tied to an instant messenger as a communications link.
  3. Involves the system administrator in a business level access request.

The first two are really technical issues that could be easily addressed, but the third is an important business problem. Government departments, law enforcement agencies and armed forces (at least in Australia) use a common security classification scheme which has a number of levels and streams.

The classification scheme is significant because in order to even be considered eligible to get access to a piece of information you need to be cleared up to the appropriate level in the correct stream. In addition to requiring the correct clearance level you must have the “need to know”.

I guess the point that I am making is that while a system administrator might have the level of security clearance required, they rarely if ever have the “need to know”. Having said that, if the first two issues with Daniel’s solution could be addressed I am sure the third could be as well.