App Security: Throw Out the Org Chart!
"Only administrators can add users-- no exceptions! ...except Bob in accounting, but that's because he's covering for Sally. But only until February. And this sort of arrangement might happen again. But most of the time, it won't. I mean.. ninety-nine point nine percent of the time. But there might be exceptions... ".
Sound like a requirement you've heard before? How did you handle it?
In an earlier post, I stated that all security models are idiosyncratic, and that the way you go about designing for security must reflect the nuances and -isms of your organization. You might mistake the form used to express the model (HR records, existing databases, or some XML schema) as your security model, but you risk an uphill battle getting your organization (and I mean the people here, not boxes and circles on an org chart) to accept the result.
All of this has less to do with how we design software and everything to do with the way people organize into groups..
Groups and hierarchies are never fixed-- fluctuations occur, even if the rate of change varies from organization to organization. We see this all the time in our everyday interactions-- associations can be temporal in nature, two groups may need to work together on occasion (but only, say, within a certain context). Ownership can cut across hierarchies, and influence can shift from one group to another based on other environmental factors.
A well designed security model needs to accommodate for these kinds of factors (even if it means fluidity in some areas, and stringency in others). Handling exceptions to the original security model are key, and the sooner people discuss it while building a piece of software, the better.
The bad news is that your IT department has chosen to see your company through a fixed lens, and will attempt to enforce the same level of stringency across the organization as a whole. But can you blame them? Two department heads suddenly decide to pool their resources for a period of time to make a deadline, requiring a temporary loosening of security restrictions, and suddenly the onus is on IT to work late hours dealing with the fallout. Something which might have started as a simple conversation between two managers inadvertently puts an otherwise stable security model at risk.
So why do we expect rigid specifications when solving the problem of security in the first place? After all, these specifications often reflect only a snapshot of the structure of an organization, and rarely its propensity for change.
Colleagues of mine cite external factors as the driving force behind the need for stringent security models in the enterprise (identity theft, liability, or a third party requirement). I don't mean to discount the importance of these types of requirements, but the big risk here is mistaking contractual specifications (e.g. "PCI compliance" or "HIPAA compliance") for a security model. The two are not the same thing.
All of this leads me to the conclusion that a contractual specification is not a substitute for a security model.
The former specifies an agreement between organizations in how to handle certain business transactions, while the latter dictates user roles and access rights and even more importantly, the process by which authorization can change based on fluctuations within the organization.
Before you choose a security model for your application(s), you have to understand how the organization can change. It may be useful to look at an org chart to build a vocabulary, but in most cases you are just as well served by tossing it aside.
Topics: authorization, modeling, Security
Comments: 3 so far
Leave a comment
About Pathfinder
Follow the Blog
-
Get a monthly update on best practices for delivering successful software.
Subscribe via email
Subscribe via RSS
Categories
Topics
.NET
.NET Browser Control
2d physics
3d
3D GPS
3D physics
37signals
Acceptance Tests
Accessibility
ActionMailer
actionscript
activerecord
acts_as_ferret
Add new tag
Adium
ADO.NET Entity Framework
Adobe
Adobe AIR
adobe flex
Adobe Illustrator
Advertising
aggregation
agile
Agile Development
agile thinking
AIR
Ajax
Ajax Applications
Ajax Bookmarking
Ajax Components
Ajax Development
Ajax Examples
Ajax Experience
Ajax Frameworks
Ajax history management
Ajax Intervention
Ajax libraries
Ajax library
AJAX Obfuscation
Ajax Performance
Ajax Products
Ajax toolkit
Ajax Tools
Ajax Widgets
A list apart
Amazon
Amazon CDN
Amazon Web Services
amf
Analysis
Android
animation
Announcement
Announcements
antennae
Antipatterns
Apache
Apollo
apple
Application Architecture
Application Development
architecture
AS3
ask a UI guy
ASP.NET
ASP.NET
asterisk
Asynchronous Processing
authorization
awards
axiis
Azure
Back Button
backups
bandwidth
bandwidth profiling
Beans
beer
Benchmarking
Best Practices
BitmapData.draw
BJAX
blackberry
Blaze Advisor
blender
blog
blogging
book review
Books
braindump
browser
Browsers
Bugs
Business
Business Reasons for Ajax
Business Rules
C#
caching
campfire
Canvas
capistrano
Case Studies
CFO
Charles
checklist
chess
Chesspresso
Chicago
chicagoruby
chirb windycityrails
CIO
Cloud Computing
CloudFront
CMS
COBOL
Cocoa
code
code art
Code Generation
code generator
Color
COMET
Conference
Confluence
Consistency
Content Management
continuous integration
converget appliances
core animation
CRM
cruise
CruiseControl
CSS
cucumber
Custom Application Development
Custom Flex Component
Data Mapper
data visualization
Degrafa
deployment
deprec
Design
Design Patterns
design thinking
Desktop
Desktop RIA
Developer's Notebook
development
DHTML
Diagnose
Dojo
Domain Knowledge
don norman
Drools
drupal
dynamic languages
ease of use
EC2
Echo2
Echo3
Editorial
Entrepreneur
erb
ERP
Estimating
estimation
Ethnographic Research
events
everyblock
Excel
externalinterface
Ext JS
Extreme Programming
eye tracking
Facebook
factory
Feedback Loop
ferret
FileReference
Firebug
Firefox
Firefox Extensions
fixturereplacement
fixture replacement
fixtures
Flare
Flash
flash awards
Flash Platform
flash player
flash player 10
Flash Player optimization
Flash Remoting
Flex
Flex3
flex code generator
flex css
flexmock
Flex optimization
flex skins
flexunit
Flickr
Flock
Flow
Fluent
forms
Frameworks
FriendFeed
front end
front end development
fulltext search
functional
Games
Gauge Component
gem
getting things done
Git
github
gitignore
Golf
Google
Google Analytics
Google Analytics for Flash
Google Analytics for Flex
google android
Google calendar
google docs
Google Gadgets
Google Gears
google maps
GORM
government
g phone
Grails
Graphics
Greasemonkey
Groovy
GStreamer
GTD
Gwittir
GWT
h.264
haml
hardware
Healthcare
heuristic evaluation
Hibernate
hosting
HTML
Hudson
IBM
IDE
Ideation
IE
IE6
IE7
IE8
iGoogle
illustrator cs3
ILog
ILOG JRules
imacros
importing graphics to flex
Information Architecture
infrastructure
Innovation
Instructional Design
Interaction Design
interaction patterns design
Internship
Interview
iPhone
iPhone SDK
iPod
irb
iteration
IT Mill Toolkit
iTunes
jakob nielson
Java
javafx
Javascript
JavaScript frameworks
Javascript Libraries
JBoss Rules
Jess
Jetty
JIT
jmeter
Jobs
jQuery
JSF
JSON
JSP
JSR-94
JsUnit
laptop
Lazlo
Legacy Systems
lightweight
LinkedIn
LINQ
logging
Logical Model and Conceptual Model
Low Pro
Mac
Malware
mapping
Mash Note
Mashups
math
Meebo
metal
metaprogramming
MetaWidget
Methodology
Microformats
microsite
Microsoft
migrations
minimalism
Mobile
mobile platform
mocking
mock objects
modeling
mod_rails
monitoring
Mootools
mouse
mouse scroll
mouse wheel
Mozilla
Music
MVC
MySql
natural key
neal ford
NetNewsWire
networking
news
newspapers
nfjs
NHibernate
nokia
notebook
NSURLProtocol
obj-c
Object-Oriented
Objective-C
Object Relation Mapping (ORM)
ocmock
Office
OmniGraffle
online spreadsheets
OOAD
OOP
opengl
Open Screen
OpenSocial
Open Source
opensource
Opera
Oracle
ORM
osx
OS X
pagination
Pair Programming
palm
papervision3d
Pathfinder Development
Patterns
Peer Creation
Performance
Personas
PGN
PHP
Phusion Passenger
physics
physics engines
planning
plugin
plugins
portableapps
pragmatic
Predictions
preloader
primary key
process Web/Tech
Product Definition
Production Support
productive programer
productivity
product launch
Progressive Enhancement
project concept
project management
Project Website
Prototype
Prototyping
PureMVC
PV3D
pyro
QA
qooxdoo
Radiant CMS
rails
railscasts
Rails Environment Tests
railsrx
Really Simple History
Refactor
refactoring
References
regex
regular expressions
Requirements
Requirements
Alice Toth
Requirements Visualization
resesign
Restlet
RETE
Review
rfp
ria
Rich Interactions
rich internet applicaiton
rich internet applications
ROI
rspec
ruby
rubyamf
Ruby on Rails
Ruby on Rails testing role
S3
SaaS
Safari
San Francisco
Scalability
Scenarios
Scriptaculous
Scrum
SDLC
Search
Secretariat
Security
Selenium
SeleniumIDE
Semantic web
SEO
Server Side
shoulda
Silverlight
simplicity
skins
SOA
soapUI
Social Networking
software develoment
Software Development
Software Engineering
Software Processes
Songbird
SpiderMonkey
Sprajax
Spreadsheets
StageScaleMode
Standards
standish
starting projects
Startups
static typing
Stencils
STI
Story Telling
Structured Design
Struts
sun
surrogate key
Swing
tabs
tag
taglib
Tamarin
Tank Engine
Task Flows
tdd
teams
telephony
Tellurium
test::unit
Test Driven Development
Testing
tether
textmate
The Ajax Experience
throttling
Tilt Component
Tools
touch screen kiosk
TraceMonkey
Training
Trends
Tumblr
Tutorial
Tutorials
Twitter
ubuntu
UI
UIViewController
uml
unit testing
Unit Tests
unity3d
Usability
Usability Testing
user driven agile
User Experience
user experience design
user groups
user interface
User Interface Standards
User Research
UXD
value
Venture Capital
Video
Vision
visual analytics
visual design
visual documentation
Visualization
VLC
VML
Volta
waterfall
watij
watir
web
Web/Tech
Web 2.0
web app
Web Design
Web Development
web forms
web hosting
web infrastructure
Webkit
Weblogs
Web Services
WebSockets
Web Standards
WebTest
Widgets
will_paginate
Windows
windows mobile
WinForms
Wireframes
WordPress
workflow
work life balance
xcode
XML
XML Metadata
xp
XUL
Yahoo Map AS3 API
YUI
Zeigarnik
Zeigarnik Effect
ZendAMF
ZK
Archives
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
Blogroll
Recent
- Elements of Testing Style
- Aesthetics and Web Design
- Asterisk-Java Testing with Groovy
- 3 Misuses of Code Comments
- Fluently NHibernate
- Digging a Hole and Covering it with Leaves — The Software Development Version
- The Importance of User Experience - Do You Understand It in Your Bones?
- Writing Your Own Protocol With NSURLProtocol
- What’s In Your Dock: iPhone edition
- Feature Fatigue
[...] shares information on the topic of Ajax. Some posts you’ll see in Agile Ajax include "App Security: Throw Out the Org Chart!" and "Scriptaculous: Fixing Hover After [...]
Pingback by 20 Excellent Websites for Learning Ajax - Six Revisions, Thursday, December 11, 2008 @ 8:22 pm
[...] shares information on the topic of Ajax. Some posts you’ll see in Agile Ajax include "App Security: Throw Out the Org Chart!" and "Scriptaculous: Fixing Hover After [...]
Pingback by 20 Excellent Websites for Learning Ajax | SulVision, Monday, December 15, 2008 @ 7:01 pm
[...] that shares information on the topic of Ajax. Some posts you’ll see in Agile Ajax include “App Security: Throw Out the Org Chart!” and “Scriptaculous: Fixing Hover After [...]
Pingback by Websites for Learning Ajax | CSS Experiments, Thursday, January 29, 2009 @ 3:17 pm