Domain experts in identity, authentication, attribute management and authorization tend to seek clear distinctions between those facets, while the operational folks who actually deal with them often blur the boundaries. This post shows an example of laying out access control use cases from an operational perspective that I found rather educational.
With the current buzz around mobility and BYOD, there is sometimes a belief that the infrastructure and choices that exist today will have to be completely redone to accommodate new devices. I am not sure about that, but I recently saw a public NASA ICAM (Identity, Credential and Access Management) presentation that outlined a framework for looking at access control from an operational perspective, and it struck me as relevant.
I've kept the concept, but changed some of the details for the sake of clarity:
The key to the visualization above is that nobody does credentialing and authentication for their own sake; they are a means to an end, namely managing access to a system or resource. From an operational perspective, it lets you spell out an end-to-end access request in natural language: "A person who is anonymous, using an organization-managed PC, on the organization's network, wants to access administrator-level functions during normal business hours." Each clause of that sentence names one facet: the subject, the device, the network, the function requested and the time.
You can then lay out the use case variations in a tabular format:
| Use Case | Applicability | Priority | Criteria A |
|---|---|---|---|
It immediately gives you a way to articulate possibilities that may or may not apply to you: what if it were a smartphone instead of the PC? What if the connection comes from the Internet? It also shows which aspects change and which stay the same from one variation to the next.
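To make the framework concrete, here is an added example (my own illustration, not code from the post or from the NASA presentation it cites) that treats each clause of the natural-language sentence as a facet, enumerates every combination of facet values, renders each one as a sentence, and runs it through a small priority-ordered decision table. The facet values, rule names and decisions are illustrative assumptions, not anyone's actual policy; the point is to see the variation space and which facets differ between two use cases.

```python
"""Lay out access-control use cases from operational facets and run each
one through a decision table.  Added example: not code from the post or
from the NASA ICAM presentation it cites.  The facet values, the rule
names and the decisions below are illustrative assumptions."""
from dataclasses import dataclass, fields
from itertools import product
from typing import Callable

# Assumed values for each facet, in the order they read in the sentence.
FACETS = {
    "subject": ("anonymous", "authenticated employee"),
    "device": ("an organization-managed PC", "a personal smartphone"),
    "network": ("the organization's network", "the Internet"),
    "function": ("user-level functions", "administrator-level functions"),
    "time": ("normal business hours", "outside normal business hours"),
}


@dataclass(frozen=True)
class UseCase:
    subject: str
    device: str
    network: str
    function: str
    time: str

    def describe(self) -> str:
        """Render the use case as the single natural-language sentence the
        operational description uses."""
        return (f"A person who is {self.subject}, using {self.device}, "
                f"on {self.network}, wants to access {self.function} "
                f"during {self.time}")

    def changed_facets(self, other: "UseCase") -> set[str]:
        """Facets that differ between two use cases; the complement is
        what stays the same."""
        return {f.name for f in fields(self)
                if getattr(self, f.name) != getattr(other, f.name)}


def enumerate_use_cases() -> list[UseCase]:
    """Every combination of facet values, i.e. the full variation space."""
    return [UseCase(*combo) for combo in product(*FACETS.values())]


# Hypothetical decision table: (rule name, predicate, decision), highest
# priority first.  The first matching rule decides.
Rule = tuple[str, Callable[[UseCase], bool], str]
RULES: list[Rule] = [
    ("admin-requires-authentication",
     lambda u: u.function == "administrator-level functions"
     and u.subject == "anonymous", "deny"),
    ("admin-outside-hours",
     lambda u: u.function == "administrator-level functions"
     and u.time == "outside normal business hours", "deny"),
    ("admin-off-managed-pc-or-network",
     lambda u: u.function == "administrator-level functions"
     and (u.device != "an organization-managed PC"
          or u.network != "the organization's network"), "step-up"),
    ("anonymous-from-internet",
     lambda u: u.subject == "anonymous" and u.network == "the Internet",
     "deny"),
    ("default", lambda u: True, "allow"),
]


def decide(use_case: UseCase) -> tuple[str, str]:
    """Return (decision, rule name) for the first rule that applies."""
    for name, applies, decision in RULES:
        if applies(use_case):
            return decision, name
    raise RuntimeError("unreachable: the default rule always applies")


def build_table() -> list[dict[str, str]]:
    """The tabular layout: one row per use case with its decision and the
    rule (priority) that produced it."""
    rows = []
    for uc in enumerate_use_cases():
        decision, rule = decide(uc)
        rows.append({"use_case": uc.describe(), "decision": decision,
                     "rule": rule})
    return rows


if __name__ == "__main__":
    for row in build_table():
        print(f"{row['decision']:8} {row['rule']:34} {row['use_case']}")
```

Five binary facets give 32 use cases; in practice you would prune the table to the rows that apply to you and record the priority column as the rule order. Comparing two rows with `changed_facets` is the programmatic version of "what if it were a smartphone instead of the PC?": it names exactly the facets that moved and, by omission, the ones that did not.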
Do you have any pointers to frameworks like these that help to clarify choices people need to make regarding access controls?
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.