Is there anything "better" than Access Control Lists (ACLs)? - security

I've spent some time casually mulling over ACLs in my head. I can see the real benefit of ACLs and their flexibility. But I have some serious concerns when it comes to implementing ACLs for a project that could have hundreds of thousands of users , if not millions. All connected someway to hundreds of thousands of resources (such as images, messages, BLOBs).
It seems to me that the overhead in processing and managing the rules applied to millions of resources for hundreds of thousands of users would be obscene.
But then I haven't seen any alternatives. Are there any beyond username, password, user-level?

I would not be too scared of any performance impact of ACL.
If it turns out to be slow, profile it and optimise it.
There's nothing in it that is inherently so slow as to make it unsuitable for large projects.

Most companies end up being crushed under the weight of their RBAC and or ACL implementation. Whether they realize it or not. The future is attribute based access control. Simplifies things by going from "Johnny can access X because he is in the admin role." to "Johnny can access X because it is between 8-5 and he has clearance X as well as part of business unit Y."
Google XACML and watch this amusing presentation on Roles http://vimeo.com/2723800 . Zed nails it.

Have a google for "Role Based Access Control" and "Domain-Based Network Management".

Managing ACLs (or any equivalent) can be a bear if you don't plan ahead. The one thing that makes the biggest difference is to grant access to groups, not individuals, avoiding redundancy. This is particularly relevant when a group contains other groups.

Related

Is CouchDB per-user database approach feasible for users with lots of shared data?

I want to implement a webapp - a feed that integrates data from various sources and displays them to users. A user should only be able to see the feed items that he has permissions to read (e.g. because they belong to a project that he is a member of). However, a feed item might (and will) be visible by many users.
I'd really like to use CouchDB (mainly because of the cool _changes feed and map/reduce views). I was thinking about implementing the app as a pure couchapp, but I'm having trouble with the permissions model. AFAIK, there are no per-document permissions in CouchDB and this is commonly implemented using per-user databases and replication.
But when there is a lot of overlap between what various users see, that would introduce a LOT of overhead...stuff would be replicated all over the place and duplicated in many databases. I like the elegance of this approach, but the massive overhead just feels like a dealbreaker... (Let's say I have 50 users and they all see the same data...).
Any ideas how on that, please? Alternative solution?
You can enforce read permissions as described in CouchDB Authorization on a Per-Database Basis.
For write permissions you can use validation functions as described on CouchDB
The Definitive Guide - Security.
You can create a database for each project and enforce the permissions there, then all the data is shared efficiently between the users. If a user shares a feed himself and needs permissions on that as well you can make the user into a "project" so the same logic applies everywhere.
Using this design you can authorize a user or a group of users (roles) for each project.
Other than (as victorsavu3 has suggested already) handling your read auth in a proxy between your app and couch, there are only two other alternatives that I can think of.
First is to just not care, disk is cheap and having multiple copies of the data may seem like a lot of unnecessary duplication, but it massively simplifies your architecture and you get some automatic benefits like easy scaling up to handle load (by just moving some of your users' DBs off to other servers).
Second is to have the shared data split into a different DB. This will occasionally limit things you can do in views (eg. no "Linked Documents") but this is not a big deal in many situations.

When should I use ACL in my application

I am pretty much confused as to when I should implement an ACL (access control list) system in my application though I can easily manage permissions on groups simply by fetching the session group id and restricting the access using the Auth component.
How is an ACL solution better then the approach I discussed above (restricting the group access based on group id) ?
How does implementing an ACL solution simplify things when it comes to managing access rights in your application ?
Till now I have learned that through ACL, permissions can be granted and revoked at runtime, but this functionality is also achievable without using an ACL.
I am very much confused about this, please help me understand the concept, when to use ACL and the benefits of using ACL in your web application.
I prefer to code with cakePHP v1.3 so it would be great if the explanation is given in context of cakephp but any help (language/technology independent) related to my question is greatly appreciated.
You must use ACLs (or an equivalent user permission mechanism such as literal database User and Permission tables) rather than groups if you need to control access to individual entities which vary dynamically. File systems attach ACL's to individual files since you don't want to create a separate group for each file. Database managers attach ACL's to databases, tables, views, stored procedures and whatnot for the same reason. Web servers deal with web applications in the same manner.
In a business application dealing with business entities, you may want to partition access to entities such as e.g. different sales orders, customers, products or divisions within your company, where not everybody is allowed to create/update or even read the same entities. For instance, when sales staff are in direct competition for bonuses, they don't want everybody else to see all the information on their CRM-stored prospects.
Usually, though, you want to keep your access mechanisms as coarse-grained as is humanly possible: groups are usually good enough. Fine-grained access control mechanisms have a tendency to grow complex, expensive, inaccurate and hard to use correctly. They may even decrease security, since administrative frustration encourages people to find clever workarounds...
I think that ACL technic for securising user access to ressources is usefull only for a typical or medium - sized application . for big applications like CRM or financial data warehouses , ACLs will fail to manage a very complex set of user / ressource couples , when the data increase in size , in type and in volume , the ACLs tables made for that purpose will increase too , which it make for me no sense to overload the database server with ACL Tables. There are many others technics used to install security access and permissions and privileges ... The use of ACL files instead does not sound bad but it is not a good idea as files may corrupt from time to time so data failure is over the risk to not have access to a file containing ACL rules or to access a non existing file or a lost one ... The only way to play with permission is to use the business tables used in the context or in the purpose of your application with relationships between your tables and some logic to add to your Service Side Scripts if you are under MVC Architecture or any else ... So Avoid using ACL for very big sized applications.

Backdoor Strategy- opinion needed

I'm creating an application to track publications and grants for a university. Professors will need to put they CV into the system when it is up and running. Yeah, right.
The person in charge is planning on hiring someone to input all of the information, but my questions is how?
The strategy I'm thinking of is to install a backdoor. The lucky undergrad can log in as any professor using the backdoor. Once all the data is removed, the backdoor can be removed.
Doing so would probably be as simple as editing out a comment in the config file. The IT guys would still have access, but since they control the machines, they would have access anyway. Are there any flaws to this strategy?
Instead of installing a backdoor, why not create a priviledged user role. Users with this role can view and modify data for any other users (or a select group of users if you want to be fancy - and more secure - with it). So, the undergrad could use an account with this role to input the necessary data. When he is done, an admin can remove the role from his account, effectively closing the "back door".
You risk the undergrad dealing some other damage. What you should do is have them create a new user, give that user a small partition, and have the user enter the data on to that. Then just copy it over when he's done. Bad idea to give a student actual access, and even worse to have him log on as the guy - he should have his own user.
Don't underestimate the ongoing need for staff, students, or temps to enter and maintain the data. As simple as upkeep may be after the initial loading (typing) period, some professors simply will not do it, and will delegate it to staff.
In an eerily similar application (ours tracks publications and grants, among other things, as part of a career review for raises and promotions) our decision was to use a "proxy" system, where certain users can "switch to" other users. It's not really a switch because we store who was doing the input/editing along with who the data applies to.
Contrary to what Justin Ethier said about privileged roles, these people are the least privileged in the system, allowed only to switch to another account and do data entry.

SharePoint Governance

I have been search about SharePoint Governance for past few days, the more I search, more confused I am getting about this Topic.
Could anyone just explain in brief? What you know about it or are you using/implementing it?
This is one of those topics that tend to mean something a bit different when you get to the details for different companies, but basically here's my experience with it.
When you talk about governance its about who is responsible for different elements of it, from defining and managing the taxonomy, to the content for different areas. What the process of publication is, for modification is. Who administers different sections, how documents are to be handled/managed/archived/retained, what the auditing policy is. How escalations will be managed, who needs to be notified, who the stakeholders are, etc.
Basically in other words it's about looking at SharePoint as being not just a content storage system but needing to be a coherent enterprise tool with all of the key stakeholders sitting up and taking notice, and recognizing that some things need clear process to avoid either redoing everything in 18 months or being unable to find things.
Some of the most important things that I find ends up getting discussed is security (internal vs. external access, employees vs. contractors vs. external people, logging of who accessed files, etc.), roll back & geographic distribution (for performance), and revocation of rights (when someone is fired, how is their access revocation managed quickly and effectively).
Sorry this is a bit of a shotgun answer, but that's the type of stuff you're looking at. There are actually consultants who have specialized in these areas. It's usually (from what I experience) about 20% technical, 40% change management and 40% process / business.
I hope that helps.

Detecting login credentials abuse

I am the webmaster for a small, growing industrial association. Soon, I will have to implement a restricted, members-only section for the website.
The problem is that our organization membership both includes big companies as well as amateur “clubs” (it's a relatively new industry…).
It is clear that those clubs will share the login ID they will use to log onto our website. The problem is to detect whether one of their members will share the login credentials with people who would not normally supposed to be accessing the website (there is no objection for such a club to have all it’s members get on the website).
I have thought about logging along with each sign-on the IP address as well as the OS and the browser used; if the OS/Browser stays constant and there are no more than, say, 10 different IP addresses, the account is clearly used by very few different computers.
But if there are 50 OS/Browser combination and 150 different IPs, the credentials have obviously been disseminated far, and there would be then cause for action, such as modifying the password.
Of course, it is extremely annoying when your password is being unilaterally changed. So, for this problem, I thought about allowing the “clubs” to manage their own list of sub-accounts, and therefore if abuse is suspected, the user responsible would be easily pinned-down, and this “sub-member” alone would face the annoyance of a password change.
Question:
What potential problems would anyone see with such an approach?
Any particular reason why you can't force each club member to register (just straight-up, not necessarily as a sub or a similar complex structure)? Perhaps give each club some sort of code to use just when the users register so you can automatically create their accounts and affiliate them with a club, but you then have direct accounting of each member without an onerous process that the club has to manage themselves. Then it's much easier to determine if a given account is being spread around (disparate IP accesses in given periods of time).
Clearly then you can also set a limit on the number of affiliated accounts per club, should you want to do so. This is basically what you've suggested, I suppose, but I would try to keep any onerous management tasks out of the hands of your users if at all possible. If you can manage club-affiliated signups, you should, rather than forcing someone at the club to manage them for you.
Also, while some sort of heuristic based on IP and credentials is probably fine, I would stay away from incorporating user-agent, or at least caring too much about it. Seeing a few different UAs from the same IP - depending on your expected userbase, I suppose - isn't really that unusual. I use several browsers in the course of my day due to website bugs, etc. and unless someone is using a machine as a proxy, it's not evidence of anything nefarious.

Resources