Too groggy to work!

January 12, 2006

Like I needed an excuse. Boss, I won’t be in today, I have a sleep induced hangover.

As of this writing Rocky, Ken and Daniel have all replied to my original post on the shortcomings of network security, in particular the delegated authority features of directory services packages like Active Directory and eDirectory.

Daniel seemed to take the post in the spirit in which it was intended and started suggesting some fine tuning that could be done to the Active Directory management tools which could improve things. Unfortunately there is no point adding salt to a broth of rotten vegetables and smelly socks.

Here is my question for you Daniel – if you were playing the role of an interaction designer how would you enable users to manage security using tools that they are already familiar with? Hint – it won’t involve a tree view or an explorer style interface, but more about that later.

Both Rocky and Ken came back with fantastic responses listing all the reasons why the system exists in its current state:

  • Managing authentication and authorisation is complex.
  • Users could open holes up in the network security.
  • The tools require training to use properly.
  • An infinite number of settings and configurations.
  • Lack of tools to manage delegation.

Bzzzt. Wrong answer guys. Here I am, a user, and I’ve presented you with a problem, and rather than envisioning a solution you’ve given me all the reasons under the sun that I’ve got no right to question the current state of affairs.

What I want you guys to provide me with is something like the following:

  • Managing authentication and authorisation as easy as e-mail.
  • The system defends itself from holes being created in the network.
  • The tools have an inductive user interface.

Actually, as I write this I already have a good example of an application that effectively delegates the responsibility of access control to the users, that is not complex and, as far as I am aware, has not opened up holes in our network. Furthermore it has an inductive user interface which has allowed non-technical staff members to effectively grant and deny access to resources.

What is the name of that product? When a Windows SharePoint Services site is created the person who created it is made the administrator of that site and is responsible for granting or denying access to that site. If someone tries to access the site they are given the opportunity to provide alternative credentials and if they fail three times they are presented with a screen that they can use to request access to the site, or some particular function of the site (if they already have limited access).

When they click send an e-mail is sent to the site owner who can then grant the level of access requested. I have been using this feature for quite some time and although it's not perfect, it's a darn sight better than having to put in an infrastructure request (which we also manage on SharePoint) to have someone adjust an ACL.

So my question is – if it's good enough for a WSS site that stores all manner of corporate data, why is it not good enough for file system access, printer access and *gasp* logging into the network in the first place?

How can we take this simple but effective approach to delegation and expand it to work across the entire Windows platform, and indeed across all platforms?
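One way to make a file share behave the way the WSS site does is to hand the share's business owner the right to manage its permissions, so that access requests go to the owner rather than into the infrastructure queue. The script below is an added example, not code from the original post; the folder path and group names are assumptions.

```powershell
# Added example, not part of the original post. Delegates management of one
# share's permissions to a business-owner group, so that the people who own
# the data can grant and revoke access themselves. Folder path and group
# names are assumptions; substitute your own.

function Grant-ShareOwnerDelegation {
    param(
        [Parameter(Mandatory=$true)] [string] $ShareRoot,   # folder backing the share
        [Parameter(Mandatory=$true)] [string] $OwnerGroup   # DOMAIN\Group of business owners
    )

    $acl = Get-Acl -Path $ShareRoot

    # ReadAndExecute lets the owners see what they are responsible for;
    # ChangePermissions (WRITE_DAC) lets them edit the DACL. Deliberately no
    # FullControl and no TakeOwnership: the owners manage access to the tree,
    # they do not own it.
    $rights  = [System.Security.AccessControl.FileSystemRights] 'ReadAndExecute, ChangePermissions'
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $type    = [System.Security.AccessControl.AccessControlType]::Allow

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $OwnerGroup, $rights, $inherit, $prop, $type

    $acl.AddAccessRule($rule)
    Set-Acl -Path $ShareRoot -AclObject $acl
}

function Get-ShareDelegates {
    # Lists every principal that can change permissions under the share,
    # whether by explicit delegation or because it holds FullControl.
    param([Parameter(Mandatory=$true)] [string] $ShareRoot)

    $changePerms = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
    (Get-Acl -Path $ShareRoot).Access |
        Where-Object { ($_.FileSystemRights -band $changePerms) -eq $changePerms } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Assumed share and owner group.
Grant-ShareOwnerDelegation -ShareRoot 'D:\Shares\Finance' -OwnerGroup 'CONTOSO\Finance-DataOwners'
Get-ShareDelegates -ShareRoot 'D:\Shares\Finance'
```

The caveat a practitioner will want: once the owner group holds ChangePermissions it can grant anyone anything under that subtree, including removing the administrators' own entry. Administrators keep the take-ownership privilege, so a mistake is recoverable, but this is exactly the "users could open holes" trade-off the post argues is worth making when the scope is one the business owner understands. Running Get-ShareDelegates periodically shows who actually holds WRITE_DAC on the tree, which is the check the central team should keep even after it stops handling every request.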

Network Security Sucks

January 12, 2006

In the early part of my IT career I spent a lot of time behind the administrative console tweaking security settings and really locking down the network. People would come to me with access requests which I would either allow or deny based on my interpretation of the security policy of the organisation that I was working for.

The truth of the matter is that I had a lot of power, perhaps more than was appropriate because I didn’t really understand the business or its needs and seldom had any empathy for the users that I was dealing with. I was a PFY fast turning into a BOFH.

Today I don’t spend nearly as much time behind the administrative console and I have to deal with BOFHs just like every other luser. My new position in the world has given me a greater appreciation for what it is like waiting for an access request and getting the fifth degree from someone other than the business owner as to why I need this level of access.

More often than not a request for increased network rights will result in a negative response and I will be forced to try and compress years of experience into a document for a technician to execute on my behalf. For other users the issue might be as simple as getting the rights to get access to a particular share on the network or the ability to provision WSS sites from SharePoint Portal Server.

It is now my opinion that the general practice of centrally managing access sucks. Essentially the problem is the lack of support for federation and delegation in the tools like Microsoft’s Active Directory and Novell’s eDirectory products.

Now before all you security gurus pipe up and tell me I am wrong, think about all the organisations out there using a directory services product, and then think about the extent to which those organisations delegate authority to manipulate parts of the directory. You could probably count them on one hand.

Even if there was the desire to support delegated authority in your organisation's directory service how many users in your organisation could use the Active Directory tools effectively? I would guess that most would give up without getting anywhere, some would succeed, and scarily, some would cause some kind of irreversible damage to the directory.
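The directory does support this kind of delegation at the ACE level; what it lacks is a front end a business owner could use. As an added example that is not from the original post, this is what delegating one narrow task on one OU looks like from the command line with dsacls.exe (the OU, domain and group names are assumptions):

```powershell
# Added example, not part of the original post. Delegates one narrow task,
# password resets for the users in a single OU, to a business-unit helpdesk
# group using dsacls.exe, then dumps the resulting ACL entries so the
# delegation can be reviewed. OU, domain and group names are assumptions.

$ou    = 'OU=Sales,DC=contoso,DC=com'   # assumed OU
$group = 'CONTOSO\Sales-Helpdesk'       # assumed delegate group

# /I:S applies the entry to child objects only (the users), not to the OU itself.
# CA;Reset Password;user grants the "Reset Password" control access right
# on user objects and nothing else.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# Letting the helpdesk tick "user must change password at next logon" needs
# read and write on the pwdLastSet attribute of user objects.
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# Review: print the OU's ACL and keep only the lines that name the delegate group.
dsacls $ou | Select-String -SimpleMatch $group
```

Two rights, scoped to one object class under one OU, is the whole delegation; nothing here lets the helpdesk touch group membership, create objects or edit the OU itself. The point stands, though: a business owner is not going to type control access right names into dsacls, so without a usable tool in front of it the capability might as well not exist.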

Basically – the user experience is so bad for the end user that the feature may as well not even exist. So what is the solution? That's a subject for another post!