Saturday, March 7, 2009

role based access

In an ideal world, access to our critical assets would be decided by roles: by the function each individual performs in their business application. There would be a defined list of job classifications, buckets that employees could be dropped into, and these buckets would define security access to the network resources. This theoretical model works great on paper, but when applied to real, functioning business applications there are too many offshoots from those role definitions, too many crossover roles between the job buckets, and too much continuous change and shift for a theoretical model such as this to apply and be truly secure.
Does that imply that a model such as this has no place in security? By no means. Strong theory will always lead to a better security design, and the narrower the definition of security access is for each individual, the better the security will be for the entire organization. While you may need to shape and design your security model with flexibility to the needs of the business, the original design needs to be based on sound theory.
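To make the two paragraphs above concrete, here is an added example (not part of the original post) that models roles as buckets of permissions and then audits for the drift the post describes: users straddling several buckets, and grants made outside any role. The role names, users and permission strings are constructed sample data.

```python
# Added example (not from the original post): a small role-based access model
# plus an audit that surfaces the two drifts the post describes, users who
# straddle several role "buckets" and grants made outside any role.
# All roles, users and permissions are constructed sample data.
from dataclasses import dataclass, field

# Each job classification is a bucket of permissions.
ROLES = {
    "accounts_payable": {"invoice.read", "invoice.pay"},
    "accounts_receivable": {"invoice.read", "invoice.issue"},
    "auditor": {"invoice.read", "ledger.read"},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    exceptions: set = field(default_factory=set)  # direct grants outside roles

def effective_permissions(user: User) -> set:
    """Union of every role the user holds plus any direct exceptions."""
    perms = set(user.exceptions)
    for role in user.roles:
        perms |= ROLES[role]
    return perms

def audit(users: list) -> dict:
    """Return {user: [issue, ...]} for users who deviate from the pure model.
    'crossover': several roles combine into access wider than any single
    bucket (here pay + issue, a segregation-of-duties concern);
    'exception': a permission granted directly rather than via a role."""
    findings = {}
    for u in users:
        issues = []
        if len(u.roles) > 1:
            combined = set().union(*(ROLES[r] for r in u.roles))
            if len(combined) > max(len(ROLES[r]) for r in u.roles):
                issues.append("crossover")
        if u.exceptions:
            issues.append("exception")
        if issues:
            findings[u.name] = issues
    return findings

SAMPLE_USERS = [
    User("alice", {"accounts_payable"}),
    User("bob", {"accounts_payable", "accounts_receivable"}),
    User("carol", {"auditor"}, exceptions={"invoice.pay"}),
]
```

Running `audit(SAMPLE_USERS)` flags bob for crossover and carol for an exception, while alice, who fits a single bucket, produces no finding; each finding is a candidate for either a narrower role definition or a documented business exception.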
