Jamie Lewis, CEO of the Burton Group, gave a very detailed talk on identity infrastructures. I wish I had access to an online copy of the slides because they've got a lot of information in them. One of the things he talked about was provisioning and the security issues surrounding it. Simplified, the issue comes down to, at least for employee provisioning, making sure that authorizations are tied to roles rather than to individuals, so that as employees move from job to job within the organization or leave the organization, the access rights they had before terminate when their role does. Think of all the information that people still have access to, weeks, months, and years after they leave their job because no one turned off access. It's one thing to have a policy. It's another thing to have an architecture that supports the policy and makes it possible. The Utah Master Directory gets us one step closer to being able to support access control through architecture, but there is much left to do.
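To make the provisioning point concrete, here is a small worked example (added for this post; it is not from Jamie's talk and not code from the Utah Master Directory). It puts the two models side by side: rights granted directly to a person, which nothing removes when the job changes, and rights derived from the person's current roles, which disappear the moment the role does. The role names, permission strings and user are made up for the illustration; the `orphaned_rights` check is the kind of reconciliation an access review would run against a directory that is the authoritative source of roles.

```python
"""Role-based provisioning versus direct grants (constructed example)."""

# Constructed role -> permission catalogue. Assumption: the organization
# maintains something like this as the authoritative definition of each role.
ROLE_PERMISSIONS = {
    "employee":      {"email:use", "intranet:read"},
    "payroll-clerk": {"hr:read", "payroll:read", "payroll:write"},
    "web-editor":    {"cms:read", "cms:write"},
}


class DirectGrants:
    """Anti-pattern: permissions are attached to the person.

    Each new job adds rights; nothing takes the old ones away, so a
    transfer accumulates access and a departure leaves it all in place.
    """

    def __init__(self):
        self.grants = {}

    def assign_job(self, user, role):
        perms = self.grants.setdefault(user, set())
        perms |= ROLE_PERMISSIONS["employee"] | ROLE_PERMISSIONS[role]

    def effective(self, user):
        return set(self.grants.get(user, set()))


class RoleBased:
    """Permissions are a pure function of the user's *current* role set.

    No per-user grant is ever stored, so there is nothing to forget to
    revoke: change the roles and the effective rights change with them.
    """

    def __init__(self):
        self.roles = {}

    def assign_job(self, user, role):
        # A job change replaces the job role; the baseline role stays.
        self.roles[user] = {"employee", role}

    def terminate(self, user):
        # Leaving the organization removes every role at once.
        self.roles.pop(user, None)

    def effective(self, user):
        perms = set()
        for role in self.roles.get(user, ()):
            perms |= ROLE_PERMISSIONS[role]
        return perms


def orphaned_rights(direct, rbac, user):
    """Rights the direct-grant store still hands out that the user's
    current roles do not justify. This is the access-review check: the
    role source is authoritative, the grant store is what needs fixing."""
    return direct.effective(user) - rbac.effective(user)


def scenario():
    """alice is hired as a payroll clerk, moves to the web team, then leaves."""
    direct, rbac = DirectGrants(), RoleBased()
    for store in (direct, rbac):
        store.assign_job("alice", "payroll-clerk")
        store.assign_job("alice", "web-editor")   # job change
    leftover = orphaned_rights(direct, rbac, "alice")
    rbac.terminate("alice")
    return leftover, rbac.effective("alice")


if __name__ == "__main__":
    leftover, after_departure = scenario()
    print("payroll rights still granted after the transfer:", sorted(leftover))
    print("role-derived rights after departure:", sorted(after_departure))
```

Run stand-alone it shows that, after the transfer, the direct-grant store still hands alice every payroll permission, while the role-derived view contains only the web editor's rights and becomes empty on departure. The same difference function is what you would run periodically against a real grant store to find access that a role change should have removed.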
On a related note, Jamie pointed me to a speech on identity by Dan Geer, CTO of @stake, in which Geer says:
Tacking authorizations onto the assertion of identity is nevertheless a commonplace necessity, but there is an odd "gotcha" there, viz., the irreducible vulnerability of any system to Denial of Service (DOS) attacks is proportional to the amount of labor that system must expend before it can make its authorization decision. Ever more fine grained authorization decisions tend to be more complex, and the denier of service can call upon you to do them over and over. In that sense, authentication decisions, being as they are permanently simpler than authorization decisions, have a durable design advantage.
This leads to the issue of scaling where Geer says:
If the access control matrix eventually scales out of reach, what then? I submit that where the geometric scaling of access control will kill it in the end, accountability stands ready. This is not to say that I like pervasive, universal accountability, per se, but the only reason a free society works is that you can pretty much do anything though if you screw up badly we will find you and make you pay. Accountability is like that, i.e., it is a log processing problem.
Geer's entire talk is worth reading. It asks how much time and effort we want to spend authorizing behavior up front (say, of citizens on the utah.gov website) versus how much effort we should put into policing that behavior after the fact and removing rights when it doesn't meet acceptable standards. Our society does not try to authenticate people and then authorize them to perform specific behaviors by default; the overhead would be too high. How does that inform our web site policies?
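Geer's phrase "a log processing problem" is easy to nod at and hard to picture, so here is a worked example of the accountability side (added here; it is not from Geer's speech or from any utah.gov system). Authorization stays cheap and coarse, a role check that costs the same no matter how the requester behaves, which is Geer's DOS point; the fine-grained judgement moves into a batch pass over the access log that looks for behaviour outside acceptable standards and names the principals whose rights should be pulled. The log lines, the field layout and the "more than three distinct records in ten minutes" standard are all constructed for the illustration.

```python
"""Accountability as log processing (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines: timestamp, then key=value fields. carol pulls
# five records in four minutes, dave pulls two, erin pulls four spread over
# ninety minutes. None of this is real traffic.
CONSTRUCTED_LOG = [
    "2003-07-10T10:01:02Z user=carol action=download resource=/records/1001 status=200",
    "2003-07-10T10:02:11Z user=carol action=download resource=/records/1002 status=200",
    "2003-07-10T10:02:40Z user=dave action=download resource=/records/2001 status=200",
    "2003-07-10T10:03:05Z user=carol action=download resource=/records/1003 status=200",
    "2003-07-10T10:03:59Z user=carol action=view resource=/records/1004 status=200",
    "2003-07-10T10:04:30Z user=carol action=download resource=/records/1004 status=200",
    "2003-07-10T10:05:00Z user=carol action=download resource=/records/9999 status=403",
    "2003-07-10T10:05:10Z user=carol action=download resource=/records/1005 status=200",
    "2003-07-10T10:00:00Z user=erin action=download resource=/records/3001 status=200",
    "2003-07-10T10:30:00Z user=erin action=download resource=/records/3002 status=200",
    "2003-07-10T11:00:00Z user=erin action=download resource=/records/3003 status=200",
    "2003-07-10T11:30:00Z user=erin action=download resource=/records/3004 status=200",
    "2003-07-10T11:31:00Z user=dave action=download resource=/records/2002 status=200",
]


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def flag_bulk_downloads(lines, max_records=3, window=timedelta(minutes=10)):
    """Return {user: peak_distinct_records} for every principal who
    successfully downloaded more than `max_records` distinct records
    inside any `window`-long span. Authorization already said yes to each
    request; this pass asks whether the pattern is acceptable."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") == "download" and rec.get("status") == "200":
            events[rec["user"]].append((rec["ts"], rec["resource"]))

    flagged = {}
    for user, evs in events.items():
        evs.sort()                      # logs are not guaranteed ordered
        start, peak = 0, 0
        for end in range(len(evs)):
            # Slide the window forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {res for _, res in evs[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak > max_records:
            flagged[user] = peak
    return flagged


def revocations(flagged):
    """Turn findings into the action the accountability model calls for:
    a list of principals whose download right should be removed pending review."""
    return sorted(flagged)


if __name__ == "__main__":
    findings = flag_bulk_downloads(CONSTRUCTED_LOG)
    print("flagged:", findings)
    print("revoke download right for:", revocations(findings))
```

Nothing in the request path got more expensive: the denied 403 for carol costs the same cheap check as every other request. What changed is that the judgement about her behaviour runs offline, over the log, and produces a revocation list rather than a more elaborate up-front access control matrix.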