
Algorithmic Authorizations

Yesterday I was reading Seeing What’s Next: Using Theories of Innovation to Predict Industry Change by Clayton M. Christensen, Erik A. Roth and Scott D. Anthony and came across a story about how credit scoring changed the loan industry:

In 1956, Fair, Isaac created a standard predictive risk-assessment tool. It dramatically simplified the process of judging creditworthiness with a statistical methodology that plugged variables from an applicant's credit history into an algorithmic formula that produced a score. Credit scoring's robust, scientifically based, quick assessment enabled a broader population of less-skilled people to make lending decisions.

It occurred to me that this was, essentially, an algorithmic authorization to access a certain amount of credit. In most authorization regimes, we conceive of a two-dimensional look-up table that says whether a particular identity or role (one dimension) is allowed access to a particular resource (the second dimension). Building such a table to completely specify authorizations for all the roles in a company, say, and all of its resources is difficult, and once the table is built it quickly goes out of date: every new resource or role is denied (or, worse, granted by some catch-all) until someone edits the table.

Being able to compute authorizations from the attributes associated with an identity would make this problem more tractable. Can anyone think of other examples besides credit scoring where authorization to access a resource is computed instead of being looked up in a table?
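To make the contrast concrete, here is an added example (my illustration, not code from the post) of the two regimes side by side: a hand-maintained role-by-resource table that fails closed on anything it does not list, and a score computed from identity attributes in the manner of a credit score, compared against a threshold that depends on the resource's sensitivity. It goes one step beyond the post by also measuring what a threshold buys: across a set of reviewed decisions, raising the threshold cuts false grants at the price of more false denials. The attributes, weights, thresholds, identities and reviewer verdicts are all constructed for the example and do not describe any real system.

```python
"""Lookup-table authorization beside attribute-computed authorization.

Added illustration: the scoring weights, thresholds, identities and
reviewer verdicts below are constructed for the example, not taken from
any real policy or product.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

# 1. The two-dimensional (role x resource) table.  Every cell is maintained by
#    hand and any pair not listed is denied, so a resource created after the
#    table was written is unreachable until someone edits the table.
ACL = {
    ("engineer", "source-repo"): True,
    ("engineer", "payroll-db"): False,
    ("finance", "payroll-db"): True,
    ("finance", "source-repo"): False,
}


def table_authorize(role: str, resource: str) -> bool:
    """Classic lookup: fail closed on any (role, resource) pair not in the table."""
    return ACL.get((role, resource), False)


# 2. Computing the decision from attributes attached to the identity.
@dataclass(frozen=True)
class Identity:
    name: str
    department: str
    tenure_years: float
    training_current: bool   # completed the periodic security training
    device_managed: bool      # request arrives from a managed, patched device
    recent_incidents: int     # policy violations in the audit log, last 12 months


@dataclass(frozen=True)
class Resource:
    name: str
    owner_department: str
    sensitivity: int          # 1 (public) .. 5 (restricted); hypothetical scale


# Minimum score required per sensitivity level (hypothetical policy).
THRESHOLDS = {1: 20, 2: 40, 3: 60, 4: 75, 5: 90}


def access_score(who: Identity, what: Resource) -> int:
    """Score in 0..100, analogous to a credit score: the higher, the more the
    attributes support granting access.  The weights are invented for the example."""
    score = 0
    if who.department == what.owner_department:
        score += 45
    score += int(round(min(who.tenure_years, 5.0) * 4))  # up to 20 points
    if who.training_current:
        score += 15
    if who.device_managed:
        score += 20
    score -= 10 * who.recent_incidents
    return max(0, min(100, score))


def computed_authorize(who: Identity, what: Resource) -> Tuple[bool, int]:
    """Decision plus the score that produced it, so every decision can be audited."""
    score = access_score(who, what)
    return score >= THRESHOLDS[what.sensitivity], score


# 3. What a threshold encodes: across reviewed decisions, count false grants
#    (access a reviewer would have refused) and false denials.  Lowering the
#    threshold trades the second for the first; raising it does the reverse.
def error_counts(reviewed: Iterable[Tuple[Identity, bool]],
                 resource: Resource, threshold: int) -> Tuple[int, int]:
    """reviewed: (Identity, appropriate) pairs.  Returns (false_grants, false_denials)."""
    false_grants = false_denials = 0
    for who, appropriate in reviewed:
        granted = access_score(who, resource) >= threshold
        if granted and not appropriate:
            false_grants += 1
        elif appropriate and not granted:
            false_denials += 1
    return false_grants, false_denials


# Constructed sample data.
SOURCE_REPO = Resource("source-repo", "engineering", 3)
PAYROLL_DB = Resource("payroll-db", "finance", 5)
DESIGN_WIKI = Resource("design-wiki", "engineering", 2)   # newer than the ACL table

ALICE = Identity("alice", "engineering", 6.0, True, True, 0)
BOB = Identity("bob", "finance", 0.5, False, False, 1)
CAROL = Identity("carol", "finance", 3.0, True, True, 0)
DAVE = Identity("dave", "finance", 10.0, True, False, 0)
EVE = Identity("eve", "engineering", 8.0, True, True, 0)
MALLORY = Identity("mallory", "finance", 1.0, True, True, 2)

# Constructed reviewer verdicts for payroll-db, used only to measure thresholds.
PAYROLL_REVIEWED = [
    (ALICE, False), (EVE, False), (MALLORY, False),
    (BOB, True), (DAVE, True), (CAROL, True),
]

if __name__ == "__main__":
    print("table engineer/source-repo:", table_authorize("engineer", "source-repo"))
    print("table engineer/design-wiki:", table_authorize("engineer", "design-wiki"))
    for who, what in [(ALICE, SOURCE_REPO), (ALICE, DESIGN_WIKI),
                      (BOB, PAYROLL_DB), (CAROL, PAYROLL_DB)]:
        print(f"score {who.name}/{what.name}:", computed_authorize(who, what))
    for t in (40, 60, 70, 90):
        print(f"threshold {t} (false grants, false denials):",
              error_counts(PAYROLL_REVIEWED, PAYROLL_DB, t))
```

Two things are worth noticing when running it. The table denies alice the new design wiki simply because nobody has added the column yet, while the computed score grants it; conversely the table grants bob, a finance employee, the payroll database, while the score denies him because he is on an unmanaged device with stale training and a recent incident. The threshold sweep shows why the score alone is not a policy: at 40 the payroll database is handed to three people a reviewer would refuse, at 90 it is withheld from two people who should have it, and choosing between those outcomes is the risk decision a credit issuer makes explicitly.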

By the way, I’ll have more to say about this book later. It’s a very good read and contains some valuable theories and analysis methods.

Posted by windley on January 17, 2006 6:40 AM


5 Comments

Comment from Kevin Tew at January 17, 2006 2:47 PM

We often think of authorizations as a boolean process resulting in either acceptance or denial.

In other words authorization is assumed to be a simple function of authenticated symbols being reduced to a boolean value True or False.

In the two dimensional case
SymbolType1 -> SymbolType2 -> Boolean
Which generalizes to
(SymbolType1, SymbolType2, ...) -> Boolean

While we simplify the authorization process as a table lookup to explain the concept, I believe that almost all authorization processes are already computational processes, in order to make the problem more tractable.

Examining group membership attributes of an identity or role is an example of how current authorization processes use attributes associated with identity to reduce the table size, making the problem more manageable.

On the other hand, we can argue that examining group membership attributes is really just a subordinate table lookup, in which case we could view it as only an optimization to reduce the original identity/role vs. resource lookup.

What I find interesting about credit authorization is two things:

1) The credit authorization function is a continuous function whereas we assume most authorization functions are discrete, returning only boolean values, Yes or No.

2) The credit authorization function uses statistics to see what segment of the population you are most probable to be a member of according to the credit attributes associated with identity.

If we take statistics away from the credit authorization process above, all we are left with is rules. Rules are just table lookups, such as is identity X a member of group Y. While rules optimize the tractability problem by reducing table size, we really haven't changed the problem.

The statistics component in the credit authorization problem is the key in my opinion. In this case, statistics is just a feedback loop of auditing and accountability.

Some of this thinking comes from being neck-deep in XQuery parsing and Perl6 rules.
Dan Greer, however, was the one that pointed out that auditing and accountability scale, while authorization doesn't.

So I posit that credit authorization scales because it is a rules framework that uses auditing and accountability data.

Ok this was a long comment. I may be crazy.
Comments and corrections welcome.

I'm not sure that a computable approach is secure enough for authorization purposes. I mean, a credit ratings system that, via its statistical approach, sometimes grants "false positive" credit, simply had to be able to absorb that much financial damage. Imagine, however, that you use a statistical algorithm to determine whether someone has access to a corporate database - either the threshold is set so high that legitimate users are barred from obtaining access, or you set the standard lower and - poof! - all your data are belong to us!

That's the point, though. In some situations, we may be able to absorb quantifiable risk in exchange for the ability to do more than simply audit and less than full-blown, role-based authorization (with its attendant costs).

I am not very convinced that the statistical approach can be applied to authorization. In case of credit scoring the worst case scenario of a "false positive" will mean that the damage is well quantifiable (in terms of stats and probability) and people using the system are well aware of the risk and are ready to live with the risk.

The authorization "false positive", on the other hand, has bigger consequences like identity theft, insider trading and possibly a SOX compliance failure, which has much larger consequences. It may make sense for these to be the first line of defence (like being integrated with a self-learning IPS) to keep a check on statistical anomalies and apply the controls, but the last line of defence will always be needed to enforce corporate and national policies for access control (which do not translate well to algorithms most of the time).

Thoughts!!

I'm not suggesting that a statistical approach is right for EVERY authorization problem, just that it might be better for some.

You mention SOX compliance, for example. I think you could convince auditors you were SOX compliant in many cases with a computed risk and post hoc audits to find and shut down problems.

But beyond that, I'm more interested in extending authorization to regimes where it can't be profitably used now. What if I want to restrict access to some documents and can live with the computed risk that they might be viewed by an unauthorized person? That would certainly be better than having no authorization scheme (which is where 99% of all corporate documents live today).