Article: Least & Necessary (from: Musing of a Trust Architect)


Christopher Allen

Sep 27, 2023, 2:54:37 PM
to cap-...@googlegroups.com, Shannon Appelcline
I’ve been writing a series of blog posts called “Musings of a Trust Architect” https://www.blockchaincommons.com/musings/ about the elements that I feel are needed for trusted architectures for the storage and transmission of data about identities, personal information, and other digital assets. My most recent one talks about a famous security design pattern called “The Principle of Least Privilege”:

    https://www.blockchaincommons.com/musings/Least-Necessary/

The Principle of Least Privilege is simple enough. It says: give someone the least permissions they need to do their job. Mark S. Miller later expanded it to consider full ecosystems, talking about not just the permissions you have, but also the permissions held by applications that you have access to.

I think this can be meaningfully expanded as a design principle for data access, using patterns such as Data Minimization and Selective Disclosure. I call this the Principle of Least Access, which I state as follows:

“In order to protect privacy, respect individual entitlements, and maintain human dignity, only the minimum amount of data access necessary to achieve a specific goal should be granted.”

I think this is a useful extension of Mark’s work.

I’d love to hear your thoughts on these design patterns and also their flipsides, which I call the Principles of Necessary Privilege, Authority, and Access. These patterns instead look at what permissions (or authority or access) we must grant to make sure that users can do their tasks. This helps to reset the boundaries of design and to focus a designer’s attention on the positive, rather than fighting a never-ending battle against the negative. Is it more beneficial to start from zero and proactively grant permissions rather than deny them? I think so.

Thanks for your thoughts! I'd love to follow up this article to add any ideas you have. 

-- Christopher Allen

Matt Rice

Sep 28, 2023, 4:24:28 PM
to cap-...@googlegroups.com, Shannon Appelcline
I just have a few thoughts, primarily on the Principle of Least Access. I should say I tend to just equate it with least authority, since read IO is an authority.

"We can state the principle as follows: In order to protect privacy, respect individual entitlements, and maintain human dignity, only the minimum amount of data access necessary to achieve a specific goal should be granted."

I slightly fear this goal-oriented definition, since it isn't clear about the transitivity distinction between privilege and authority.

To purchase a good I need to provide data for the product to be purchased, payment information, and delivery address. With multiple participants (merchant, purchaser, delivery agent and receiver) the access needs are asymmetric. The merchant technically doesn't require the delivery address, just contact with the delivery agent who does, and payment. Though the goal requires granting the sum of information, in this case it can be distributed separately across the involved parties.

Essentially it strikes me as odd: if we are going to differentiate between transitive authority and privilege, should access not also have a similar treatment?

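As an added illustration of the distribution Matt describes above (example code, not from the post or from Blockchain Commons): the purchaser's order is split into per-party read-only facets, each covering only that party's own task, and a facet can be narrowed when delegated onward but never widened. Field names, values and the party list are constructed for the example.

```python
from types import MappingProxyType

# Constructed sample order; the payment field is a token, not a card number.
ORDER = {
    "item": "SKU-1234",
    "payment_token": "tok_example_9f3a",
    "delivery_address": "1 Example St, Springfield",
    "receiver_contact": "receiver@example.invalid",
}

# The "necessary access" of each party: only what its own task requires.
# The merchant never sees the address; the delivery agent never sees payment.
NEED = {
    "merchant": {"item", "payment_token"},
    "delivery_agent": {"delivery_address", "receiver_contact"},
}


class Facet:
    """Read-only view of a record restricted to the granted fields.

    Reading an ungranted field raises PermissionError, so over-reach fails
    loudly at the point of access instead of silently succeeding."""

    def __init__(self, record, fields):
        self._view = MappingProxyType({k: record[k] for k in fields})

    def get(self, field):
        if field not in self._view:
            raise PermissionError(f"facet does not grant access to {field!r}")
        return self._view[field]

    def fields(self):
        return frozenset(self._view)

    def attenuate(self, fields):
        """Derive a narrower facet for delegation; the holder can only pass
        on a subset of what it already has, never add fields."""
        return Facet(self._view, self.fields() & set(fields))


def grant(record, needs):
    """Hand each party a facet covering only its own need."""
    return {party: Facet(record, fields) for party, fields in needs.items()}


def can_read(facet, field):
    """True if the facet permits reading `field`, False if it is denied."""
    try:
        facet.get(field)
        return True
    except PermissionError:
        return False


def goal_covered(facets, record):
    """The goal needs the sum of the data, but spread across parties:
    the union of facets covers the order while no single facet does."""
    union = frozenset().union(*(f.fields() for f in facets.values()))
    return union == set(record) and all(f.fields() != set(record) for f in facets.values())
```
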
Raoul Duke

Sep 28, 2023, 4:46:35 PM
to cap-...@googlegroups.com, Shannon Appelcline
Not to be a pessimist, but I am, and I am probably ignorant to boot, so: if data subset 1 is stored by corp entity A (my ccard usage) and data subset 2 is stored by corp entity B (my maps usage), then you gotta know the gov't is going to buy both subsets via data broker C, rendering all the decoupling or "anonymization" sort of statistically moot, I guess? W/out homomorphic encryption powers I feel like copying bits is too easy, no?

Alan Karp

Sep 29, 2023, 11:31:46 PM
to cap-...@googlegroups.com
There's an old saying, "with privilege comes responsibility."  We give you lots of privileges and ask you to behave responsibly.  That phrase describes the current approach to computer security, and we know how that's turned out.

Taking your idea of turning things around, perhaps we should say, "with responsibility comes privilege."  If I give you some task to do, I must make sure you have the privileges you need to carry it out.  The security depends on how narrowly I can define those privileges.

--------------
Alan Karp

