September 2010 Archives

A Case for K.I.S.S.

The GPS Staff Database project is prompting a discussion of access privileges. Users commonly suggest elaborate rules for viewing, editing and creating data. While I take privacy and privilege very seriously, I often argue in favor of a mallet rather than a scalpel approach to security.

  • Building a complex security layer requires more work and more development time. While this is never justification on its own, it's part of the equation.
  • In my experience, many degrees of access that seem important at the beginning eventually collapse into fewer in practice. You're left with a system that makes distinctions whose logic has been forgotten and that the business process no longer supports.
  • In my freelance career, I often felt access privileges were determined by personality and politics rather than job function. When someone quit or advanced, the access layer no longer "fit" the organization.
  • Quis custodiet ipsos custodes? Who guards the guards? No system has yet been built that prevents malicious use. Trust, training, and tracking: we have to trust people; we have to train them not only on the system but on the business process around it; and we track who does what, when. Not in secret, but in a log where everyone can see.
  • IT should never be part of the access plan. Sure, we have the master password, but we're outside the business process. We have to rely on what others tell us. In that case, why not make it so those in the know can do for themselves?
  • IT can't be integral to the systems we build. Think of us as freelancers who disappear once the work is done. You can call us back for further development but day-to-day operation has to be owned by users.
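The "trust, training, and tracking" point above boils down to two mechanical pieces: a small number of roles, and a log of who changed what and when that every user can read but nobody can quietly rewrite. The block below is an added illustration of that shape, not code from the GPS Staff Database project; the table names, the two roles, the user names and the sample staff row are all constructed for the example. It uses an in-memory SQLite database so it runs anywhere Python does.

```python
"""Minimal 'mallet' access model: two roles plus a shared, append-only audit log.

Added illustration for the post above; not code from the GPS Staff Database
project. Table names, roles, user names and the sample staff row are constructed.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed role table: every user may read; only editors may write.
ROLES = {"alice": "editor", "bob": "viewer"}


def open_db():
    """Create an in-memory staff table, an audit log, and triggers that block
    UPDATE/DELETE on the log so history cannot be edited after the fact."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE staff (id INTEGER PRIMARY KEY, name TEXT, title TEXT);
        CREATE TABLE audit_log (
            ts TEXT NOT NULL, actor TEXT NOT NULL, action TEXT NOT NULL,
            staff_id INTEGER, detail TEXT);
        -- Append-only: anyone can read the log, nobody can rewrite it.
        CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
            BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
        CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
            BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
        -- Constructed sample row.
        INSERT INTO staff (name, title) VALUES ('Sample Person', 'Analyst');
    """)
    return conn


def log(conn, actor, action, staff_id=None, detail=None):
    """Record who did what, when. Denied attempts are recorded too."""
    conn.execute(
        "INSERT INTO audit_log VALUES (?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor, action, staff_id, detail),
    )


def update_title(conn, actor, staff_id, new_title):
    """Edit a staff row. Only editors may write; every attempt is logged."""
    if ROLES.get(actor) != "editor":
        log(conn, actor, "DENIED update_title", staff_id, new_title)
        return False
    old = conn.execute("SELECT title FROM staff WHERE id = ?", (staff_id,)).fetchone()
    conn.execute("UPDATE staff SET title = ? WHERE id = ?", (new_title, staff_id))
    log(conn, actor, "update_title", staff_id,
        f"{old[0] if old else None} -> {new_title}")
    return True


def audit_trail(conn):
    """Readable by every role: the 'log where everyone can see'."""
    return conn.execute(
        "SELECT actor, action, staff_id, detail FROM audit_log ORDER BY rowid"
    ).fetchall()


def tamper_attempt(conn):
    """Even a master-password holder cannot rewrite the log through UPDATE.
    Returns True when the trigger blocks the attempt."""
    try:
        conn.execute("UPDATE audit_log SET actor = 'nobody'")
        return False
    except sqlite3.DatabaseError:
        return True


if __name__ == "__main__":
    db = open_db()
    update_title(db, "bob", 1, "Manager")     # viewer: denied, but logged
    update_title(db, "alice", 1, "Manager")   # editor: applied and logged
    for row in audit_trail(db):
        print(row)
    print("tamper blocked:", tamper_attempt(db))
```

The point of the two triggers is the "not in secret" half of the argument: a log that the database itself refuses to alter is what lets every user rely on it, and logging the denied attempt alongside the successful one means misuse shows up in the same place as ordinary work.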


Forgive me, blogger, for it's been six weeks since my last post.

  • I missed a deadline for the Third Party Billing Report. In my defense, I learned of business rules beneath the surface that needed to be understood and applied. It's not simply plucking values off the interface as we assumed in the Statement of Work. I submitted a new draft to Catalina yesterday.

Redeeming Developments

  • Before leaving for vacation, I wrote and circulated a Statement of Work for the Staff Database project.
  • External Funding is complete; just waiting for the Business Process Owners to complete a few things before scheduling a Close-Out meeting.
  • External WIV Programs is done. Next week I train the WIV team.

Completing the last two projects means we can let the Backup Server die. This is big, as that server required constant end-of-life care.

Formula for Absolution

  • Complete the Third Party Billing Project.
  • Resolve support tickets assigned to me.
  • Conclude DW Connect for LAC.
  • Work on two smallish projects for CARLA.
  • Fix the Event Registration work-around for the Dean's Office.
  • Focus my energies on the Staff Database project.