On September 15, 2024, ISC2 will update the SSCP credential exam. These updates are the result of the Job Task Analysis (JTA), which is an analysis of the current content of the credential evaluated by ISC2 members on a triennial cycle.
A title change is occurring for Domain 1. Security Operations and Administration will have a new title of Security Concepts and Practices.
| | Current (Effective November 15, 2021) | New (Effective September 15, 2024) | |
|---|---|---|---|
| 1 | Security Operations and Administration | Security Concepts and Practices | 16% |
| 2 | Access Controls | Access Controls | 15% |
| 3 | Risk Identification, Monitoring, and Analysis | Risk Identification, Monitoring, and Analysis | 15% |
| 4 | Incident Response and Recovery | Incident Response and Recovery | 14% |
| 5 | Cryptography | Cryptography | 9% |
| 6 | Network and Communications Security | Network and Communications Security | 16% |
| 7 | Systems and Application Security | Systems and Application Security | 15% |
| Total: | | | 100% |

For more information, please review the SSCP Exam Outline.
Will the ISCP 2 Official study guide change as well from third edition to fourth, and how big of a change is the content?
I'd like the access control chapter updated to clarify some stuff.... Access control is a broad topic, and the scenarios don't seem to be described to me very well so far. I'm not finished with the chapter, but between memory management, the lack of access control on home PCs, the home PC style operating systems in business applications, the internet and its links to our applications, cloud file management like blobs, Google Drive, business and industrial sectors, human machine interfaces....
These are some of my experiences. I understand that basic concepts like identification, authentication, authorization, least privilege, privilege creep are all very applicable when managing identities. However, access control is semantically broad and in a diversifying field. The big dogs are pushing for changes, and it is fair to say that Windows was not what a lot of businesses were looking for when it comes to access management. Now we are seeing new file management platforms all over the place. Hundreds of them. I was particularly interested in Microsoft blobs though. Then we have all these new asset/content managers out here that push marketing content onto social media. Platforms like Sprinklr and Hookle. Then we have all these security specialists talking about securing the gaps with SSPMs and using the right APIs... The cyber security world doesn't seem to be talking much about what Amazon, Google, Microsoft, and other major companies are doing on their platforms though. So much has changed, and I feel like this chapter is a couple years behind or will need to be dramatically updated in the near future once the changes in file management stabilize. What does the next generation of file management look like?
I spent some time shopping, and couldn't find a company that could deliver my personal and professional wants when it comes to file management which is a different but still an applicable topic, I think...
Human machine interfaces are huge in today's automotive industry, which is very much access control. Which brings into the question of command centers and remote access to machines.
Then we have all the talk about sessions, tokens... I hear about big hacks all the time related to this stuff. Yet, I don't feel like I'm much more qualified to protect a company from certain hacks. Only dysfunction maybe, but then again, I still feel like I'm very limited.
From a programming perspective, I want to override a low-level class and invoke authorization as an easy escape from the complicated topic. My head is spinning with experiences. Every way I look at it I see vulnerabilities that I can't confirm if today's technologies are even protecting, and the more I learn, the less confidence I feel in today's architectures. Our technologies grew in complexity which prevents most from malicious activity, but the vulnerabilities are often still there.
I need you all to do that thing where you make us put everything into categories so I can organize my thoughts into your standards.
Hello all, I have completed the course for SSCP certification and I am preparing for the exam on 5/30. How does the real exam compare to the exam at the end of the course? I have looked at other resources and there are questions that weren't discussed in the instruction. What other resources is everyone else using to prepare for the exam? I also have the ISC2 SSCP book of official practice tests. Is that a good resource? Thank you. Doug
It looks like only the name of the first domain changed. Does this mean that only the content of the questions in the first domain changed and/or did the exam weighting pct also change?
It looks like the ISC2 SSCP course materials reflected the Domain 1 name change.