When a teenager wants to drive.
As a parent of a teen, this is not a hypothetical question to me but one that is here and now. And the decision of whether or not to let her drive is based on some strict decision criteria. What are they?
1. What group does she belong to? Drivers.
2. What is her role? A student driver.
3. What object is she going to operate? A car (mine!)
4. What actions is she allowed to take? Drive.

And finally and most importantly:

5. What constraints are going to be placed on her? No driving after 8pm, no dog in the car, etc.
You are probably getting the drift of where I am going with this. The first four are what is commonly referred to as RBAC, or Role-Based Access Control. These have been in existence for a long time and have improved considerably with the advent of virtualization. In fact, HyTrust has been a major innovator in #3, exposing fine-grained objects so that very detailed access rights can be imposed upon them. Great!
But I said #5 was the most important one. Why so? The constraints are ultimately your most valuable asset, because they give you the most flexibility over what is allowed to happen. In the case of a teen driving the car, the constraints are imposed by the parents, but let's say she is getting more experienced (read: doesn't blink first when talking to her dad, me); the constraint can be adjusted to say 'No driving after 9pm'. All of this happens without touching #1 through #4: you expand and contract the boundaries just by adjusting the constraints.
Similarly, what HyTrust has done with #5 is introduce the concept of 'labels' that are assigned to virtual assets and provide this constraint boundary. For instance, the label could say 'test-dev', which implies that any administrator trying to move the workload to a machine that is outside the 'test-dev' environment will be denied. Note that this administrator may have passed the #1 through #4 checks; the only thing that prevented her from initiating the migration was this constraint. Powerful, right?
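
The two-stage decision described above, as an added sketch that is not HyTrust's implementation: checks #1 through #4 are evaluated as RBAC, then #5 as a label constraint on migration. The group, role and action names are hypothetical, and the rule that a target host must carry every constrained label of the workload is an assumption made for illustration.

```python
from dataclasses import dataclass

# Constructed policy data; all names except the 'test-dev' label are hypothetical.
GROUP_ROLES = {"infra-admins": {"vm-admin"}}                    # #1 group -> #2 roles
ROLE_PERMISSIONS = {"vm-admin": {"vm": {"migrate", "power_on"}}}  # role -> #3 object -> #4 actions

@dataclass(frozen=True)
class Request:
    group: str
    role: str
    object_type: str
    action: str
    workload_labels: frozenset = frozenset()
    target_labels: frozenset = frozenset()

def rbac_allows(req):
    """Checks #1-#4. Unknown groups, roles or objects fall through to deny."""
    if req.role not in GROUP_ROLES.get(req.group, set()):
        return False
    return req.action in ROLE_PERMISSIONS.get(req.role, {}).get(req.object_type, set())

def constraint_allows(req, constrained_labels):
    """Check #5: a workload may only move to a host carrying its constrained labels."""
    if req.action != "migrate":
        return True
    required = req.workload_labels & constrained_labels
    return required <= req.target_labels

def authorize(req, constrained_labels):
    """Return (decision, stage) so a denial records which check refused it."""
    if not rbac_allows(req):
        return (False, "rbac")
    if not constraint_allows(req, constrained_labels):
        return (False, "constraint")
    return (True, "allowed")

def migrate_request(target_labels, role="vm-admin"):
    """Build a migration request for a workload labelled 'test-dev'."""
    return Request("infra-admins", role, "vm", "migrate",
                   frozenset({"test-dev"}), frozenset(target_labels))

if __name__ == "__main__":
    active = frozenset({"test-dev"})
    print(authorize(migrate_request({"production"}), active))  # refused by #5 only
    print(authorize(migrate_request({"test-dev"}), active))    # inside the boundary
    # Relaxing the constraint changes the outcome without editing #1-#4.
    print(authorize(migrate_request({"production"}), frozenset()))
```

Returning the stage alongside the decision lets an audit log distinguish an administrator who lacked the role from one who held it but hit the label boundary.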