[Disclaimer: I am not a security expert. 'Nuf said...]

Ivan Medvedev (test lead on the CLR security team) has a great article about security and psychology. Its main topic is people as the weakest link in any security system.

In the article Ivan says the following:

What can you do to make the system you are architecting more secure? The rule of thumb would be – require as much information as possible for a person to be able to access the data.

Ivan's words above mean to me “require as much information as possible proving the right to access the resources”. Unfortunately, a lot of people confuse this with “always know everything about the people that access your resources”. This is a confusion between authentication and authorization. While the two are tied to a degree, they are not the same. Authorization requires proof of one's right to access particular resources. Authentication requires proof of one's identity (that she is who she claims to be).

It is possible to have authorization without knowing the identities of the persons trying to access the resources. This is relatively easy to achieve and to demonstrate in software systems. In fact, most computer software relies on one basic identity verification mechanism: the username/password pair. Based on this pair, it assigns an identity and performs access authorization. Nothing prevents a user from having two or more username/password pairs for the same resource, or multiple users from sharing a single username/password. In other words, the software does not know the true identity of the user; it only knows which credential was presented.

This is even more obvious in distributed systems such as web services. Let's say Google offers a paid web service and Microsoft pays for its employees' right to access it. Let's say I write a small application that uses this service. Should Google care about my identity? Of course Google wants to know my identity for a lot of other reasons (targeted marketing, tracking my behavior, and so on), but from a purely authorization point of view it cares only about whether I have the right, which is easily verified by my proving that I am a Microsoft employee. In fact, I think Google shouldn't even know that much; it should only know that Microsoft has given me the right to act on Microsoft's behalf with regards to Google's services.
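Here is a small worked example of that last point, and of the earlier one that a system can authorize a request without knowing who is behind it. It is added here and is not code from Ivan's article or from any Google or Microsoft service. The issuer (“microsoft”) mints a bearer capability that carries a scope and an expiry but no username, e-mail or employee id; the service (“google”) checks the token's integrity, expiry and scope and grants access without ever learning which person is calling. The token format, the issuer name and the HMAC shared secret are all assumptions made up for the demo; as the comments note, a real deployment would use an asymmetric signature so only the issuer can mint rights.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed secret shared between the issuer (the paying organisation,
# "microsoft" in the post's scenario) and the service ("google").  With an
# HMAC the service could mint tokens too; a real deployment would have the
# issuer sign with a private key (e.g. Ed25519) and give the service only the
# public key, so that only the issuer can grant rights.  Demo value only.
ISSUER_SECRET = b"constructed-demo-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_capability(scope: str, ttl_seconds: int,
                    secret: bytes = ISSUER_SECRET,
                    now: Optional[float] = None) -> str:
    """Issuer side: produce a bearer capability granting `scope`.

    Note what is NOT in the payload: no username, e-mail or employee id.
    The token asserts a right, not an identity.
    """
    now = time.time() if now is None else now
    payload = {"iss": "microsoft", "scope": scope, "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def authorize(token: str, required_scope: str,
              secret: bytes = ISSUER_SECRET,
              now: Optional[float] = None) -> bool:
    """Service side: may the bearer of `token` perform `required_scope`?

    The decision is made without the service learning who is calling; it
    learns only that the issuer granted this right and that it is unexpired.
    """
    now = time.time() if now is None else now
    try:
        body, tag_b64 = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; verify the MAC before trusting the payload.
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return False
        payload = json.loads(_unb64(body))
    except ValueError:          # missing "." separator, bad base64, bad JSON
        return False
    if not isinstance(payload, dict) or payload.get("iss") != "microsoft":
        return False
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False
    # Exact scope match; no wildcard expansion, no "admin implies everything".
    return payload.get("scope") == required_scope


def grant_fields(token: str) -> List[str]:
    """Everything the service can learn from a token's payload: its field names."""
    body = token.split(".", 1)[0]
    return sorted(json.loads(_unb64(body)).keys())


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_capability("search.query", ttl_seconds=3600, now=t0)
    # Two different callers presenting the same token are indistinguishable
    # to the service: both are authorized, neither is identified.
    for caller in ("alice's app", "bob's app"):
        print(caller, "->", authorize(tok, "search.query", now=t0 + 60))
    print("fields visible to service:", grant_fields(tok))
    print("wrong scope:", authorize(tok, "admin.delete", now=t0 + 60))
    print("expired:", authorize(tok, "search.query", now=t0 + 3601))
    print("tampered body:", authorize("X" + tok[1:], "search.query", now=t0 + 60))
    forged = mint_capability("search.query", 3600, secret=b"attacker", now=t0)
    print("forged by non-issuer:", authorize(forged, "search.query", now=t0 + 60))
```

The point to take from the run is that the service's decision depends only on what the issuer signed (scope and expiry) plus the integrity check; the same token works for two different callers and the service has no field it could use to tell them apart. If Google later wants per-user accounting or revocation, that is a separate requirement it has to justify, not something authorization itself needs.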