There was an unfortunate news report today on CNet (Zoho Writer search bug exposed private documents) about a security problem with our fellow web application ZOHO Writer. Martin LaMonica wrote about a very brief security violation that was caused by some bad timing in their server indexing and testing process.
It sounds like the breach was very short-lived, and the potential risk was quite limited. But it led Mr. LaMonica to wonder, “Still, as a user, it made me think twice about putting private documents online.”
This is the sort of news item that sends chills down the organizational spine of all of us who are offering web-based applications. To get a sense for the risk of this kind of incident, I went to Buzzword’s technical lead and co-founder, Mike Kraley, who has decades of experience in software architecture and deployment, including a stint at BBN at the very conception of the Internet. Mike is an industry graybeard – a sober, meticulous and insightful engineer who has thought through these issues, and many others.
As Mike explained it, there are two places in the application stack where you might consider implementing access controls:
* As close to the user as possible: in the user interface, where the response to users’ actions can be most immediate, and where the application can, for example, “gray out” options the user is not permitted to use.
* As close to the data as possible: controls at the server, where the application stores and retrieves content.
In fact, Mike explained, you want to provide access control at both ends of the stack. That way you can provide the immediacy that makes an application like Buzzword feel responsive and intuitive. But there’s always a second check back at the server, in case a misguided request is made by the UI and someone tries to access a document for which they do not have permission.
According to Mike, when developing a new feature it’s conceivable that the UI code could inadvertently violate the established access control model, and the server would provide the last line of defense. Mike said the error message back from the server may not be elegant, but it’s effective. In Buzzword, you simply can’t get to documents without getting past the last-ditch server-based access control, even if you found a way (accidentally or deliberately) to get through the controls in the UI.
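As an added illustration (this is not Buzzword’s code; the roles, actions, document store and sample users are all constructed for the example), the following Python sketch shows the two layers Mike describes: a UI function that decides which options to gray out, and a server entry point that re-runs the same permission check on every request, so a request the UI should never have sent is still refused at the data end.

```python
"""Two-layer access control for a document service: the UI layer decides what
to gray out, the server layer re-checks every request before touching data.
Added example, not Buzzword's code; roles, actions and users are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    OWNER = "owner"
    COAUTHOR = "coauthor"
    READER = "reader"


# Constructed policy: the set of actions each role may perform.
PERMISSIONS = {
    Role.OWNER: {"read", "edit", "share", "delete"},
    Role.COAUTHOR: {"read", "edit"},
    Role.READER: {"read"},
}
ALL_ACTIONS = ("read", "edit", "share", "delete")


class AccessDenied(Exception):
    """Raised by the server when a request fails the authorization check."""


@dataclass
class Document:
    doc_id: str
    owner: str
    body: str
    shares: dict = field(default_factory=dict)  # collaborator -> Role


class DocumentServer:
    """The data-side check: nothing is read or changed without passing authorize()."""

    def __init__(self):
        self.docs = {}

    def add(self, doc):
        self.docs[doc.doc_id] = doc

    def role_for(self, user, doc_id):
        doc = self.docs.get(doc_id)
        if doc is None:
            return None
        if user == doc.owner:
            return Role.OWNER
        return doc.shares.get(user)

    def authorize(self, user, doc_id, action):
        # A missing document and a forbidden one are reported the same way,
        # so a caller cannot learn which document ids exist by probing.
        role = self.role_for(user, doc_id)
        if role is None or action not in PERMISSIONS[role]:
            raise AccessDenied(f"{user} may not {action} {doc_id}")
        return self.docs[doc_id]

    def handle(self, session_user, request):
        """Entry point for every UI request. session_user comes from the
        authenticated session, never from the request body; anything the
        client claims about its own permissions is simply ignored."""
        action = request["action"]
        doc = self.authorize(session_user, request["doc_id"], action)
        if action == "read":
            return doc.body
        if action == "edit":
            doc.body = request["body"]
            return "saved"
        if action == "share":
            doc.shares[request["with"]] = Role(request["role"])
            return "shared"
        # authorize() only lets known actions through, so this is "delete".
        del self.docs[doc.doc_id]
        return "deleted"


def ui_enabled_actions(server, user, doc_id):
    """The user-side check: asks the same policy which options to enable, so a
    reader sees Edit, Share and Delete grayed out before ever clicking them."""
    role = server.role_for(user, doc_id)
    allowed = PERMISSIONS.get(role, set())
    return {action: action in allowed for action in ALL_ACTIONS}


def buggy_ui_request(doc_id, action):
    """Models the UI bug the post describes: client code sends a request for an
    action the interface should have grayed out."""
    return {"doc_id": doc_id, "action": action}


def demo():
    server = DocumentServer()
    server.add(Document("doc-1", owner="alice", body="draft"))
    server.docs["doc-1"].shares["bob"] = Role.READER
    results = {"bob_ui": ui_enabled_actions(server, "bob", "doc-1")}
    results["bob_read"] = server.handle("bob", {"doc_id": "doc-1", "action": "read"})
    try:  # the UI layer failed; the server layer still holds
        server.handle("bob", buggy_ui_request("doc-1", "delete"))
        results["bob_delete"] = "allowed"
    except AccessDenied:
        results["bob_delete"] = "denied by server"
    results["alice_delete"] = server.handle("alice", {"doc_id": "doc-1", "action": "delete"})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the structure is that both layers consult one policy table, but only the server’s answer is trusted: the UI result is a convenience for responsiveness, and the identity the server checks against is taken from the session rather than from anything the client sends.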
All of us in the online application space are working hard to make sure this environment is safe and secure for all your authoring needs. In fact, I generally feel that my documents are safer in Buzzword because they aren’t separable morsels of content that can be mailed around, copied to thumb drives or hacked from network intruders.
And the two-level security model ensures that only my intended collaborators will have access.
