Separation of powers and the creative use of escrow.
I’m a firm believer in the use of layer 8 mechanisms for controls, along with other layers. You may claim that users are unreliable, and that they’re the weakest link, but I think if you pick the right users, they can provide a service that nothing else can: escrow.
Let’s say that you have a security group separate from your IT operations group, and you want to implement a separation of powers. The elements you can use are:
- the power of one group to cut off access for the other one
- the power of one group to monitor the other one in a way that the second group can’t alter
- the power of selected passwords that only one group knows
Now, when you have sysadmins, there’s very little you can do to get around the fact that they hold the keys to the system kingdom, i.e. the administrative passwords. They can cut off anyone from a system, or an AD domain, at any time. However, you can set up a system that they don’t know the password to. As long as the sysadmins don’t also control the network infrastructure (that should be a separate group), you can set up a balance of power. If you get a copy of all the logs off the sysadmins’ boxes as soon as the events are generated, and send them to a receptacle that they don’t control, then at the very least you can detect activity when the stream stops.
But if your security group also has sooper powers, you end up with a kind of standoff situation. Either side can mess up the other, but mutually assured destruction doesn’t usually make the CIO feel any better. And you still have to monitor the security group for equal accountability.
First of all, I prefer to keep my sooper powers in a box: i.e. a separate login. My activities under that login are still visible to the sysadmins (they still have a copy of their own logs, remember), and they still control the systems that I work on, including my workstation. However, I do have an encrypted volume to which they do not have the key. Who has the key? The rest of my security group. Anyone can go ask them for it at any time, but being who they are, they won’t accept anything less than a clearly documented order from MY boss, or higher up. I’m still accountable to them.
Another example of escrow: you can base a key on information that a very separate group has, such as the facilities people who issue the badges, or human resources. You can always go get the information from them, but given their nature, they’re going to ask you, a person from an unrelated department, why you need it. You’ll have to have that documented good reason. Sometimes bureaucracy, organizational silos, and suspicion can be wielded as useful security controls.
If you spread out the pieces widely enough in an organization, the end effect is that only the common management—usually high up in the chain—can make use of the whole. This is bad when you’re trying to speed things up, but it’s very handy when you’re trying to slow things down. It ensures that nothing in the security arena will be misused by any one side.
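One concrete way to realize the "spread out the pieces" idea above is a threshold split of a key. The following is an added example, not part of the original post: it uses Shamir's secret sharing, where the group names are assumed placeholders for the departments mentioned, and only a quorum of holders (here 3 of 4) can recover the key, while fewer shares reveal nothing useful.

```python
import secrets

# Field modulus: a 127-bit Mersenne prime, enough for a 128-bit symmetric key
PRIME = 2**127 - 1

def _eval_poly(coeffs, x):
    """Evaluate the polynomial (constant term first) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result

def split_secret(secret, threshold, holders):
    """Give each holder one share; any `threshold` shares rebuild `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    if not 1 <= threshold <= len(holders):
        raise ValueError("threshold must be between 1 and number of holders")
    # Random polynomial of degree threshold-1 whose constant term is the secret
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return {name: (i, _eval_poly(coeffs, i)) for i, name in enumerate(holders, start=1)}

def reconstruct(shares):
    """Lagrange interpolation at x=0 over (x, y) shares; needs >= threshold of them."""
    result = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse via Fermat, since PRIME is prime
        result = (result + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return result

def demo():
    """Assumed holder names standing in for the departments discussed in the post."""
    holders = ["security_group", "facilities", "human_resources", "it_operations"]
    key = secrets.randbelow(PRIME)
    shares = split_secret(key, 3, holders)
    quorum = [shares[h] for h in ("security_group", "facilities", "human_resources")]
    too_few = [shares[h] for h in ("security_group", "facilities")]
    # (True, False): three holders recover the key, two holders do not
    return reconstruct(quorum) == key, reconstruct(too_few) == key

if __name__ == "__main__":
    print(demo())
```

Each group keeps only its own share, so any single department, sysadmins included, cannot recover the key alone; assembling a quorum is exactly the documented, cross-department request the post describes.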
Oh, and it also helps to have a deputy who has a suspicious streak a mile wide and is handy with zip-strips.
Posted by shrdlu on Saturday, March 31, 2007