Paul Robertson wrote:
>Vin's reminder that regulation requires stronger authentication is a good
>one, though I'm not sure the regulation provides all that much risk
>reduction over good control of the access mechanism. I've seen tokens
>taped on monitors with the PIN sticked to them.
I think that goal-focused regulation (to use a concept now popular
among those who are considering infosec regs inside the Beltway) will
inevitably focus more on the potential of audit -- passive network
surveillance for accountability -- rather than access control.
Strong user authentication is, of course, as critical to passive
audit records as it is to active access control.
Dan Geer, a thoughtful guy now chief scientist at Verdasys, has
been arguing for at least a couple of years that access controls will
inevitably, on purely economic grounds, give way to more extensive audit
requirements -- file-level forensic records, redefining the minimalist
"perimeter" -- as IT security again begins to stress accountability over
active authorization.
As access control systems become more granular and authorization
structures more complex, he points out, the cost of maintaining the access
control matrix -- objects/authorization, per user -- expands at a rate
faster than the rate of growth of the organization.
Technical Issues of scaling become compounded by a nasty ratio of
exponentially rising costs, and not even the efficiencies of directories
will withstand that equation.
In a recent interview <http://tinyurl.com/2xq6g>, Geer put it this
way:
"If you double the size of the company, then you double the number
of people and the number of resources. This quadruples the number of boxes.
If there is a fixed minimum cost to maintaining a check in each box, then
the cost of maintaining the matrix grows faster than linear with company
growth. Any cost that scales faster than linear is in and of itself a
barrier to growth. Security cannot be a barrier to growth, or people will
inevitably work around it.
"A similar argument applies if you are busy making your company
more secure by subdividing rows and columns into finer grained access
control, and that is without growing the corporation at all. Pushing access
control too far ensures that the result is diseconomic, the only question
is when.
"The alternative to pushing access control farther than it should
be pushed is to turn your security problem statements towards
accountability. Like in a free society, there is huge efficiency in not
having to ask permission for every niggling little thing but if and only if
there is a high probability that if you misuse your freedom you will then
lose your freedom. That is what accountability is. Accountability at the
object level is where security goes next, and it goes there whether you
come along or not."
I'm less certain of his argument when he predicts universal
file-level audit records -- the defensive perimeter contracted to the data
level -- but the economic logic of his case for the rise of audit
vis-à-vis access controls is compelling.
Surete,
_Vin
----------------------------------------------
Vin McLellan + The Privacy Guild + <vin_at_theworld.com>
22 Beacon St., Chelsea, MA 02150-2672 USA
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Apr 26 2004
Intro
