Firewall Wizards mailing list archives

RE: Stanford break in


From: Vin McLellan <vin () theworld com>
Date: Mon, 26 Apr 2004 03:32:45 -0400

Paul Robertson wrote:

Vin's reminder that regulation requires stronger authentication is a good
one, though I'm not sure the regulation provides all that much risk
reduction over good control of the access mechanism.  I've seen tokens
taped on monitors with the PIN stuck to them.

I think that goal-focused regulation (to use a concept now popular among those who are considering infosec regs inside the Beltway) will inevitably focus more on the potential of audit -- passive network surveillance for accountability -- rather than access control.

Strong user authentication is, of course, as critical to passive audit records as it is to active access control.

Dan Geer, a thoughtful guy now chief scientist at Verdasys, has been arguing for at least a couple of years that access controls will inevitably, on purely economic grounds, give way to more extensive audit requirements -- file-level forensic records, redefining the minimalist "perimeter" -- as IT security again begins to stress accountability over active authorization.

As access control systems become more granular and authorization structures more complex, he points out, the cost of maintaining the access control matrix -- objects/authorization, per user -- expands at a rate faster than the rate of growth of the organization.

Technical issues of scaling become compounded by a nasty ratio of exponentially rising costs, and not even the efficiencies of directories will withstand that equation.

In a recent interview <http://tinyurl.com/2xq6g>, Geer put it this way:

"If you double the size of the company, then you double the number of people and the number of resources. This quadruples the number of boxes. If there is a fixed minimum cost to maintaining a check in each box, then the cost of maintaining the matrix grows faster than linear with company growth. Any cost that scales faster than linear is in and of itself a barrier to growth. Security cannot be a barrier to growth, or people will inevitably work around it.

"A similar argument applies if you are busy making your company more secure by subdividing rows and columns into finer grained access control, and that is without growing the corporation at all. Pushing access control too far ensures that the result is diseconomic, the only question is when.

"The alternative to pushing access control farther than it should be pushed is to turn your security problem statements towards accountability. Like in a free society, there is huge efficiency in not having to ask permission for every niggling little thing but if and only if there is a high probability that if you misuse your freedom you will then lose your freedom. That is what accountability is. Accountability at the object level is where security goes next, and it goes there whether you come along or not."

I'm less certain of his argument when he predicts universal file-level audit records -- the defensive perimeter contracted to the data level -- but the economic logic of his case for the rise of audit vis-à-vis access controls is compelling.

        Surete,
                _Vin


   ----------------------------------------------
        Vin McLellan + The Privacy Guild + <vin () theworld com>

                    22 Beacon St., Chelsea, MA 02150-2672 USA  
