
NYT Article and Physical Security



What it comes down to is that all security measures depend on some
physically protected perimeter. If you can't protect the perimeter,
then you have to protect the data travelling outside.

The nugget of truth in all this is that typical sites place the trust
boundary at the walls of their building and implicitly trust all
employees. Look at the statistics on fraud caused by "inside jobs" to
judge the long-term wisdom of this.

What's the near-term "solution" to all this? Sites need to take a
really hard-nosed view of computers that perform valuable
transactions. If your computer has the software necessary to authorize
a $1,000,000 transaction, then it can't contain anything but software
specifically installed and approved to do your work. Java applets,
downloaded utilities, and games will be verboten. Put a strong
physical security perimeter around all such machines and any unsecured
network services they share. Firewall all accesses to the outside.

A longer-term solution might be the commercial equivalent of the
expensive "multilevel secure" systems the government has tried to
promote for over a decade. Given the cost and functionality tradeoffs,
this might not ever happen.

Rick.
smith@sctc.com      secure computing corporation

