[Previous] [Next] [Index]
[Thread]
Re: NYT Article and Physical Security
> The nugget of truth in all this is that typical sites place the trust
> boundary at the walls of their building and implicitly trust all
> employees. Look at the statistics on fraud caused by "inside jobs" to
> judge the long term wisdom of this.
There's just no easy answer when people are involved. Auditing has a
long tradition of being part of the solution (as in computer logging
of actions taken or refused). And that's not something we've talked
much about in WWW circles yet. Government and financial institutions
adopt two-person control authorization policies to double the number
of people that need to be subverted (or make it more difficult for one
person to figure out how to circumvent the control). "Who will watch
the watchers?" goes back to Roman times (why can't I find that quote
in my Barlett's? Anyone know who it's by?).
> A longer term solution might be the commercial equivalent of the
> expensive "multilevel secure" systems the government has tried to
> promote for over a decade. Given the cost and functionality tradeoffs,
> this might not ever happen.
The government also puts a lot of money into vetting employees above
unclassified. It's not the kind of investment most companies want to
make. And, the truth of the matter is, trusting people less tends to
make them less trustworthy. It takes a special kind of person to work
in a military environment.
Mez
Follow-Ups:
References: