Sunday, January 26, 2014

Are Administrative Security Controls Really Effective?

Administrative controls certainly have their place. For instance, I wish that cryptographic keys were generally generated and installed on user systems, wherever appropriate, as part of 'first day on the job' policy.  "Wherever appropriate" is the hard part. Does a new hire need ssh in addition to email? What is the cost of placing such a system in front of HR? Should it be done when traditional HR has quite enough on their plate, simply ensuring that the appropriate forms are signed? Or should it be done after that potentially overwhelming first-day HR experience, when that new hire joins their team. I would argue for the later as required system access will likely be less accurately known at the HR level. That does not have to be the case, but any other approach involves an additional expense associated with maintaining what has become a critical in-house application, for no obvious reason.

These are managerial policy issues. They are notoriously difficult to drive into code, and this is only partially due to worthwhile approaches, based upon the simplicity of good parsers reading flat text files not being widely implemented. Separation of code and data is always a security win, if for no other reason than that the data persistence layer is far easier to audit.

Three notes on the above paragraph

  1. A 'good parser' is one for which a thorough set of tests has been written against, including corner-cases such as only a single name (a so-called mononymous person) being used for a person. E.g. common in Indonesia, the 4th most populous country.
  2. "Easier to audit" enables modern continuous audit techniques by requiring fewer system resources. Lower CAPEX is a Good Thing.
  3. Pluggable data persistence layers are preferred. Flexibility is more cost-effective in the long run. 

Administrative controls are only sometimes effective

A reasonable example would be passwords. A common approach approach is to promulgate complexity requirements based upon exponentiating over password length and character set: such and such a length, require numeric, require punctuation, etc. Let us set aside that modern password-cracking schemes do not often allow for advances in modern cracking dictionaries (which seem likely to be more important than parallel cracking via GPU).

An administrative 'control' is often as simplistic as a policy forbidding writing a password down. One consequence of this that the classic Post-It Note stuck to the side of a display has been driven underground to the extent that password lists have long since migrated to being taped to the underside of the keyboard. There is probably some sort of joke that could be developed from this, related to hiding the problem.

My views on passwords are somewhat heretical, and this was just an example. I'm not going to write about them here.

Bottom line

In common circumstances, the intersection of technical and administrative security controls is far more more important than either one, considered alone.

No comments:

Post a Comment

Comments on posts older than 60 days go into a moderation queue. It keeps out a lot of blog spam.

I really want to be quick about approving real comments in the moderation queue. When I think I won't manage that, I will turn moderation off, and sweep up the mess as soon as possible.

If you find comments that look like blog spam, they likely are. As always, be careful of what you click on. I may have had moderation off, and not yet swept up the mess.