Friday, March 16, 2007

Can't help myself

I can't help but comment on a blog post I saw by Rob Newby the other day. It struck a chord about how paranoid the regular security person needs to be...

His original post is here: http://robnewby.blogspot.com/2007/03/one-of-us-has-to.html

If you're worried about collusion and superadmins with access to everything you're a bank, a defense department, or paranoid.

Not that a single "superadmin" should be able to do anything by themselves, but I'll skip that point for now.

If what you're looking for is protection against all of the scenarios you've outlined then you're not looking for commodity hardware, operating systems, physical security, etc.

Maybe you ought to consider not hooking the system up to anything. And bag checks at the door. And periodic interrogations, surveillance of the admins, credit checks, black-bag jobs to break into their houses, etc.

If you're really worried about multiple people colluding and walking off with the data, then you're going to need more than logging and hope to achieve it.
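To make the "no single superadmin" point concrete, here is an added example (my own illustration, not code from the post or from Rob's): a hypothetical dual-control gate in which a privileged action needs a configurable number of distinct accounts before it can run. The audit log is kept alongside it only to show the difference between recording what happened and preventing it. All names and the action strings are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class PrivilegedRequest:
    action: str
    requester: str
    approvers: set = field(default_factory=set)
    executed: bool = False


class TwoPersonRule:
    """Hypothetical dual-control gate (not from the post): a privileged action
    needs `required_people` distinct accounts before it can run, so no single
    "superadmin" completes it alone. The audit log records events; the gate is
    what actually stops the action."""

    def __init__(self, required_people=2):
        if required_people < 2:
            raise ValueError("dual control needs at least two distinct people")
        self.required_people = required_people
        self.requests = {}
        self.audit_log = []  # append-only; a detective control, not a preventive one
        self._next_id = 1

    def _log(self, event, **fields):
        self.audit_log.append({"event": event, **fields})

    def request(self, action, requester):
        rid = self._next_id
        self._next_id += 1
        self.requests[rid] = PrivilegedRequest(action, requester)
        self._log("requested", id=rid, action=action, by=requester)
        return rid

    def approve(self, rid, approver):
        req = self.requests[rid]
        # Self-approval and repeat approvals would let one person count twice.
        if approver == req.requester or approver in req.approvers:
            self._log("approval_rejected", id=rid, by=approver)
            return False
        req.approvers.add(approver)
        self._log("approved", id=rid, by=approver)
        return True

    def execute(self, rid, executor):
        req = self.requests[rid]
        participants = {req.requester} | req.approvers
        if (req.executed or executor not in participants
                or len(participants) < self.required_people):
            self._log("execution_denied", id=rid, by=executor,
                      participants=len(participants))
            return False
        req.executed = True
        self._log("executed", id=rid, action=req.action, by=executor)
        return True


def solo_superadmin_fails():
    """One account requesting, approving and executing its own action is denied."""
    gate = TwoPersonRule()
    rid = gate.request("export customer database", "alice")  # constructed sample
    gate.approve(rid, "alice")          # rejected: self-approval
    return gate.execute(rid, "alice")   # False: only one distinct person involved


def two_distinct_admins_succeed():
    """Requester plus one independent approver satisfies the two-person rule."""
    gate = TwoPersonRule()
    rid = gate.request("export customer database", "alice")
    gate.approve(rid, "bob")
    return gate.execute(rid, "bob")     # True


def collusion_below_threshold_fails():
    """With required_people=3, two colluding admins still cannot complete the action."""
    gate = TwoPersonRule(required_people=3)
    rid = gate.request("rotate master key", "alice")
    gate.approve(rid, "bob")
    return gate.execute(rid, "bob")     # False


if __name__ == "__main__":
    print(solo_superadmin_fails(), two_distinct_admins_succeed(),
          collusion_below_threshold_fails())
```

The gate only raises the bar to `required_people` colluders; it does not make collusion impossible, which is exactly the post's point that once you are defending against a group acting together you need more than logging.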

4 comments:

Rob said...

I agree that you can't protect everything I've talked about with log security, but I think you may be being a little picky (and maybe hence the title!)
My blog is necessarily truncated to avoid boring too many people to death, but I describe a very long process of securing in only one sentence as a result. You can protect against all of the above with process, policy, hardware, software, etc. and I have done.
OK, so collusion is rare, but if you were a true retentive you would know that we're not protecting against what's probable, but what's possible.
Funny thing though, most of my customers ARE banks. Maybe I am paranoid?

Andy Steingruebl said...

Wasn't trying to be too hard on you Rob. My reaction was based on what I saw as a relatively defeatist attitude about protecting against data walking out the door. I think it was the phrase "superadmin" that really tweaked me. In the scenarios you described there shouldn't be a superadmin.

Which makes me think of a Dr. Strangelove quote and possibly another blog entry...

Rob said...

Actually, there's no defending it, you're absolutely right, it's a bit of a stupid thing to say isn't it? I've been so focused on telling the story, I've fudged the details. Perhaps I could hire you as a proofreader for future posts? ;)

Oh, and as for being hard on me, I didn't take it like that, I just love answering back! Criticism is always welcome, as long as it's constructive. I encourage debate, as it's the best way to achieve the results we all want, if I've made an error, I need to be corrected, isn't that what security's about?

Rob said...

On the other hand...

http://www.cnn.com/2007/US/03/20/lost.data.ap/index.html