If you can’t trust your locksmith – or your network admin – who CAN you trust?
Why is the possession of lock picks by non-locksmiths illegal in some states? That was the unlikely question posed to me by IT security expert and CEO of ProofSpace, Paul Doyle, when he called me this morning. The obvious answer to the question is that lock picks in trained hands may be burglary tools. That kind of “super power” is also disconcerting. When my neighbor locked his babysitter out of the house accidentally last week, the babysitter came over. I called my neighbor on his cell phone and asked if he wanted me to pick the lock – I am a locksmith after all. He declined and preferred to drive 20 minutes back to his house to unlock it himself. He really didn’t like the idea that his house wasn’t private to someone with lock picks.
There is a corollary to this in law and IT security. Individuals with admin privileges on a corporate computer – like an email server or database – essentially have logical lock picks. So shouldn’t admin privileges be closely guarded? In many states locksmiths have to be licensed. Should we license our computer and network administrators? Just about every computer I’ve ever seen in use by security personnel is logged in as admin.
It was American Express or some other mega financial services firm which recently had its complaint thrown out of court. The company contended that another firm misappropriated confidential data. The judge in the case asked the plaintiff a simple question: How do you know the data was authentic? The company did not have an adequate answer and the case moved no further.
Fascinating. How do you prove that data – like emails – are authentic? Well, you can sign it with a hash, measure it with a checksum, closely audit all activities with Verdasys Digital Guardian™, or sign it with ProofMark™ from ProofSpace.
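The difference between “measuring with a checksum” and “signing” matters precisely because of the logical-lock-pick problem above: an admin who can rewrite the email can also rewrite a checksum stored next to it. The example below is added here and is not code from the post or from any of the products it names. It models a stored email with both an unkeyed SHA-256 checksum and a keyed HMAC-SHA256 tag, then models an administrator who edits the record and recomputes the checksum but does not hold the verifier's key. The email text, the key and the `verify_against_escrow` arrangement (a digest handed to an independent party at archiving time) are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from typing import Any, Dict, Tuple

# Constructed sample e-mail (not from the post), as an archive might store it.
ORIGINAL_EMAIL = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: Q3 figures\r\n\r\n"
    b"Revenue was 4.2M.\r\n"
)
# Hypothetical verification key held by a party that is NOT the server admin.
VERIFIER_KEY = b"constructed-demo-key-do-not-reuse"


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 digest: catches accidental corruption, but anyone who
    can edit the data can recompute it, so by itself it proves nothing."""
    return hashlib.sha256(data).hexdigest()


def auth_tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag: recomputing it needs the key, so whoever can
    edit the data but does not hold the key cannot produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_record(data: bytes, key: bytes) -> Dict[str, Any]:
    """Store the message with both an unkeyed checksum and a keyed tag."""
    return {"data": data, "checksum": checksum(data), "tag": auth_tag(key, data)}


def admin_rewrites(record: Dict[str, Any], new_data: bytes) -> Dict[str, Any]:
    """Model an administrator with full write access to the store (the post's
    'logical lock picks'): they change the data and recompute the checksum,
    but they do not have the verifier's key, so the old tag stays in place."""
    return {"data": new_data, "checksum": checksum(new_data), "tag": record["tag"]}


def verify_record(record: Dict[str, Any], key: bytes) -> Tuple[bool, bool]:
    """Return (checksum_matches, tag_matches) for a stored record."""
    data = record["data"]
    checksum_ok = hmac.compare_digest(checksum(data), record["checksum"])
    tag_ok = hmac.compare_digest(auth_tag(key, data), record["tag"])
    return checksum_ok, tag_ok


def verify_against_escrow(record: Dict[str, Any], escrowed_digest: str) -> bool:
    """Keyless alternative: compare against a digest that was handed to an
    independent party when the record was archived, out of the admin's reach."""
    return hmac.compare_digest(checksum(record["data"]), escrowed_digest)


if __name__ == "__main__":
    record = make_record(ORIGINAL_EMAIL, VERIFIER_KEY)
    escrow = record["checksum"]  # digest given to an outside party at archive time
    print("original:", verify_record(record, VERIFIER_KEY))
    tampered = admin_rewrites(record, ORIGINAL_EMAIL.replace(b"4.2M", b"5.2M"))
    print("after admin rewrite:", verify_record(tampered, VERIFIER_KEY))
    print("escrowed digest still matches?", verify_against_escrow(tampered, escrow))
```

Run stand-alone, the original record passes both checks, the rewritten record still passes the checksum check (the admin recomputed it) but fails the keyed tag, and the escrowed digest also exposes the rewrite. The lesson is the same one the judge was asking about: the reference value has to be something the person with the lock picks cannot regenerate.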
If there were an easy, cost-effective way of ensuring or measuring the authenticity of data, would companies buy it? I think so. Just like companies bought RACF and ACF2 for their mainframes, or SeOS/eTrust Access Control for their Unix boxes. What do you think?