Preamble

  • Skepticism is not a philosophy of disbelief. Rather it is a philosophy that suggests that there is merit in examing beliefs. A skeptical view of the world allows for faith, in fact recognises that 'faith' at some level often underlies so-called scientific theory. Skepticism does not lead us to the 'entire truth' of the universe, but it is discipline that allows us to better understand small parts of it. And for those parts that we want to grow or progress, skepticism is a tool to open the hood, check the hoses, replace the worn out parts, and lubricate the engine.
  • So why is the focus of this Blog on Skepticism and Technology, and Computer Technology particularly? Because Computer Technology (like every new science struggling for respectability) has surrounded itself with beliefs, an aura which resembles an old style religion where the priests have all the knowledge and know what's best for the humble, confused and worshipfull users of the technology. While the Computer people might enjoy the adulation and their 'special status' and while the computer users (and their managers) retreat comfortably into their 'I don't know what I'm doing and can't be held responsible for anything' attitude, the field of computing technology will largely stagnate. In such an environment we can only extend computer technology by replacing more and more manual processes. That is to say that we can use technology to replace jobs, but we have largely failed to empower the users of the technology to use technology to find creative ways of enhancing their existing jobs.

Skeptic Links

  • Stranger in a Strange Land - Robert Heinlein
    "You know how Fair Witnesses behave." "Well no I don't, I've never met one." "So? Anne!" Anne was on the springboard; she turned her head. Jubal called out, "That house on the hilltop-can you see what color they've painted it?" Anne looked, then answered. "It's white on this side." Jubal went on to Jill, "You see? It doesn't occur to Anne to infer that the other side is white, too. All the King's horses couldn't force her to commit herself ... unless she went there and looked-and even then she wouldn't assume that it stayed white after she left."
  • New Scientist Magazine and Website
    Opinions are best informed by facts - and other (especially differing) opinions. New Scientist has plenty of both, or if you believe a fact is just an opinion wrapped up in a prejudice, plenty of those as well. The best - the easiest - way to keep up to date with just about anything in the life, physical or technological sciences. If you see it on television or hear it on the radio, you probably read it here the day before.
  • David Hume, Philosopher 1711-1776
    "If I ask you why you believe any particular matter of fact, which you relate, you must tell me some reason; and this reason will be some other fact, connected with it. But as you cannot proceed after this manner, in infinitum, you must at last terminate in some fact, which is present to your memory or senses; or must allow that your belief is entirely without foundation." (David Hume, 1737)
  • Massimo Pigliucci. On reasonable skepticism
    I'd recommend his article on Monty Python for anyone who believes skeptics don't have a sense of humour, and his article on the difference between skepticism and cynicism for anyone who ever wondered.
Subscribe to this blog's feed

« Call Centres: Understanding Relationship Flows | Main | Concepts in Security Management: Invisible Organisations »

Component Security Certification: System User Certification

Whenever we control system users access by assigning (or holding back) permissions, we are effectively 'certifying' their IT security status.  If we don't have a single document (literally a certificate) that describes the sum of all of a particular persons 'permissions', we have the equivalent recorded in various systems.   System User Access Control could then be otherwise described as System User Certification.  As system users are as much components of the IT environment as applications or hardware, it would be fair to say that System User Certification could be called a type of Component Security Certification.

So far then we've tentatively accepted that we can use a new name to describe a thing that we are already familiar with; does this improve our System User Certification process?    I have to admit that the 'benefit' mostly flows the other way.  I am hoping to give some 'respectability to the concept of 'Component Security Certification' and to suggest that certifying Computer Applications and Computer Hardware as 'security compliant' is as important as certifying System Users.

Well so far perhaps that doesn't sound too radical, although certifying that a printer is 'security compliant' might be a novel concept to some.  Others will note that we already have protocols for ensuring that applications are built to standards (which include security standards), and security-sensitive hardware such as routers are configured with security 'in mind'.   What I am talking about is a universal process that ensures that all hardware and software are put through a process of certification of compliance with our security expectations, ensuring that none are bypassed because 'we didn't appreciate in advance their significance'.    Ninety percent of office 'hardware' will not have any security implications and can then be certified 'clean'  straight away.   So what's the advantage in doing that (apart from satisfying some super-bureaucratic itch)?  Well consider the printer again.

Eight years ago the first reports of printers being 'hacked' into came to light.  This was a result of a change in 'capability' in printers, now being network enabled.  Obviously large multifunction printer/copiers/faxes in offices have introduced another 'capability'.  This capability opens up the interesting possibility of programming the machine to fax everything that is printed or copied to an external location.  Wouldn't someone notice? Possibly not, most large printers are in storerooms or open areas (eg nobody sitting beside them) and most people wouldn't have a clue what they are doing most of the time.  Then there's another capability, the ability to place hidden codes on everything printed on a certain machine that enables 'investigators' to track that material back to that machine.  You might ask how that is a security risk; well generally it's not, but if you ever want to make use of that 'information' to support a case (say data theft) that has gone to court you might find that your case collapses if the court doesn't like the fact that you didn't tell folk about the photocopiers traceability capability.  Oh, and of course if you didn't know about the capability (because you'd never gone through the considered process of certifying the equipment) you would never have been able to take advantage of it.

What are the other advantage of certification, apart from ensuring everything is 'roped in' at some stage and considered.  Well, a 'certificate' implies some kind of form (real or virtual) that means that we can incorporate a checklist which helps us (and particularly others) maintain a consistent standard of checking (or share the task).  The 'form' is also a touchstone for auditors, and an anchor for change control processes.

Ok, if we accept that System Users, Equipment, and Applications should (or could be) certified, is it reasonable to propose that we apply the same approach to Agreements, Contracts, Services and Environments.  For instance, if you employ a contractor to work in a secure area you probably already do a security background check on them (so they are in fact 'certified'), but if you send equipment off to be repaired (under a contract) what do you do to ensure that there's nothing on the machine that is 'sensitive'.  Well you can ensure that the service agreement with the repairer includes a provision that imposes a DUTY on the folk shipping the thing off to repair to CHECK it first.  You might also include some provision for liability if anything from the machine 'leaks' beyond the service centre should we have been so negligent as to send any there in the first place.   Would we have overlooked this without Component Security Certification there to remind us?  Possibly not.  As to environment, if you have three phase power do you know which circuit is supplying power to your servers and what is to stop electricians turning them off without warning you?  Do you know whether there are any sewer or water mains in the ceiling above your computer room?  A formal certification process should lead you through consideration of all of these things.

Finally, getting back to the System User Certification.  Perhaps there is some value we can add to that process after all.  If you consider granting access as a process of certification, are you reminded that there may be cases where grant of access should depend upon the person being able to demonstrate competence at some level, or have some qualification.  If you have a computer system that has significant health or financial consequences, should you 'let people loose' on it without going through a formal process of training and subsequent certification of their competence.  Just a thought... and that is the primary aim of Certification, to suggest to people to 'stop and think for a moment' about what's happening around them.

January 18, 2006 |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8341f725753ef00d835253c4253ef

Listed below are links to weblogs that reference Component Security Certification: System User Certification:

Comments

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

My Photo

About

Skeptic meets Cynic

Recent Posts

Categories

Blog powered by TypePad

Legal Notices


  • The following terms and conditions apply to your use of this web site. By accessing, browsing, using or downloading materials from this web site you agree to follow and be bound by these terms and conditions. I reserve the right to modify or amend the terms and conditions of this agreement without notice at any time and you agree to be bound by such changes. If you do not agree to be bound by these terms and conditions, please do not use this web site or download any materials from it
  • Copyright
    Creative Commons License
    Except as noted below, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.1 Australia License. Copyright materials from other sources that are quoted or referenced in this work, and material added to this work by persons other than the primary author of this work retain their original rights, unaffected by the Creative Commons license that otherwise applies to this work
  • General Disclaimer
    The contents of this site are provided for informational purposes only. This web site is not the authoritative source of information on any matter. All information and opinions are provided "as is" and I do not make any representations, warranties or guarantees, express or implied, regarding the accuracy, completeness, timeliness, non-infringement or merchantability or fitness for any particular purpose or use of any information, opinions, products or services contained in this web site or of any information, opinions, products or services available on web sites that are accessible by links found on this web site. While the information contained on this web site is believed to be accurate, it may include errors or inaccuracies. Your use of this web site is at your own risk. I am under no obligation to monitor this web site and assume no liability or responsibility for content added to this work by other persons, or for content originally authored by me but subsequently changed by other persons without my direct consent. The information, opinions, products and services available on this web site, and the links to other web sites contained in this web site, are made available on the express conditions that no obligation, responsibility or liability, based in contract, tort (including, without limitation, negligence) or otherwise, will be incurred by me for any loss or damage whatsoever, whether incidental, special, indirect, consequential, punitive, exemplary, or for lost profits in connection with, caused by or arising from any delays, inaccuracies, errors or omissions in or infringement by, or from any use of, or reliance on such information, opinions, products or services available on this web site, the links to other web sites contained in this web site or any information, opinions, products or services available on such web sites. I assume no responsibility or liability for any damages to, or viruses that may infect your computer equipment or other property in connection with your access to or use of this web site or your downloading of any data, text, images or other material from this web site.