A bright light was finally illuminated on some odd questions and conversations I had been hearing lately. These questions were about how administrators and super users could have super privileges and not have the ability to do everything at the same time. Sort of like giving Lois Lane kryptonite to make sure that she can get Clark Kent to take out the garbage. Today I heard the story of Terry Childs (refreshed this link).
The highlights of the case are that Terry Childs was the network administrator, and apparently the only one, for the city of San Francisco’s new network. Something happened that is not quite clear and he did not or was not able to provide the only password to the network. Because of this situation he has spent over a year in prison. Now there are several articles out there that talk about what happened on each side of the story, but that’s not what got my interest. A conversation proceeded for the next fifteen minutes on the topic and evolved into how this will make things harder in the IT world.
The discussion was around how you ensure that a single person is not able to control a vital system. The feeling was that all systems would need to be changed and a new infrastructure put in place to ensure that no single person would be the weakest link. Please note that the situation doesn’t need to be malicious. As a former boss used to say, beware of the truck with your name on it. Simply choosing an upstanding individual to be the only password holder doesn’t mean that they can’t have an accident. I listened patiently and after several minutes I finally gave my solution. Everyone at the table was astounded by how simple it was.
It all starts with how banks manage vaults. Contrary to what you see in the movies, the bank manager does not have the combination to the vault. It’s shared. It’s a two-person commit, like you see in the old ’80s World War Three movies and the keys to the silo. Several individuals are assigned the first half. Then several others are assigned the second half. It takes two to open the vault. In my IT model it takes four individuals and possibly one line of code.
Any typical password change screen requires a password to be entered twice. The second entry is there to ensure that the password was typed correctly. It is this fact that makes my procedure so easy to use.
- Start with four individuals (Alice, Bob, Carlos and Delilah).
- Put them in two groups (first half is Alice and Bob while the second half is Carlos and Delilah).
- Each team confers on a secret code, using mixed case, numbers, letters, and symbols. Further security could be achieved by a random value generator, but I question whether this would result in the value being written down on paper.
- Then in the new password field, Alice enters the first half value and Carlos the second half value.
- Next in the confirm new password field, Bob enters the first half value and Delilah the second half.
Now you’re done. In case you are wondering why not have only two individuals: the second pair ensures you don’t lose half of the password, which would put you in the same boat.
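To make the ceremony’s rules explicit, here is an added Python sketch (not from the post) of a password-change handler that enforces them: the roster, the field layout as `{half: (person, value)}`, and the choice to keep only a salted PBKDF2 digest of the joined password are all assumptions for the example.

```python
import hashlib
import secrets

# Constructed roster for the example: each person is assigned to exactly one half.
GROUPS = {"first": {"Alice", "Bob"}, "second": {"Carlos", "Delilah"}}
HALVES = ("first", "second")

class SplitEntryError(ValueError):
    """The split-knowledge ceremony rules were violated."""

def _check_field(entries, field):
    """One form field is {half: (person, value)}: both halves must be present,
    each typed by someone assigned to that half, and by two different people."""
    if set(entries) != set(HALVES):
        raise SplitEntryError(f"{field}: both halves are required")
    for half in HALVES:
        person = entries[half][0]
        if person not in GROUPS[half]:
            raise SplitEntryError(f"{field}: {person} is not assigned to the {half} half")
    # Guards against a roster where one person ends up in both groups.
    if entries["first"][0] == entries["second"][0]:
        raise SplitEntryError(f"{field}: one person entered both halves")

def set_split_password(new, confirm, salt=None, iterations=200_000):
    """Run the ceremony: 'new' is typed by the first pair, 'confirm' by the second.
    Returns (salt, digest); only the derived digest is kept, never the joined
    password (an assumption about what the system stores, not from the post)."""
    _check_field(new, "new")
    _check_field(confirm, "confirm")
    for half in HALVES:
        if new[half][0] == confirm[half][0]:
            raise SplitEntryError(f"{half} half: same person typed new and confirm")
        if not secrets.compare_digest(new[half][1].encode(), confirm[half][1].encode()):
            # Name the mismatching half so the right pair retries, without echoing values.
            raise SplitEntryError(f"{half} half: new and confirm do not match")
    combined = "".join(new[half][1] for half in HALVES)
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", combined.encode(), salt, iterations)
    return salt, digest

def ceremony_error(new, confirm):
    """Return the rule violated by this attempt, or None if it would succeed."""
    try:
        set_split_password(new, confirm, salt=b"\0" * 16, iterations=1)
    except SplitEntryError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    # Constructed sample entries: Alice/Carlos type 'new', Bob/Delilah type 'confirm'.
    new = {"first": ("Alice", "Tr0ub4dor&"), "second": ("Carlos", "3-Horse$")}
    confirm = {"first": ("Bob", "Tr0ub4dor&"), "second": ("Delilah", "3-Horse$")}
    print(set_split_password(new, confirm)[1].hex())
    print(ceremony_error(new, {**confirm, "first": ("Alice", "Tr0ub4dor&")}))
```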
But now I left the table with my own question. Why do we feel the need to solve every computer problem with a digital answer?
2/11/16 – While updating the broken link above, a slight clarification came to mind on the need for four individuals. In the scenario above one person on each half should be a manager or higher. You really don’t need all the people involved to understand “what” needs to be done, but they do need to know “why” it needs to be done. Also, by keeping both halves in separate hands, you avoid any one individual going rogue.