A bright light was finally shone on some odd questions and conversations I had been hearing lately. The questions were about how administrators and super users could have super privileges and yet not have the ability to do everything on their own. Sort of like giving Lois Lane kryptonite to make sure she can get Clark Kent to take out the garbage. Today I heard the story of Terry Childs (refreshed this link).
The highlights of the case are that Terry Childs was the network administrator, and apparently the only one, for the city of San Francisco’s new network. Something happened that is not quite clear, and he did not, or was not able to, provide the only password to the network. Because of this he has spent over a year in prison. There are several articles out there that tell each side of the story, but that’s not what got my interest. A conversation on the topic proceeded for the next fifteen minutes and evolved into how this will make things harder in the IT world.
The discussion was around how you ensure that a single person is not able to control a vital system. The feeling was that all systems would need to be changed and a new infrastructure put in place to ensure that no single person would be the weakest link. Please note that the situation doesn’t need to be malicious. As a former boss used to say, beware of the truck with your name on it. Simply choosing an upstanding individual to be the only password holder doesn’t mean they can’t have an accident. I listened patiently and after several minutes finally gave my solution. Everyone at the table was astounded by how simple it was.
It all starts with how banks manage vaults. Contrary to what you see in the movies, the bank manager does not have the combination to the vault. It’s shared. It’s a two-person commit, like the two keys to the silo in the old 1980s World War III movies. Several individuals are assigned the first half. Then several others are assigned the second half. It takes two to open the vault. In my IT model it takes four individuals and possibly one line of code.
Any typical password change screen requires the new password to be entered twice, the second time to ensure that it was typed correctly. It is this fact that makes my procedure so easy to use.
- Start with four individuals (Alice, Bob, Carlos and Delilah).
- Put them in two groups (first half is Alice and Bob while the second half is Carlos and Delilah).
- Each team confers on a secret code, using mixed case, numbers, letters and symbols. Further security could be achieved with a random value generator, but I question whether that would result in the value being written down on paper.
- Then, in the new password field, Alice enters the first-half value and Carlos the second-half value.
- Next, in the confirm new password field, Bob enters the first-half value and Delilah the second-half value.
Now you’re done. Note that the confirm field only checks the combined value, so if the two entries don’t match you know that one pair disagrees on its half, but not which pair, and both teams re-enter. In case you are wondering why not have only two individuals: the second pair ensures you don’t lose half of the password, which would put you right back in the same boat.
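The procedure above, modelled in code as an added example (it is not from the original post and not a description of any real system). It assumes a screen that concatenates what the two typists put into each field, a hypothetical minimum length per half so that neither team can effectively hold the whole password on its own, and PBKDF2-SHA256 as the stored hash; all of those are this example’s choices, not the post’s.

```python
import hashlib
import hmac
import os

# Constructed example of the split-knowledge password change described above.
# Half A is known to Alice and Bob, half B to Carlos and Delilah. Function and
# parameter names, the length policy and the hash choice are assumptions.

MIN_HALF_LEN = 8         # assumed policy: a half shorter than this lets one team own the password
PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored hash


def combine_halves(half_a: str, half_b: str) -> str:
    """Join the two halves exactly as the password field would receive them."""
    return half_a + half_b


def set_shared_password(new_half_a: str, new_half_b: str,
                        confirm_half_a: str, confirm_half_b: str,
                        salt: bytes = None) -> tuple:
    """
    "New password" field: Alice types new_half_a, Carlos types new_half_b.
    "Confirm new password" field: Bob types confirm_half_a, Delilah types confirm_half_b.
    Returns (salt, digest) on success, raises ValueError otherwise.
    """
    for label, half in (("A", new_half_a), ("B", new_half_b)):
        if len(half) < MIN_HALF_LEN:
            raise ValueError(f"half {label} is shorter than {MIN_HALF_LEN} characters")

    new = combine_halves(new_half_a, new_half_b).encode()
    confirm = combine_halves(confirm_half_a, confirm_half_b).encode()

    # The confirm field only proves the *combined* values agree; a mismatch tells
    # you one pair disagrees, not which one. compare_digest keeps the comparison
    # from leaking how many leading bytes matched.
    if not hmac.compare_digest(new, confirm):
        raise ValueError("confirmation mismatch: the holders of one half disagree")

    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new, salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_shared_password(salt: bytes, digest: bytes, half_a: str, half_b: str) -> bool:
    """Later login: one holder of each half types their part into the same field."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", combine_halves(half_a, half_b).encode(), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample halves; the values are illustrative only.
    salt, digest = set_shared_password("Alpha-1st!", "Charlie-2nd#",
                                       "Alpha-1st!", "Charlie-2nd#")
    print("both halves:", verify_shared_password(salt, digest, "Alpha-1st!", "Charlie-2nd#"))
    print("half A alone:", verify_shared_password(salt, digest, "Alpha-1st!", ""))
```

The two checks worth noticing are the per-half minimum length (without it, a one-character second half makes the first team the sole password holder) and the fact that the confirmation step is the only thing verifying that Bob’s memory of half A matches Alice’s.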
But now I left the table with my own question. Why do we feel the need to solve every computer problem with a digital answer?
2/11/16 – While updating the broken link above, a slight clarification came to mind on the need for four individuals. In the scenario above, one person on each half should be a manager or higher. You don’t need everyone involved to understand “what” needs to be done, but they do need to know “why” it needs to be done. Also, by keeping both halves in separate hands, you avoid any one individual going rogue.
A couple of things come to mind.
1) For major companies – all sys admins should be bonded. You will never completely prevent unscrupulous behavior but you can mitigate the risk both technically and financially.
2) Knee-jerk reactions to fear of sys admin hijinks can cripple an IT organization. As you said, Marko, added security comes by including more people in the process, and that is not without cost and workload. It may not seem like much work, but too many of our systems, particularly in legacy and networking, are highly dependent upon rights that exceed reason. Changing them all is REALLY expensive. Too often policies are implemented to mitigate the risk without understanding the human cost and quality of life for the group of people that literally hold the keys to your kingdom.
Great point on bonding. You don’t need to bond everyone but at least those managing critical systems. Background checks can help as well.
But I’m not sure that the resolution needs to be expensive. In my example, for instance, that second person could simply be a manager, and this would mean that the administrator would need to contact his supervisor to get into the system. The supervisor should need to know why that person needs to get in. Once the task is done, the supervisor should review an audit trail or system log to make sure that the administrator performed the tasks they stated. The fact that the administrator only has half a key ensures that he can’t change the password without the supervisor, and the second administrator (half) should allow what was unintentionally done to be undone.
But in the end it is the human element. You really need to know who you have working for you. And life creates changes. What a person is today is not who they are tomorrow. The more isolated individuals are from their work, the harder it is to see those life changes.
We’ve all seen the news stories. It’s the inside job that’s always the biggest surprise. But there’s always one interview with that “friend/coworker” where they say something like, “Well, you know, I was worried she might do something like this.” Just once I’d like the interviewer to reply, “And you decided not to say anything because?”