insecurity
Nov. 16th, 2004 10:14 pm
There is a theory of security that I have never seen stated directly. Yet I see so many people acting on it, and its variations, that I suspect security experts must state it explicitly somewhere. They probably even teach the theory to beginners in the field. In metaphorical terms, I can summarize it as, "The body is safer if the right hand does not know what the left hand is doing. It is safer still if every finger stores information separately, and cannot share information with other fingers."
It makes a certain amount of sense to have a firewall, a substantial barrier between "company information" and everything outside the company. That sort of presumes that everyone the company hires can be trusted with the company's information, which I think is a reasonable first approximation. (If it isn't, isolating information in the department that created it is unlikely to solve the more troubling security problem of untrustworthy employees.) The current setup is just infuriating. I can save files to the server, on my group's directory. But my colleagues who engineer the hardware don't have access to that directory. And the machine that's reserved for QA testing doesn't have access to the directory we arranged for the two groups to share. We have people signing in multiple times, copying files in several places, trying to defeat the security measure.
I'm sure it's possible to arrange it more efficiently, even given the constraint that every finger must pretend not to know what the other fingers are doing. (I'm a little afraid of complaining too loudly and being told I'm being a damn fool for going the long way around, and not using a transfer directory I could get to in fewer than 14 clicks.) But I still think it's a really stupid constraint, and I don't see how it could help security.