One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 908610
Publication date: 2018-11-20 14:00:00 (viewed: 2018-11-20 16:00:45)
Title: Let's Talk about Segregation of Duties
Text: Segregation of duties is a fundamental information security practice. In simple terms, it means you split important tasks between two or more people. This prevents one person from getting drunk on all the power they wield, and also prevents one person from making a mistake that can have undesired consequences. One of the best examples of segregation of duties can be seen in movies when it comes to launching nuclear missiles. The system relies on two people on opposite sides of the console to put in and turn their keys at the same time. This segregation or separation of duties ensures that one person can’t launch a nuclear missile on their own. Segregation of duties works best when there is a clearly defined function and where there is some physical separation. For example, in a call centre or a banking app, a junior administrator may be able to authorise payments up to $500, but anything above that would need a supervisor’s approval. The junior admin can enter the details and send them off to the supervisor, who can then approve or decline the payment. But in many cases, the broader application can have flaws. In one of my first jobs in IT Security, our team had implemented a process for separating duties whenever a new HSM key (key change ceremony) needed to be loaded. I worked in the team that would have half the password to complete this task, and another team would hold the other half. Much like the end of the film Bulletproof Monk, I even had my half of the password tattooed on my back – I still don’t know what it says to this day. Once a project was underway, it meant I’d have to travel across the country to the data centre with my half of the password in order to change the key with the help of a colleague. The only problem with that is - have you ever worked on a project? It’s never on time - always delayed. And datacenters are COLD!
So here I was, sat in a datacenter with this other guy who was about 50, but was clearly experienced in these projects as he was sitting under a blanket he’d brought, reading his book and munching on some snacks. What’s wrong with this scenario? Other than the fact I didn’t have a blanket or snacks - that we’d travelled from different parts of the country, each with half of a password, only to be sat together for hours, invalidating all the expensive measures taken to segregate the two halves of the password. Even worse, I had no idea what I was doing or how to do it. I was told the documentation was up to date and easy to follow - but documentation being up to date is one of the biggest lies our team told. So, I ended up having to ask my colleague to help me out - which inevitably meant I gave him my half of the password and asked him to enter it… yeah, separation of duties kind of fell apart right there. Having said that, those were simpler times: there was no bring your own device, and there certainly wasn’t anything hosted in the cloud. Many times when organisations adopt cloud apps, they overlook segregating duties, or defining job functions for role-based access control (RBAC). So, it ends up with an all-or-nothing approach, which works fine if all employees are trustworthy and never make a mistake. Unfortunately, it’s all too easy to make a mistake. When a single contractor is able to inadvertently leak the personal details of all employees in the database, one has to consider whether one person should have the power to do that, or if the access sh
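As an added example (not code from the post or from AlienVault), here is how the payment-threshold rule described above can be enforced together with a distinct-approver check, which is the control the HSM anecdote and the all-or-nothing cloud RBAC setup both lack; the user names, the role names and the role assignments are assumptions:

```python
"""Segregation-of-duties check for a payment approval workflow.

Added example, not code from the article. The $500 junior limit is the
article's figure; users, role names and role assignments are constructed.
Policy: a junior admin may authorise up to the limit alone; anything above
needs a second person who holds the supervisor role and who is not the
person that entered the payment.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

JUNIOR_LIMIT = 500  # dollars, from the article's call-centre example

# Constructed role assignments (hypothetical users). A flat "everyone is
# admin" mapping is the all-or-nothing setup the article warns about.
ROLES = {
    "alice": "junior_admin",
    "bob": "junior_admin",
    "carol": "supervisor",
}


@dataclass
class Payment:
    amount: int
    entered_by: str
    approved_by: Optional[str] = None


def authorise(p: Payment) -> Tuple[bool, str]:
    """Return (allowed, reason) for a payment under the SoD policy."""
    if p.entered_by not in ROLES:
        return False, "unknown entering user"
    # Small payments: the entering junior admin may authorise alone.
    if p.amount <= JUNIOR_LIMIT:
        return True, "within junior limit"
    # Larger payments: a second, distinct person with the supervisor role.
    if p.approved_by is None:
        return False, "supervisor approval required above limit"
    if p.approved_by == p.entered_by:
        return False, "entering user cannot approve their own payment"
    if ROLES.get(p.approved_by) != "supervisor":
        return False, "approver lacks supervisor role"
    return True, "approved by distinct supervisor"


if __name__ == "__main__":
    for pay in (Payment(300, "alice"), Payment(800, "alice"),
                Payment(800, "alice", "bob"), Payment(800, "alice", "carol")):
        print(pay, "->", authorise(pay))
```

Note that the same-person check also stops a supervisor from approving a large payment they entered themselves, which is the case a role check alone would miss.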
Sent: Yes
The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.