9 Protection and Inherent Reliability
48 Multi-layered access restriction
Example: A typical building used by a large company has a special room for the most important computer systems, with powerful air conditioning and other protective features, and a locked door. Only a few people have access to that room and to certain computer consoles with very special access. Beyond the computer room lie offices for employees of the company, and getting into these offices means passing a security barrier. Elsewhere is an area of meeting rooms that has more visitors from outside. Getting into the building at all involves passing from the public part of the reception area to the private part via another security barrier. These physical barriers are complemented by barriers in accessing computer systems, even when this is done remotely via networks.
MULTI-LAYERED ACCESS RESTRICTION should always be attempted in some form and in large organizations should be carried through rigorously and in detail.
Access must be restricted but some people need access in their work.
Restricting access to data and assets requires a multi-layered approach in two senses:
1. the journey from the outside world to a precious asset involves moving past several natural barriers; and
2. multiple control mechanisms are usually used at each of these barriers.
The idea of multiple barriers is familiar. If we imagine moving from outside an organization to some precious data inside it, the objective of protection by access restriction is to minimize the number of people who have access beyond each barrier, without undue inconvenience to people with a legitimate need for access.
The number of people with access will usually get smaller as we pass through the following stages:
• Access to the organization’s computer network(s) from outside.
• Access to the building and to the room where the computer is kept. (Computer rooms usually have very limited access.)
• Sitting at a terminal or personal computer.
• Getting the terminal or personal computer switched on.
• Logging onto the terminal or personal computer.
• Access to the corporate network from an internal computer.
• Access to sections of the corporate network.
• Access to particular servers on the network.
• Access to particular software applications.
• Access to particular data files on a server.
• Access to particular data records and functionality within a software application.
In the interests of efficiency a controls designer may choose to impose no additional access restriction at some of these stages, but the implications of doing so should be understood: every stage that is left open makes the next barrier the first real one, and the population that can reach it is correspondingly larger.
Computer security is an interesting but complex area with a lot of abstract jargon. To understand the idea of multiple control techniques at each barrier I think it helps to approach it from a more familiar and tangible point of view. Imagine you have a collection of valuable gold coins with historical value – treasure in fact – and keep them in your home. How could you secure the coins?
• Make it hard to steal the coins.
  - Hide the fact that the coins exist and are in your home.
  - Hide your home or, more sensibly, hide the coins.
  - Keep the coins in a locked strong box, in a built-in safe, in a locked room, and keep the doors and windows of the house locked whenever possible.
  - Have strong locks and strong doors, windows, and walls.
  - Have as few copies of keys as possible.
  - Entrust keys to as few people as possible and choose those people carefully.
  - Have an alarm system installed that is sensitive to movement, body heat, and opening doors and windows.
  - Supervise legitimate visitors at all times.
• Make it hard to get away with it.
  - Use recorded CCTV at all times so that it is harder for someone to break in and get away without being identified.
  - Put an exploding paint bomb in the strongbox so that anyone opening the box will be marked.
  - Hide among the coins a radio device that will allow the collection to be tracked if stolen.
  - Mark every coin with invisible identification chemicals.
  - Have a record of every coin in the collection and store it, hidden, separately from the coins themselves. Be ready to make this list available to the police immediately a theft occurs.
• Make it hard to profit from theft.
  - Separate the collection into two or three parts and store each separately, dividing the coins in such a way that sets of coins that are more valuable together are stored apart.
  - Have the coins etched with a tiny mark that identifies them as your property.
All these physical techniques have computer equivalents. An effective control system needs to use at least a handful of them at each level of access: controls that make entry hard (authentication, encryption, network segmentation), controls that make it hard to get away with it (logging, monitoring, alerting), and controls that make it hard to profit (splitting sensitive data so that no single breach yields the whole).
For example, a lot of emphasis is placed on passwords (rightly) but there are disappointing limits to their effectiveness. The more you encourage people to use passwords that are hard to guess and change them frequently the more often people will write them down, making them easier to discover.
One way to think about password strength is to calculate the maximum rate of password guessing that would be possible for a cracker who knew the rules. For example, suppose that a password barrier is set up so that users are locked out for 24 hours if they enter an incorrect password three consecutive times in a 60-minute period, and there are 25 user profiles that are set up but no longer used. The system allows a person to log on only once and will report attempts to log on twice, so guessing against a profile that is in use risks being noticed.
In this situation a cracker’s best approach is to guess twice an hour on each of the 25 unused profiles: two wrong guesses stay one short of the three that trigger lockout, and nobody is watching those profiles. The maximum guessing rate is 50 guesses per hour – during working hours at least.
On this basis most ordinary business security arrangements that I have seen allow guessing at surprisingly high rates. If you do an audit test by running a suitable cracker’s dictionary file against a password file you can find out how many guesses it takes to crack each password in the file, and so estimate how long it would take to break in at the guessing rate the lockout rules allow.
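The calculation above, carried through as an added example (this is illustrative code, not something from the book): the first function gives the maximum guessing rate a cracker who knows the lockout rule can sustain, and the second runs a dictionary against a password file and reports how many guesses each account took. The password file, salts, dictionary and the use of plain salted SHA-256 as the stored-hash function are all constructed assumptions for the example; a real system would use a slow password hash, but the audit logic is the same.

```python
import hashlib


def max_online_guess_rate(profiles, lockout_threshold, window_hours=1.0):
    """Guesses per hour a cracker who knows the lockout rule can make without
    ever triggering it: (threshold - 1) wrong attempts per window on each
    profile that nobody is using, so nobody notices the failures."""
    return profiles * (lockout_threshold - 1) / window_hours


def hours_to_crack(guesses_needed, guesses_per_hour):
    """Time to reach a password that sits at position guesses_needed in the
    cracker's dictionary, at the given sustained guessing rate."""
    return guesses_needed / guesses_per_hour


def hash_password(salt, password):
    # Stand-in for the password file's own hash function (assumption for the
    # example). A real system uses a slow, salted scheme; the audit is identical.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def audit_password_file(password_file, dictionary):
    """Run a cracker's dictionary against every entry in the file.
    Returns {user: number of guesses needed}, with None where the dictionary
    never matched, so the audit itself never reveals the passwords."""
    result = {}
    for user, (salt, stored_hash) in password_file.items():
        result[user] = None
        for guess_no, candidate in enumerate(dictionary, start=1):
            if hash_password(salt, candidate) == stored_hash:
                result[user] = guess_no
                break
    return result


# Constructed sample data: a tiny cracker's dictionary and a three-user
# password file of (salt, hash). None of this comes from a real system.
SAMPLE_DICTIONARY = ["password", "123456", "welcome", "letmein", "summer2019"]
SAMPLE_PASSWORD_FILE = {
    "alice": ("s1", hash_password("s1", "welcome")),
    "bob": ("s2", hash_password("s2", "summer2019")),
    "carol": ("s3", hash_password("s3", "correct horse battery staple")),
}

if __name__ == "__main__":
    # The scenario from the text: three strikes in 60 minutes, 25 unused profiles.
    aggregate = max_online_guess_rate(profiles=25, lockout_threshold=3)
    print("maximum aggregate guessing rate:", aggregate, "per hour")
    # Against any single profile the cracker is limited to threshold - 1 per window.
    per_profile = max_online_guess_rate(profiles=1, lockout_threshold=3)
    for user, guesses in audit_password_file(SAMPLE_PASSWORD_FILE, SAMPLE_DICTIONARY).items():
        if guesses is None:
            print(user, "not in the dictionary")
        else:
            print(user, "falls after", guesses, "guesses, i.e.",
                  hours_to_crack(guesses, per_profile), "hours at", per_profile, "guesses/hour")
```

Note the two different rates: 50 per hour is what the cracker can spend across all 25 profiles, but any one password is attacked at only 2 per hour, so a password three entries deep in the dictionary survives an hour and a half. The audit result is what matters for the lockout design: if most passwords fall within a few hundred guesses, a rule that allows two guesses per profile per hour is not buying much.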
Another common weakness is to focus on passwords but not monitor for attempted and successful break-ins. In effect, this is focusing on making theft hard but forgetting to make it hard for the thief to get away with it.
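As an added example of the monitoring the text says is often missing (not code from the book), here is detection logic that runs over logon records and catches the cracker's strategy from the earlier scenario from the defender's side. The log format, the account names, the addresses and the dormant-account list are all constructed for the example; the point is that the cracker's two-guesses-per-profile pattern never trips the lockout, so it has to be found by looking across accounts and at profiles nobody should be using.

```python
import re
from collections import defaultdict

# Constructed log format for the example (not any real product's format):
#   <ISO timestamp> <LOGON_OK|LOGON_FAIL> user=<account> src=<address>
# Group 1 keeps only the hour, which is the bucket the lockout window uses.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} (LOGON_OK|LOGON_FAIL) user=(\S+) src=(\S+)$"
)


def parse_logons(lines):
    """Return (hour_bucket, outcome, user, src) for each well-formed line."""
    events = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groups())
    return events


def spraying_sources(events, min_accounts=5):
    """Sources that failed against at least min_accounts distinct accounts in
    one hour: the 'twice an hour on each profile' strategy seen from the other side."""
    targets = defaultdict(set)
    for hour, outcome, user, src in events:
        if outcome == "LOGON_FAIL":
            targets[(src, hour)].add(user)
    return sorted((src, hour, len(users))
                  for (src, hour), users in targets.items() if len(users) >= min_accounts)


def under_threshold_accounts(events, lockout_threshold=3):
    """Accounts that took exactly threshold - 1 failures in an hour and never
    logged on successfully in that hour: just under lockout, with no user
    behind the attempts who eventually got the password right."""
    fails = defaultdict(int)
    succeeded = set()
    for hour, outcome, user, src in events:
        if outcome == "LOGON_FAIL":
            fails[(user, hour)] += 1
        else:
            succeeded.add((user, hour))
    return sorted(key for key, n in fails.items()
                  if n == lockout_threshold - 1 and key not in succeeded)


def dormant_account_probes(events, dormant):
    """Any attempt at all against a profile nobody uses is worth an alert,
    whether or not it failed and whether or not lockout was reached."""
    return sorted((hour, user, src) for hour, outcome, user, src in events if user in dormant)


# Constructed sample log: one legitimate mistyped password (alice), one user
# who needed three tries (bob), and one outside address probing five unused
# profiles twice each in the same hour, exactly as the earlier scenario describes.
SAMPLE_LOG = """\
2024-03-04T09:03:11 LOGON_FAIL user=alice src=10.1.2.3
2024-03-04T09:03:40 LOGON_OK user=alice src=10.1.2.3
2024-03-04T09:12:31 LOGON_FAIL user=svc_old01 src=203.0.113.7
2024-03-04T09:12:33 LOGON_FAIL user=svc_old02 src=203.0.113.7
2024-03-04T09:12:35 LOGON_FAIL user=svc_old03 src=203.0.113.7
2024-03-04T09:12:37 LOGON_FAIL user=svc_old04 src=203.0.113.7
2024-03-04T09:12:39 LOGON_FAIL user=svc_old05 src=203.0.113.7
2024-03-04T09:41:02 LOGON_FAIL user=svc_old01 src=203.0.113.7
2024-03-04T09:41:04 LOGON_FAIL user=svc_old02 src=203.0.113.7
2024-03-04T09:41:06 LOGON_FAIL user=svc_old03 src=203.0.113.7
2024-03-04T09:41:08 LOGON_FAIL user=svc_old04 src=203.0.113.7
2024-03-04T09:41:10 LOGON_FAIL user=svc_old05 src=203.0.113.7
2024-03-04T10:15:00 LOGON_FAIL user=bob src=10.1.2.9
2024-03-04T10:15:30 LOGON_FAIL user=bob src=10.1.2.9
2024-03-04T10:16:02 LOGON_OK user=bob src=10.1.2.9
""".splitlines()
DORMANT_ACCOUNTS = {"svc_old01", "svc_old02", "svc_old03", "svc_old04", "svc_old05"}

if __name__ == "__main__":
    events = parse_logons(SAMPLE_LOG)
    print("spraying sources:", spraying_sources(events))
    print("just-under-lockout accounts:", under_threshold_accounts(events))
    print("dormant account probes:", len(dormant_account_probes(events, DORMANT_ACCOUNTS)))
```

Bob's two failures followed by a success are what a forgotten password looks like and are not reported; the five service profiles with two failures each and no success are. Disabling profiles that are no longer used removes the cracker's safe targets altogether, which is cheaper than any amount of monitoring.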
In summary, MULTI-LAYERED ACCESS RESTRICTION is a way to structure protection controls and stimulates thinking widely about possible combinations of controls.
Therefore:
Design protection to have multiple barriers and use multiple controls at each barrier to get a good balance between security and convenience.
One of the most complex parts of this pattern is to manage the access rights of many individuals and this can be done using SEGREGATION RULES ON ROLES.