Unix security additions

Brian Thomson thomson at hub.toronto.edu
Fri Apr 26 02:29:21 AEST 1991


In article <QRXAL18 at xds13.ferranti.com> peter at ficc.ferranti.com (Peter da Silva) writes:
>In article <1991Apr12.101319.8523 at jarvis.csri.toronto.edu> thomson at hub.toronto.edu (Brian Thomson) writes:
>
>> You don't get a secure installation by buying a secure machine and
>> putting it in a location where a user can tamper with its backup tapes.
>
>We're not talking about random users here. We're talking about the regular
>backup operators.
>
>> Of course secure systems require physical safeguards!
>
>Of course, but who watches the people who work behind those safeguards?

That depends.

Maybe no-one does - that is the situation at many machine rooms in
this university.

The other extreme is that the operators are watched by security staff.  
Closely.  I mean guards at the doors to make sure that tapes move only between
the archive and the IO room (and certainly not out of the building!),
and they are signed in and out when that happens.  It is also prudent
to divide up duties, so that the person who mounts and dismounts tapes
is not the same person who uses them (i.e. does not have an account that
is privileged to use tapes).

If you feel that the first situation is too lax, or the second too strict,
you have missed the point.  It is in every case a question of cost versus
benefit, and the "benefit" is really the absence of the damage that might be
suffered.  At the university, the possible damage is not great, and we
don't feel that intruders would be highly motivated, so low-cost security
measures are expected to be adequate.  This means we trust our operators
quite a bit, but not because of their exemplary character; rather, because
the overall risk is not high.  Banks, however, don't give the keys to the
vault to any individual - two or three simultaneous keys, given to different
people, is more like it - because the temptation is too strong and the
potential loss too great.

So, in the case of this hypothetical installation, what are the risks?
How inviting a target are you?  If you are not happy with the present
procedures, separation of duty is potent medicine, but it will probably
interfere with productivity and may even require hiring new staff.
Those are part of the cost - that you must balance against the benefit.

-- 
		    Brian Thomson,	    CSRI Univ. of Toronto
		    utcsri!uthub!thomson, thomson at hub.toronto.edu
