Tuesday, July 17, 2007


Most everyone associated with security is familiar with the standard four layer security model. Well, in August of last year Bruce Schneier published a brief update of this on his blog. Dave Piscitello proposed adding another layer. I liked it so much that I typed out the whole list and stuck it on my cube wall so I wouldn't forget it.
  • Admissibility: Is the host device/channel valid and safe?
  • Authentication: Who are you?
  • Authorization: What are you allowed to do?
  • Availability: Is the data accessible?
  • Authenticity: Is the data intact?
Although its on my wall, staring at me for the last year, I hadn't made any connections to it yet. I was thinking of hard wired shielded networks with proprietary connections. And there is plenty of argument about the validity; if its on an open network, and you rely on the machine to tell you everything is fine, that can be spoofed as well. The end result is I was not sure how it would ever apply to me until I looked at it this morning. I spend a lot of my time now designing UI and specifying behaviors for a bundle of fairly restrictive FCC regulations coming online on 12/8. If you don't work for a telecom, this is the fallout from that pretexting stuff last year. One of the components is notification of...everything. Changes, possible spoofing, password resets, etc. It all goes to your contact addresses on file. You get an email, text message, letter or whatever. And for extra security, you have to wait 30 days before a new address can be used (till then, all comms go to the old address). Presumably this gives time to correct an improper reset action by someone hacking in. But the 30 day rule is exempted for wireless devices. Specifically (I have presumed and specified; as its not super-well written) our wireless devices. See, we own the network, head to toe. We have control over the device's access to the network. If you report it stolen, its functionally disabled, immediately. And so on. So, this is a great example of device and network admissability in practice.

No comments: