A good security practitioner of the Rule of Trust is one who is a friend to everyone but really trusts no one. Since saying we don't trust someone or something often has negative overtones, let's be more politically correct and simply say, "Anything can happen." Sure, Mel has been a faithful employee for 20 years and helps find orphaned kittens new homes during the winter holidays. This does not mean we should give him the combination to our safe, or let him enter the computer room without signing in with security. The fact is that anything can and will happen. Mel could suffer a breakdown and decide to erase all our customer data. Mel may also be harboring a secret grudge against the manager of Human Resources because the guy hates cats. The truth is, you just never know.

Concept

Understand the full effects before extending trust to anyone or anything, and trust only what is actually required (the Rule of Least Privilege). "Trust" is an extremely strong word, and trust carelessly granted can have drastic effects on an organization. In security, giving someone or something complete trust means putting a great deal of power in their hands. Once someone is "trusted," he or she can get away with almost anything: if no one is checking up on that person, the rules no longer apply in practice. This is a very dangerous situation.

Security policies should therefore be built around layered trust. To perform a job function, the company must have some level of trust in each employee, but that level should differ according to the individual's role and the access that role genuinely needs. In keeping with the Rule of Least Privilege, no one should get access unless that person needs it and can handle it. Feelings of personal trust, friendliness, or lack of suspicion should never alter basic security practices. All individuals and groups should be treated equally according to the Rule of Least Privilege.
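The layered-trust idea above (trust attached to a role rather than to a person, nothing granted unless explicitly needed, and someone checking up on every use) can be made concrete in code. The following is an added example written for this page, not code from the original text: a deny-by-default authorizer whose grants are keyed by role, whose partner accounts carry a hard expiry, and whose every decision lands in an audit log a reviewer can inspect. All role, principal and resource names (Mel, "dba", "customer_db", "vendor-tech") are constructed for illustration.

```python
"""Deny-by-default authorization with layered, role-based trust and an
audit trail. Added example for the Rule of Trust; not code from the
original text. Every role, principal and resource name is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Trust is attached to the role, never to the person. Each role names the
# exact (resource, action) pairs it needs; anything not listed is denied.
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "dba":     {("customer_db", "read"), ("customer_db", "write")},
    "support": {("customer_db", "read"), ("ticket_system", "write")},
    "hr":      {("hr_records", "read"), ("hr_records", "write")},
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]
    # Outside parties (partners, vendors) get a hard expiry; staff get None.
    expires: Optional[datetime] = None


@dataclass
class Decision:
    principal: str
    resource: str
    action: str
    allowed: bool
    reason: str
    at: datetime


# Every decision, allowed or denied, is recorded so that someone other than
# the requester can check up on what was attempted.
AUDIT_LOG: List[Decision] = []


def authorize(p: Principal, resource: str, action: str,
              now: Optional[datetime] = None) -> bool:
    """Return True only if some role of p explicitly grants (resource, action)
    and p's access window (if any) is still open. The default is deny."""
    now = now or datetime.now(timezone.utc)
    allowed, reason = False, "no role grants this resource/action"
    if p.expires is not None and now >= p.expires:
        reason = "access window expired"
    else:
        for role in sorted(p.roles):
            if (resource, action) in ROLE_GRANTS.get(role, set()):
                allowed, reason = True, "granted via role '%s'" % role
                break
    AUDIT_LOG.append(Decision(p.name, resource, action, allowed, reason, now))
    return allowed


def partner(name: str, roles: FrozenSet[str], hours: int,
            now: datetime) -> Principal:
    """Create a time-boxed principal for a partner or vendor account."""
    return Principal(name, roles, expires=now + timedelta(hours=hours))


def denials_for(name: str) -> List[Decision]:
    """What a reviewer pulls first: every denied attempt by one principal."""
    return [d for d in AUDIT_LOG if d.principal == name and not d.allowed]


def run_scenario() -> dict:
    """Exercise the policy with constructed principals and return the results."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    mel = Principal("mel", frozenset({"dba"}))          # the 20-year employee
    vendor = partner("vendor-tech", frozenset({"dba"}), hours=4, now=t0)
    exec_ = Principal("ceo", frozenset({"executive"}))  # role with no grants
    return {
        "mel_writes_customer_db": authorize(mel, "customer_db", "write", t0),
        "mel_reads_hr_records": authorize(mel, "hr_records", "read", t0),
        "vendor_in_window": authorize(vendor, "customer_db", "read",
                                      t0 + timedelta(hours=1)),
        "vendor_after_window": authorize(vendor, "customer_db", "read",
                                         t0 + timedelta(hours=5)),
        "unknown_role": authorize(exec_, "customer_db", "read", t0),
        "mel_denials": len(denials_for("mel")),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Two design choices carry the rule: an unknown or unlisted role yields a denial rather than an error, so a misconfigured principal fails closed, and the audit log records denials as well as grants, because a pattern of denied attempts by a long-trusted account is exactly the signal that "checking up" is meant to catch.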
We need to be especially careful when trusting partners, vendors, and any other entity that operates systems, networks, or physical areas outside our immediate control. Sure, it may be a giant company with great security, but unless we control who touches their systems, and unless we are in direct control of hiring and firing their personnel, we really don't know who we are dealing with. Their best employee could let his or her son use a workstation to do homework and, the next thing we know, all our e-commerce servers are hosting the latest version of Quake.

Practicing This Rule

To practice this rule within your organization, simply remember that anyone can be the enemy, even you. This is not intended to incite paranoia, but honestly, the best hackers do not dress in torn-up jeans and wear anti-government slogans on pizza-stained t-shirts. Humans are complicated beings with complex minds; knowing everyone's motives and how they would react in any situation is beyond our capabilities. So always remember:
Seven Key Considerations Before Extending Trust to Any Object or Entity