8.2 Trust No One: The Highest Security

Some computers contain data so confidential that they should trust no one. This means they should not have a connection to the Internet or even to the organization's normal network, either directly or indirectly. It does not take a rocket scientist to know that highly classified data such as designs for nuclear missiles should never be accessible from the Internet, and the intelligence services follow this policy. Even the Weather Channel gets its weather feeds over a network completely separate from the Internet, and the computers that receive this feed are on a network isolated from the rest of the organization. Other organizations do not realize that they, too, should follow this policy for certain data. The rule of thumb should be:
It is clear that many large databases of confidential data have no business being on the Internet. Some examples of such data include the following:
In many cases, such databases should be on a computer in a locked room with no data access from outside of that room. In some cases, access via a private network not connected to the Internet (except, possibly, via a very carefully evaluated VPN) may be acceptable.
In other cases, very limited access may be acceptable, such as an e-commerce site's database of customer credit card numbers and other data. I describe my technique for doing this in "One-Way Credit Card Data Path for Top Security" on page 302. In essence, the technique is to create a special server as the only service listening on the network. This server will not offer a command to "dump the database"; thus it will be very hard for a cracker to compromise it. This technique can work equally well for other types of data, such as employee data, medical data, etc. For issues that are this important, have your security consultant evaluate your design and implementation.
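To make the intake-only server idea concrete, here is an added example (written for this page, not the book's own code) of a small Python service that accepts STORE records and appends them to a local file, while deliberately implementing no verb that reads data back; the store path, bind address and port are assumptions.

```python
import os
import socketserver

# Assumed store location; the file is created owner-only (mode 0600).
STORE_PATH = "/var/lib/intake/records.log"

def handle_request(line: str, store_path: str = STORE_PATH) -> str:
    """Process one request line.  The only verb is STORE; there is no
    GET, LIST or DUMP, so the service cannot be turned into a read path.
    Returns a short status word and never echoes stored data."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3 or parts[0] != "STORE":
        return "ERR unsupported"        # every read-style verb ends here
    order_id, payload = parts[1], parts[2]
    if (not order_id.isalnum() or not payload
            or len(payload) > 4096 or "\n" in payload):
        return "ERR malformed"
    # Write-only, append-only descriptor: no O_RDONLY/O_RDWR anywhere.
    fd = os.open(store_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        os.write(fd, f"{order_id} {payload}\n".encode())
    finally:
        os.close(fd)
    return "OK"

class IntakeHandler(socketserver.StreamRequestHandler):
    """One request per connection, then hang up: no session state to abuse."""
    def handle(self):
        raw = self.rfile.readline(8192)
        status = handle_request(raw.decode("utf-8", errors="replace"))
        self.wfile.write((status + "\n").encode())

if __name__ == "__main__":
    # Bind only on the private interface facing the web tier (assumed address),
    # and make sure nothing else on this host listens on the network.
    with socketserver.TCPServer(("10.0.1.5", 4000), IntakeHandler) as srv:
        srv.serve_forever()
```

The point is not the protocol but the absence of any read path: a cracker who fully controls the web server can still only add records, never retrieve them.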