Security

Why the ‘two-man rule’ is only the beginning

Eric Chiu

In the raging debate over the data breach at the National Security Agency, here’s a nugget that deserves more attention than it has received: The NSA'a director, Gen. Keith Alexander, recently instituted a two-man rule to limit the previously unfettered access of the 1,000-plus systems administrators who work for the agency. It ensures that no single person can gain access to confidential, sensitive and often top secret data.

This is a great first step toward reining in the access, and resulting power, of IT administrators. Still, it’s no more than a step. The whole situation should instead serve as a wake-up call for government organizations and corporations that have had their heads in the sand.

Here’s the insider threat issue in a nutshell: Administrative accounts provide godlike privileges over the entire infrastructure, including systems, applications and data -- anything that’s managed by systems administrators. Through the cloud, infrastructure administrators can access and make copies of every virtual machine at an organization, and can delete and destroy a private cloud in a matter of minutes.

But because most organizations look at security from the outside in, they put up strong perimeter controls to keep bad guys out but do very little or nothing to lock down internal systems.

That has to change. Not only are insiders and systems administrators a very real threat, but external attackers can use sophisticated advanced persistent threats to steal employee credentials and privileges and gain access to carry out and escalate attacks.

Again, the two-man rule is a good idea. It is conceptually the same security mechanism that prevents a single person from launching a nuclear missile. (Remember Denzel Washington and Gene Hackman in “Crimson Tide”?) The two-man rule enforces oversight so that a rogue administrator cannot access confidential information or otherwise create havoc. Every government organization and corporation should have something like this in place as a matter of protocol.

However, the two-man rule should also be part of a larger set of policies and access controls to ensure least-privileged access (through which employees are able to perform only those operations that are part of their normal job duties) and need-to-know access (under which they are able to manage and access only the resources they’re responsible for).

To do this right, security policies need to be lightweight and not cumbersome; otherwise, they won’t be followed. For example, policies should be enforced transparently, and workflow for secondary approval as part of the two-man rule should be automated.

For the record, this isn’t nearly enough. Most important, organizations need continuous role-based monitoring and alerting to remain aware of what administrators are doing. Having an unobstructed view of the enterprise, which this methodology enables, is the best way to let administrators do their jobs while retaining the ability to head off rogue actions.

About the Author

Eric Chiu is president of HyTrust. He has also served in executive roles at Cemaphore Systems and MailFrontier, and was a venture capitalist at Brentwood (now Redpoint) and Pinnacle. He is a published author on topics related to cloud and virtualization issues, and speaks at industry forums throughout the world.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Tue, Jul 9, 2013 earth

Given that, many “external” threats are attempts to get an “insider” to act as an unknowing proxy, fishing to get an insider to click a link behind the firewall for instance; this could be expanded to every operation. Of course, if you then sequester half of the pair at any one time, you could block all external and internal threats. Just kidding.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group