And, not quite finally, the last "A" in IAAA: accountability.
Accountability is not just a matter of accounting, although the two are related when it comes to auditing and investigation. Nor is it just about who is going to be held to account, or who is going to be fired because something went wrong. As we all know, the person who gets fired is very often not the person who is actually responsible for what went wrong. (That is a political statement, though, and not necessarily something that ordinary folk need to know about in terms of their security.)
Accountability, in terms of information security, is about who did what, and sometimes even *what* did what. It means making sure that our systems, and we ourselves, keep track of, and keep records of, who did what, so that if something goes wrong we can work out what actually happened, who caused which parts of it, and what we need to do to prevent it from happening again. Yes, sometimes the record identifies someone who did something contrary to policy, and that is what caused the problem. Just as often, though, the record is important because it shows that there *wasn't* any policy or any tool that would have prevented the bad thing from happening. In that case the point is not to fire the person who did something wrong, but to look at our situation again, and at our security system as a whole, and make sure that we do have the proper policies and tools to address the things that can go wrong, and to *prevent* them from going wrong.
Accountability, in technical terms, is primarily about systems: using the identification that is recorded with each action to determine who, or what system, performed it. That is the information we need in order to reconstruct what actually happened, and whether what people did in the normal course of their work caused the problem we see.
Our systems need to track this, and this is why identification, authentication, authorisation and accountability are done together, as IAAA, in access control. Everything is based on, and centred on, the identification: who performed some action, who did what, or, as I say, sometimes *what* did what. The identification is the key to both authorisation and accountability. As we noted before, to have a proper system and a real grasp of what happened and why, we have to verify the identification by authentication; but authentication is done on the basis of the identification. The authorisation, that is, what the different entities are allowed to do, and the rights and permissions they have, is also based on the identification. And it is all topped off with accountability: are we, in fact, able to track everything an entity did, and to tie every action that was taken back to who took it?
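The IAAA sequence just described, as an added example in Python (this is illustration code, not anything from the original post): identification is claimed, authentication verifies it, authorisation is looked up by it, and accountability writes every attempt, denials included, into a record tied to that identification. The principals (alice, backup-svc, mallory), their credentials, the resource payroll.csv and the permissions are all constructed for the demonstration. The same block also covers the later point about knowing where to find the accountability information: who_did_what is the investigation view over the record, and the service account shows "what did what" alongside "who did what".

```python
# Added illustration of an IAAA access-control flow with an accountability record.
# Not code from the original post; every principal, credential, resource and
# permission below is constructed for the example.
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

USERS = {}   # identification -> (salt, password hash, kind); kind is "user" or "service"
ACL = {}     # resource -> {identification: set of permitted actions}
AUDIT = []   # append-only accountability record: one entry per attempted action


def _hash(password: str, salt: bytes) -> bytes:
    # Credentials are stored salted and hashed, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(ident: str, password: str, kind: str = "user") -> None:
    salt = secrets.token_bytes(16)
    USERS[ident] = (salt, _hash(password, salt), kind)


def authenticate(ident: str, password: str) -> bool:
    # Authentication verifies the claimed identification; unknown identities fail closed.
    record_ = USERS.get(ident)
    if record_ is None:
        return False
    salt, stored, _ = record_
    return hmac.compare_digest(stored, _hash(password, salt))


def authorise(ident: str, action: str, resource: str) -> bool:
    # Authorisation is looked up by identification; anything not granted is denied.
    return action in ACL.get(resource, {}).get(ident, set())


def record(ident: str, action: str, resource: str, outcome: str, reason: str) -> dict:
    # Accountability: every attempt is written down, tied to the identification that
    # claimed it, so "who did what" (or "what did what") can be answered later.
    if not ident:
        raise ValueError("an action without an identification cannot be accounted for")
    kind = USERS[ident][2] if ident in USERS else "unknown"
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "who": ident, "kind": kind, "action": action,
        "resource": resource, "outcome": outcome, "reason": reason,
    }
    AUDIT.append(entry)
    return entry


def perform(ident: str, password: str, action: str, resource: str) -> bool:
    # The access-control decision, with the four steps in order.
    if not authenticate(ident, password):
        record(ident, action, resource, "denied", "authentication failed")
        return False
    if not authorise(ident, action, resource):
        record(ident, action, resource, "denied", "not authorised")
        return False
    record(ident, action, resource, "allowed", "")
    return True


def who_did_what(resource: Optional[str] = None, who: Optional[str] = None) -> list:
    # The investigation view: filter the accountability record by resource and/or identity.
    return [e for e in AUDIT
            if (resource is None or e["resource"] == resource)
            and (who is None or e["who"] == who)]


def seed_demo() -> None:
    # Constructed sample principals and permissions (assumptions for the example).
    USERS.clear(); ACL.clear(); AUDIT.clear()
    register("alice", "correct horse battery staple")
    register("backup-svc", "svc-token-7f3a", kind="service")   # a "what", not a "who"
    ACL["payroll.csv"] = {"alice": {"read"}, "backup-svc": {"read"}}


if __name__ == "__main__":
    seed_demo()
    perform("alice", "wrong password", "read", "payroll.csv")                 # denied: authentication
    perform("alice", "correct horse battery staple", "read", "payroll.csv")   # allowed
    perform("alice", "correct horse battery staple", "write", "payroll.csv")  # denied: authorisation
    perform("backup-svc", "svc-token-7f3a", "read", "payroll.csv")            # allowed, kind=service
    perform("mallory", "anything", "read", "payroll.csv")                     # denied: unknown identity
    for e in who_did_what(resource="payroll.csv"):
        print(f'{e["ts"]} {e["kind"]:<8} {e["who"]:<11} {e["action"]:<6} {e["outcome"]:<8} {e["reason"]}')
```

Two design points worth noticing. Denied attempts are recorded as carefully as allowed ones, because the failed attempts are usually what an investigation needs most. And the record refuses to accept an action with no identification at all: an entry that cannot be tied to a who or a what is exactly the gap that makes accountability impossible afterwards.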
In the case of this scandal, we are pretty well all certain that the people who actually created the problem will never be held accountable. Nobody is going to discipline them and nobody is going to restrict their actions. So, we can pretty much guarantee that similar problems are going to happen in the future. There isn't any punishment. There isn't any negative reinforcement for this careless behaviour. Therefore, the behaviour will continue.
However, if you are not the lackey of a dictator who wants to take over large parts of the world (and doesn't want to have anyone around to say he can't do it), what does all of this mean to you, as an ordinary person, in regard to your own security?
Well, the first thing it means is that there are reasons for identification, authentication, authorisation and accountability. If you want to know what actually happens with your systems, and why they don't work the way you thought they were supposed to, you have to know where to find the accountability information, which usually means the logs and records your systems keep. It is there for a purpose. It is not there to prevent you from getting your work done, so don't keep looking for ways to turn it off or avoid it, and don't try to fool it. It is there to help you; don't hurt yourself by turning it off.
I was dictating this to myself as I was walking home from the hospital. I stopped in to get breakfast (even though it was afternoon, because I had been at the hospital for an emergency call-out for a vigil this morning). The manager apologized for having all kinds of management papers spread over the booth. He noted that they were about to have an audit, and so he was making sure that everything was up to date and being handled properly. That is part of management, and it's good to know that he was keeping an eye on things. In reality, of course, while special attention may be paid to these things when you are facing an audit, you should be doing them all the time. (After all, that's why audits exist in the first place: to impress upon you the need to pay attention to all the details.) This is why we want accountability: we need to make sure that we are doing things properly. In the corporate world we have auditors because we need somebody *else* to look at what we're doing. In the small business world, we can't always afford to have somebody come and audit us, which is why it is so important to do our own auditing and to make sure of our own accountability. In an informal situation, where nobody is imposing an audit on us, it becomes more important, not less, that we build accountability into whatever it is that we are doing.
Next: "Security for ordinary folks": Lessons from Signalgate - 7 - Is doing that really worth it?