Laissez-faire Security – A Good Thing

Bruce Schneier wrote today about a paper that describes something it calls laissez-faire security: the idea that tight role-based access control (RBAC) leads to situations where security prevents people from doing what their jobs require, which in turn leads ordinary people to find ways to circumvent (and weaken) that security.

The paper, Laissez-faire Security (by two researchers from Columbia University and two from Microsoft), proposes that rather than tightening things down, one should audit strongly instead. One of the authors, Steven M. Bellovin, is a luminary in the security arena, steeped in the history of the Internet, and one of the founders of Usenet.

Every administrator sees the results of RBAC sooner or later, often through personal experience. SELinux is a perfect example: despite its acknowledged security benefits, it is commonly disabled or left in an “advisory”-only state because of the problems in implementing such a restrictive policy.

From a user perspective, there are numerous examples of people bypassing security in efforts to share data or to utilize tools to get work done.

Laissez-faire Security is about letting users select the appropriate security rules within a framework of policies – which they can ignore (after notification and auditing) – at their own peril. The policy violations can then be handled outside of the computing environment in other ways if needed.
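A minimal sketch of the notify-then-audit model described above, added here as an illustration and not taken from the paper or the original post. The policy table, role names and function names are hypothetical.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample policy: which roles may perform which actions (hypothetical).
POLICY = {"payroll.read": {"hr"}, "payroll.export": {"hr-manager"}}


@dataclass
class AuditLog:
    records: list = field(default_factory=list)

    def write(self, **event):
        # Every decision is recorded, including plain in-policy access.
        event["ts"] = datetime.now(timezone.utc).isoformat()
        self.records.append(json.dumps(event, sort_keys=True))


def request_access(user, roles, action, log, override_reason=None):
    """Return (granted, notice).

    A policy miss is not a hard stop: the user is notified and may proceed
    by stating a reason. The override is always written to the audit log.
    """
    if POLICY.get(action, set()) & set(roles):
        log.write(user=user, action=action, outcome="allowed")
        return True, None
    notice = f"{action} is outside policy for {user}; proceeding will be audited"
    reason = (override_reason or "").strip()
    if not reason:
        # No justification given: warn, record the attempt, do not proceed.
        log.write(user=user, action=action, outcome="warned")
        return False, notice
    log.write(user=user, action=action, outcome="override", reason=reason)
    return True, notice


def overrides_for_review(log):
    """Records a reviewer would follow up on outside the computing environment."""
    return [r for r in map(json.loads, log.records) if r["outcome"] == "override"]
```

The review queue is the part that carries the security weight here: an override that nobody reads is the same as no policy at all.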

The paper compares computer security to an economy, and to the workings of the free-market economy in particular. It is very interesting and worth reading for any security-minded administrator.

One Response to Laissez-faire Security – A Good Thing

  1. Matt Simmons says:

    I think the most obvious argument against this is that it isn’t the users who are in peril in the event of the data being compromised, it is the organization itself. If I do something that permits data loss, sure, I’ll get fired and maybe sued, but that’s at best a punitive measure. No amount of retribution against me will put the horse back in the barn.
