Laissez-faire Security – A Good Thing

Bruce Schneier wrote today about a paper that describes something it calls laissez-faire security: the idea that tight role-based security (RBAC) will lead to situations where the security prevents people from doing what they need to do for their jobs, which subsequently leads to normal people finding ways to circumvent (and weaken) security.

The paper, Laissez-faire Security (by two researchers from Columbia University and two from Microsoft), proposes that rather than tightening things down, one should audit strongly instead. One of the authors, Steven M. Bellovin, is a luminary in the security arena, steeped in the history of the Internet, and one of the founders of Usenet.

The results of RBAC become apparent to every administrator sooner or later, often through personal experience. SELinux is a perfect example: despite its acknowledged security benefits, it is commonly disabled, or left in an “advisory”-only state, because of the problems in implementing such a restrictive policy.

From a user perspective, there are numerous examples of people bypassing security in efforts to share data or to utilize tools to get work done.

Laissez-faire Security is about letting users select the appropriate security rules within a framework of policies – which they can ignore (after notification and auditing) – at their own peril. The policy violations can then be handled outside of the computing environment in other ways if needed.
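
An added illustration of that flow, not code from the paper or from this post: an access check that notifies on a policy mismatch, lets the user proceed with a stated justification, and records every decision for later review. The POLICY table, the function names and the sample requests are assumptions made up for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical policy framework: roles expected to use each resource.
POLICY = {"payroll.xlsx": {"finance"}, "build-server": {"engineering"}}

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, **event):
        event["time"] = datetime.now(timezone.utc).isoformat()
        self.entries.append(event)

    def violations(self):
        """Overrides to be handled by people, outside the computing environment."""
        return [e for e in self.entries if e["outcome"] == "override"]

def request_access(user, role, resource, log, justification=None):
    """Return (granted, notice). A policy mismatch warns instead of hard-denying."""
    if role in POLICY.get(resource, set()):
        log.record(user=user, role=role, resource=resource, outcome="in-policy")
        return True, None
    notice = f"{resource} is outside policy for role {role!r}; continuing will be audited"
    if not justification:
        # Notification step: the user sees the warning and has not yet overridden it.
        log.record(user=user, role=role, resource=resource, outcome="warned")
        return False, notice
    # The user ignores the policy at their own peril; the override is audited.
    log.record(user=user, role=role, resource=resource,
               outcome="override", justification=justification)
    return True, notice

if __name__ == "__main__":
    log = AuditLog()
    # Constructed sample requests.
    print(request_access("alice", "finance", "payroll.xlsx", log))
    print(request_access("bob", "engineering", "payroll.xlsx", log))
    print(request_access("bob", "engineering", "payroll.xlsx", log,
                         justification="covering for finance during outage"))
    for v in log.violations():
        print("review:", v["user"], v["resource"], v["justification"])
```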

The paper compares computer security to an economy, and to the workings of the free-market economy in particular. It is very interesting and well worth reading for any security-minded administrator.

Implementing Security (and the NSA)

The NSA is, of course, the United States National Security Agency. It’s their job to a) keep the nation’s computers secure; and b) find out how to break everyone else’s (ah, the dichotomy of national intelligence!). Thus, some of the best computer security minds are at the NSA – it was the NSA that brought us SELinux (and still does!).

They also have a vast array of security guides available for download. These include guides on securing Solaris 8 and 9, MacOS X 10.3 and 10.4, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and more.

Use a security guide next time you secure a box – and not necessarily just one. Do some research. Implement all of the security you can on all of your boxes – even those that are not on the Internet. One day, someone might just crack through – then all of your internal systems will be at risk. Each system should be able to withstand an assault without falling.