Xref: utzoo comp.unix.internals:2633 comp.unix.admin:1680
Path: utzoo!utgpu!news-server.csri.toronto.edu!hub.toronto.edu!thomson
Newsgroups: comp.unix.internals,comp.unix.admin
From: thomson@hub.toronto.edu (Brian Thomson)
Subject: Re: Unix security additions
Message-ID: <1991Apr25.122921.23072@jarvis.csri.toronto.edu>
Organization: University of Toronto
References: <39950@cup.portal.com> <1991Mar14.230944.9184@eci386.uucp> <1991Mar22.024124.3238@ec <1090@mwtech.UUCP> <19183@rpp386.cactus.org> <1991Apr12.101319.8523@jarvis.csri.toronto.edu>
Date: 25 Apr 91 16:29:21 GMT
Lines: 47

In article peter@ficc.ferranti.com (Peter da Silva) writes:
>In article <1991Apr12.101319.8523@jarvis.csri.toronto.edu> thomson@hub.toronto.edu (Brian Thomson) writes:
>
>> You don't get a secure installation by buying a secure machine and
>> putting it in a location where a user can tamper with its backup tapes.
>
>We're not talking about random users here. We're talking about the regular
>backup operators.
>
>> Of course secure systems require physical safeguards!
>
>Of course, but who watches the people who work behind those safeguards?

That depends. Maybe no-one does - that is the situation at many machine
rooms in this university. The other extreme is that the operators are
watched by security staff. Closely. I mean guards at the doors to make
sure that tapes move only between the archive and the IO room (and
certainly not out of the building!), and they are signed in and out when
that happens. It is also prudent to divide up duties, so that the person
who mounts and dismounts tapes is not the same person who uses them
(i.e. does not have an account that is privileged to use tapes).

If you feel that the first situation is too lax, or the second too strict,
you have missed the point. It is in every case a question of cost versus
benefit, and the "benefit" is really the absence of the damage that might
be suffered.
At the university, the possible damage is not great, and we don't feel
that intruders would be highly motivated, so low-cost security measures
are expected to be adequate. This means we trust our operators quite a
bit, but not because of their exemplary character; rather, because the
overall risk is not high. Banks, however, don't give the keys to the
vault to any individual - two or three simultaneous keys, given to
different people, is more like it - because the temptation is too strong
and the potential loss too great.

So, in the case of this hypothetical installation, what are the risks?
How inviting a target are you? If you are not happy with the present
procedures, separation of duty is potent medicine, but it will probably
interfere with productivity and may even require hiring new staff. Those
are part of the cost - that you must balance against the benefit.
-- 
Brian Thomson, CSRI Univ. of Toronto
utcsri!uthub!thomson, thomson@hub.toronto.edu
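The separation-of-duty rule in the post above (the person who mounts tapes should not hold an account privileged to use them) is, on a Unix box, a statement about who can open the tape device nodes. The script below is an added example written for this page, not code from the original post or from the University of Toronto; it takes /etc/passwd, /etc/group and `ls -l` output for the tape devices, works out which accounts the mode bits let at each device (owner, group members including primary-GID members, everyone if world-accessible, plus uid 0 which bypasses mode bits), and reports any account on an operator list that also has tape access. The passwd, group and device listing contents, the device names /dev/rmt0, /dev/nrmt0 and /dev/rmt1, and the OPERATORS set are all constructed sample data, not taken from any real system.

```python
"""Separation-of-duty check for tape device access.

Added example (not from the original post). Given passwd/group data and an
`ls -l` listing of tape device nodes, compute who can use each tape device
and flag tape operators (the people who physically mount tapes) who also
hold an account able to open the devices.
"""
from typing import Dict, List, NamedTuple, Set, Tuple

# --- Constructed sample input (not from any real system) -------------------
PASSWD = """\
root:x:0:0:root:/:/bin/sh
opr1:x:101:20:Tape operator:/home/opr1:/bin/sh
opr2:x:102:30:Tape operator:/home/opr2:/bin/sh
backup:x:103:30:Backup account:/home/backup:/bin/sh
alice:x:104:100:Alice:/home/alice:/bin/sh
"""

GROUP = """\
wheel:x:0:root
staff:x:20:
tape:x:30:backup,alice
users:x:100:
"""

# Constructed `ls -l /dev/rmt* /dev/nrmt*` output; the major/minor column
# means the path is the last field, not a fixed one.
DEV_LISTING = """\
crw-rw---- 1 root tape 9, 0 Apr 25 1991 /dev/rmt0
crw-rw---- 1 root tape 9, 8 Apr 25 1991 /dev/nrmt0
crw-rw-rw- 1 root tape 9, 1 Apr 25 1991 /dev/rmt1
"""

# Hypothetical list of the people who mount and dismount tapes.
OPERATORS = {"opr1", "opr2"}


class DevEntry(NamedTuple):
    mode: str
    owner: str
    group: str
    path: str


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Map user name -> (uid, primary gid)."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def parse_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Map group name -> (gid, explicitly listed members)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            groups[f[0]] = (int(f[2]), {m for m in f[3].split(",") if m})
    return groups


def members_of(group: str, users, groups) -> Set[str]:
    """Explicit members plus users whose primary GID is this group."""
    if group not in groups:
        return set()
    gid, explicit = groups[group]
    return explicit | {u for u, (_, g) in users.items() if g == gid}


def parse_listing(text: str) -> List[DevEntry]:
    """Parse `ls -l` lines into (mode, owner, group, path)."""
    out = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 5:
            out.append(DevEntry(p[0], p[2], p[3], p[-1]))
    return out


def rw_classes(mode: str) -> Tuple[bool, bool, bool]:
    """(owner, group, other): True if that class may read or write."""
    rw = lambda t: "r" in t or "w" in t
    return rw(mode[1:4]), rw(mode[4:7]), rw(mode[7:10])


def users_with_access(entry: DevEntry, users, groups) -> Set[str]:
    """Accounts the mode bits let open the device; uid 0 bypasses them."""
    access = {u for u, (uid, _) in users.items() if uid == 0}
    owner_ok, group_ok, other_ok = rw_classes(entry.mode)
    if other_ok:                      # world-accessible: everyone can use it
        return access | set(users)
    if owner_ok:
        access.add(entry.owner)
    if group_ok:
        access |= members_of(entry.group, users, groups)
    return access


def sod_violations(listing: str, passwd: str, group: str,
                   operators: Set[str]) -> Dict[str, Set[str]]:
    """Map device path -> operators who can also use that device."""
    users, groups = parse_passwd(passwd), parse_group(group)
    bad = {}
    for e in parse_listing(listing):
        hit = users_with_access(e, users, groups) & operators
        if hit:
            bad[e.path] = hit
    return bad


if __name__ == "__main__":
    for dev, who in sorted(sod_violations(DEV_LISTING, PASSWD, GROUP, OPERATORS).items()):
        print(f"{dev}: operator(s) with tape access: {', '.join(sorted(who))}")
```

On the sample data opr2 is caught because the `tape` group is its primary GID even though it is not listed in /etc/group, and /dev/rmt1 is flagged for both operators because it is world-writable. To run it against a real host, feed it the contents of /etc/passwd and /etc/group and the output of `ls -l` on the tape nodes. It only reads mode bits: ACLs, sudo rules and set-uid tape utilities (a set-uid dump or tar would grant access the bits do not show) are outside what it sees and would need a separate check.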