Lessons from Analog Security
As a security person I try to take notice of security measures in non-digital settings. These are a few I noticed this week.
I think one of the fundamental problems of digital security is the inability to translate historically sound analog security practices into digital forms. Traditional computer scientists are not security experts. Traditional security experts are usually not computer scientists. Addressing this gap would be beneficial to both communities.
Can you think of other examples of security measures in the analog world that could be applied to the digital world?
- When visiting a jewelry store, I saw a sign say the following: "Our insurance policy does not permit us to remove more than one item at a time from this display case." This sign was attached to a case containing the store's most valuable jewelry. This is an example of limiting exposure by restricting access to one asset at a time. In a more generic sense, the digital version might involve following guidelines applied by an insurance company. Perhaps they would require WPA2 for wireless networks, etc.
- I received a check from a client. Underneath the signature line I read "Two signatures required for amounts over $75,000." This is an example of dual accountability. It requires someone writing fraudulent checks to have an accomplice. The digital version involves requiring two privileged users acting together to accomplish a particularly sensitive task.
- At many stores I saw video cameras directly above the cash register. While these might be useful for recording thieves, it is probably in place to deter employees from stealing. The digital version is comprehensive host- and network-centric monitoring.
I think one of the fundamental problems of digital security is the inability to translate historically sound analog security practices into digital forms. Traditional computer scientists are not security experts. Traditional security experts are usually not computer scientists. Addressing this gap would be beneficial to both communities.
Can you think of other examples of security measures in the analog world that could be applied to the digital world?
Comments
it would be nice if that gap could be addressed, of course the bigger problem is that software developers usually skip the design phase and go at it with the "Shoot first, shoot again, and try asking a question or two when finished shooting". Computer scientists needs to address the gaps in their own community before trying to bridge any gaps with others...