Credit where it’s due – why the Singapore regulator has it right on security
In a sense, there’s no reason why IT security professionals should care about the Monetary Authority of Singapore, writes Eric Chiu. After all, this organisation – officially the central bank of Singapore, the sovereign city-state in Southeast Asia – exists to “promote sustained non-inflationary economic growth, and a sound and progressive financial centre.” So what does that have to do with virtualised data centres and cloud computing?
Here’s what: MAS has implemented security measures that, among other policies, go a long way toward preventing attacks by rogue operators working on the inside. Those are exactly the defence mechanisms that can play a valuable role in protecting every IT infrastructure, especially those that are virtualised and carry a huge concentration of risk.
In the banking authority’s exhaustive Technology Risk Management Guidelines manifesto, there are three basic internal security principles. The first is labelled “Never Alone,” and it stipulates that “certain systems, functions and procedures are of such sensitive and critical nature that financial institutions should ensure that they are carried out by more than one person at the same time or performed by one person and checked by another. These functions may include critical systems initialisation and configuration, PIN generation, creation of cryptographic keys and the use of administrative accounts”.
This simple rule actually applies far more broadly, particularly in this industry. Many big banks and other financial services providers now require exactly this kind of dual approval for specific actions – for example, transferring funds or writing cheques over a certain amount. Had the policy been more actively enforced, it’s fair to say that some of recent history’s most spectacular debacles could have been avoided: England’s venerable Barings Bank went under through the misguided actions of a single rogue trader, and France’s Société Générale nearly suffered the same fate for the same reasons (it did lose billions in the process).
The two-man rule is even more relevant to technology. The most high-profile breach of national security information, the Edward Snowden fiasco, occurred because this single individual, by virtue of his position as a systems analyst, had virtually unlimited access to highly classified data in the National Security Administration. Had the system been configured to prevent him from accessing information without explicit approval from another person in the organisation, ideally a superior, it might have helped prevent the entire debacle. (For the record, the NSA is now in the process of implementing the two-man rule.)
Other victims are likely to follow suit. Target is still in the news – and likely will be for a while – for the massive data breach it suffered late last year. It appears that, perhaps among other tactics, thieves were able to gain access to the control point that distributes software to the retailer’s point of sale mechanisms. A policy that required secondary authorisation for software updates could have conceivably made the hack twice as difficult. And while it received less attention outside the IT universe, Adobe was similarly hit with a massive attack on its source code files, affecting some 38 million users. Here, too, a ‘never alone’ policy could have prevented the problem.
As simple as it is, the rule is not exactly new. It has even entered pop culture: A key scene in the 1995 submarine thriller Crimson Tide revolves around the characters played by Denzel Washington and Gene Hackman arguing over a decision to arm nuclear missiles, a procedure that requires dual approval.
All of which brings us directly to virtualised infrastructures and the cloud. Many organisations are migrating to these computing models, which involve a software-defined concentration of risk as a by-product of easy access to information. This in turn means that an entire class of systems professionals has the power and ‘authorities’ to extract any kind of information they wish. Many of the recent high-profile cases highlight the problem of wide-ranging insider access. It’s also not only about rogue operatives on the inside; the theft of insider credentials by outside parties immediately escalates the dangers of breaches and fraud.
Corporations have the obligation and responsibility to develop their own version of the ‘never alone’ policy for all sensitive data and mission-critical operations. In fact, the ‘two-man rule’ in a sense goes further, streamlining the security measure and enabling organisations to scale the tactic to meet business needs and operational demands. It’s not a panacea, any more than any single security measure is. However, it does offer a stronger defence, and makes it easier to contain the damage once a breach occurs. And that’s why IT professionals should care.
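One way such a ‘never alone’ control can be enforced in software, as an added example that is not part of this article or of the MAS guidelines: a small dual-control gate in which one identity requests a privileged action (the action name, identities and time window below are constructed for illustration), a different authorised identity must approve it before it runs, stale requests expire, and every step is recorded with both parties for audit.

```python
import time
from dataclasses import dataclass

class DualControlError(Exception):
    """Raised when a privileged action is attempted without valid dual control."""

@dataclass
class PendingAction:
    action: str                 # e.g. "push_pos_update" (constructed name)
    requester: str              # identity that initiated the action
    requested_at: float         # epoch seconds, used to expire stale requests
    approver: "str | None" = None

class DualControlGate:
    def __init__(self, authorised, window_s=900):
        self.authorised = authorised   # action -> set of identities allowed to take part
        self.window_s = window_s       # seconds a request stays open for approval
        self.pending = {}
        self.audit = []                # every step is recorded with both parties

    def request(self, action, requester, now=None):
        now = time.time() if now is None else now
        if requester not in self.authorised.get(action, set()):
            raise DualControlError(f"{requester} not authorised for {action}")
        self.pending[action] = PendingAction(action, requester, now)
        self.audit.append(("requested", action, requester, now))

    def approve(self, action, approver, now=None):
        now = time.time() if now is None else now
        p = self.pending.get(action)
        if p is None:
            raise DualControlError(f"no pending request for {action}")
        if now - p.requested_at > self.window_s:
            del self.pending[action]
            raise DualControlError(f"request for {action} expired")
        if approver == p.requester:   # the core of "never alone"
            raise DualControlError("requester cannot approve their own action")
        if approver not in self.authorised[action]:
            raise DualControlError(f"{approver} not authorised for {action}")
        p.approver = approver
        self.audit.append(("approved", action, approver, now))

    def execute(self, action, run):
        """Run `run()` only if a distinct second person has approved the action."""
        p = self.pending.get(action)
        if p is None or p.approver is None:
            raise DualControlError(f"{action} lacks dual control")
        del self.pending[action]
        self.audit.append(("executed", action, p.requester, p.approver))
        return run()
```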