Wednesday, August 27, 2008

Compromised integrity

Two words we often use in InfoSec... compromise and integrity. But their origins outside of technology are of interest to me today.


Compromise - To expose or make liable to danger, suspicion, or disrepute.


Integrity - Steadfast adherence to a strict moral or ethical code.

What do I mean by this? I mean asking yourself how what these things mean to you as a member of a community (substitute nation, organization, company, family).

In the tech world, when a machine gets compromised, there is often a battle between the security team and... well, everyone else. Security says, once it's compromised it can't be trusted again - reformat and rebuild from scratch. The techs often say "that'll take hours" or worse, "that'll take days" and of course, it's a critical system. Management agrees, after all, it's going to cost us money to take those services down. And no, there are no hot spares or quick reloads available. In the end, the risk is made clear and the machines are replaced.

But what happens when the human soul's integrity is compromised? Many security folks have been a part of internal investigations. Often evidence isn't entirely clear how much an insider may be compromised. Did they make a one-time mistake? Or are they actually malicious? Again, the security folks often recommend termination and replacement. Again, there is often some (but not nearly as much) push back - especially if that person is critical to the organization.

Those who read Geek Girl Detective know how devastating it can be to a company when someone in an important position becomes compromised. It could be the end of the organization itself. But again, is it better for an organization to implode, minimizing the damage of the compromise, or explode with a devastating shockwave of litigation?

I've been told recently that no person should be replaceable. Same is true when designing systems. However, in either case, is this always feasible? No. But it's on the table as something that should be thought about and planned for - People and computers.

No comments: