Educause Security Discussion mailing list archives
Re: "Porn-surfing hits taxpayer IDs"
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 15 Jun 2006 09:00:09 -0400
Jere Retzer wrote:
The scenario that concerns me is business partners, some who are unsophisticated technology users who need to access sensitive data from machines that are totally outside your control.
Bottom line: Unsophistated/untrusted operator. + Unsecured/untrusted machine. + Sensitive data. ----------------------- Accident waiting to happen There is no way to change that equation. You must change one of the variables or pay for business convenience with higher risk to constituent data disclosure. The entire industry is facing that problem. You may be able to reduce risk by running fraud detection software on the servers to help detect unusual access. But, of course, screen scraping of authorized access wouldn't show up. Two factor authentication may limit the times the compromised computer could access the server to those times when the token is available. But it has to be a physical, removable token and the operator has to remove it. Your web application is covered with SSL and you have access and authorization in place to keep out unauthorized users, but the machines these authorized outside users use to access the application may be infected. Hence providing access to unauthorized users. Guy Pace suggested quarantining machines that don't pass muster but I'm concerned scanning business partners' machines would be unacceptable. Ideally, their organization would scan their machines. You could even form some sort of a trusted, federated security assertion along the lines of the federated identity idea. On the other hand, if you are responsible for your constituents' sensitive data, how much trust do you place in their processes? How much auditing are you willing to do? You'd effectively be developing a standard like the credit card companies' PCI data security standard. And, of course, if they're accessing your constituents' data with their home machines, all bets are off unless you enforce some desktop security.
gtoal () UTPA EDU 06/14/06 3:01 PM >>>How about for machines we do not control?you put them in a zone where you don't care too much if they're infected. Certainly not a trusted 'inside' zone with access to anything valuable. (I'm assuming that just keeping them out altogether is not an option) G
-- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- "Porn-surfing hits taxpayer IDs" Jere Retzer (Jun 14)
- <Possible follow-ups>
- Re: "Porn-surfing hits taxpayer IDs" Joel Rosenblatt (Jun 14)
- Re: "Porn-surfing hits taxpayer IDs" Gary Flynn (Jun 14)
- Re: "Porn-surfing hits taxpayer IDs" Jere Retzer (Jun 14)
- Re: "Porn-surfing hits taxpayer IDs" Brendan Callahan (Jun 14)
- Re: "Porn-surfing hits taxpayer IDs" Pace, Guy (Jun 14)
- Re: "Porn-surfing hits taxpayer IDs" Jere Retzer (Jun 14)
- Re: "Porn-surfing hits taxpayer IDs" Graham Toal (Jun 14)
- Re: "Porn-surfing hits taxpayer IDs" Jere Retzer (Jun 14)
- Re: "Porn-surfing hits taxpayer IDs" Gary Flynn (Jun 15)
- Re: "Porn-surfing hits taxpayer IDs" Chris Green (Jun 15)
- Re: "Porn-surfing hits taxpayer IDs" Graham Toal (Jun 15)
- Re: "Porn-surfing hits taxpayer IDs" Jere Retzer (Jun 15)