Signatures by fax, and security in context

(this is a work in progress, thought I would write this in public and see what reactions I get)

Bruce Schneier, the world’s leading authority on security, writes well about why we accept signatures by fax – noting that it works because it is done in context, everyone understands how insecure it is (except in the relatively rare instances when they don’t.) One thing is that we tend to think of new technologies in terms of old technologies: The physical signature can easily be faked with a fax, even easier when we start to use scanned PDFs – in fact, gluing in a copied signature becomes the standard way of doing things for most people.

I am currently thinking about security in a next-generation employee computing setup, where corporate infrastructure has retreated behind a browser and the end user can buy whatever he or she desires – be it a Mac or PC, laptop or desktop, cell phone or public terminal. Every user comes in via the public Internet, even if he or she is physically sitting right next to the server park.

From a security standpoint, this is actually a simplification, much as you simplify PC provisioning when you switch everyone to a laptop. Sure, many of the users don’t need a laptop, and a laptop is more expensive than a desktop. But differentiation has its costs, too. And it is much easier to make a desktop out of a laptop – in essence, all you need to do is sit still – than it is to to do it the other way.

If you move to an architecture with corporate infrastructure and personal, private terminals, you remove the inside-or-outside-the-moat distinction companies often naively use as their main security barrier. Instead you must verify everyone’s identity in terms of the information and functionality they can have access to. You need to specify this as a very granular level, and will need a well defined hierarchy of access rules. You will also, like Wikipedia, need to have a way to track who has done what where, and make it easy to reverse whatever changes has been done, should it prove necessary.

I am less certain that you need much of a standard for what should run on the clients themselves – surely we have progressed to a point now (or will in the near future) where end users can take responsibility for keeping their own technology’s reasonably updated and secure? We probably need to rethink security in terms of consequence management, in the sense that we need to make the consequences of poor security become apparent to the end user. The analogy is to car safety – for all the nagging about putting on your seatbelt and monitoring speeding, nothing would reduce deaths in traffic as much as a mandatory large spike sticking out of the steering wheel, instantly impaling the driver should he or she crash or suddenly brake.

(and that is as far as I got before the telephone started chiming, and it was time to scoot off for meetings and other things that eat up your day. I will be back. Comments, of course, are most welcome.)