Reading through the news I noticed that Barack Obama’s passport records were improperly accessed by three contract workers for the State Department. What I thought was interesting was an excerpt toward the end of the article:
The officials said that when a prominent person’s passport records are accessed, it triggers an alarm in the computer system and the person who viewed them is questioned to see if there was a legitimate reason for looking at the file.
Now it obviously isn’t good that three random contract workers seem to be able to access passport records of any individual they want. That is certainly an authorization issue that led to a confidentiality breach. What was impressive, at least, was that the requirements for the system took into account the possibility that some users might try to misuse the system and put in logging and auditing routines and business processes to detect and address these abuses.
A couple of thoughts on this:
- Creating a comprehensive and workable authorization scheme that divides all Americans with passports into groups is probably really hard. That might explain (but not excuse) why the breach happened in the first place.
- I have no idea if it was responsible in this case, but Threat Modeling is really useful for bringing the requirement for auditing and logging features to the surface early in the development process. Enumerating likely attacks against and misuse vectors for systems is a tremendously useful best practice.
- I see far too many systems that are fielded with no concept of auditability and logging so bravo to the US State Department for at least having the technology and procedures in place to detect abuses. Otherwise there could be hundreds of contract workers accessing all sorts of sensitive passport records and we might never find out. Preventing all abuse would certainly be preferable, but knowing that abuse has occurred is a valuable second line of defense.
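To make the "alarm in the computer system" concrete, here is an added example (not code from the original post or from the State Department system) of the kind of audit-log review the article describes: every lookup of a record on a sensitivity watchlist raises an alert for follow-up questioning, and, going one step beyond the article, a second rule flags an account that performs several lookups without a recorded business justification. The log format (one JSON event per line with `ts`, `user`, `record_id`, `case_id` fields), the sample events, and the watchlist are all constructed for this example.

```python
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log, one JSON object per line. The field names
# (ts, user, record_id, case_id) are an assumption made for this example;
# case_id is the business justification recorded for the lookup, or null.
SAMPLE_LOG = """\
{"ts": "2008-03-20T09:01:12Z", "user": "contractor_a", "record_id": "P-10001", "case_id": "C-555"}
{"ts": "2008-03-20T09:05:40Z", "user": "contractor_a", "record_id": "P-90001", "case_id": null}
{"ts": "2008-03-20T10:15:03Z", "user": "contractor_b", "record_id": "P-90001", "case_id": null}
{"ts": "2008-03-20T11:30:55Z", "user": "contractor_c", "record_id": "P-90001", "case_id": "C-612"}
{"ts": "2008-03-20T12:00:00Z", "user": "clerk_d", "record_id": "P-10002", "case_id": "C-700"}
{"ts": "2008-03-20T12:01:00Z", "user": "clerk_d", "record_id": "P-10003", "case_id": null}
{"ts": "2008-03-20T12:02:00Z", "user": "clerk_d", "record_id": "P-10004", "case_id": null}
{"ts": "2008-03-20T12:03:00Z", "user": "clerk_d", "record_id": "P-10005", "case_id": null}
"""

# Constructed watchlist: record ids the system treats as sensitive. Any lookup
# of one of these is alerted on, even when a case id was supplied, so that a
# reviewer can confirm the stated justification (as the article describes).
FLAGGED_RECORDS = {"P-90001": "designated sensitive record"}


@dataclass(frozen=True)
class Alert:
    rule: str     # which detection rule fired
    user: str     # account that performed the lookup(s)
    detail: str   # context for the reviewer who will question the user


def parse_log(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_audit_log(text, flagged=FLAGGED_RECORDS, bulk_threshold=3):
    """Return alerts for (a) every lookup of a flagged record and
    (b) any user with at least bulk_threshold lookups lacking a case id."""
    alerts = []
    unjustified = defaultdict(list)  # user -> record ids looked up with no case id
    for ev in parse_log(text):
        rid = ev["record_id"]
        if rid in flagged:
            alerts.append(Alert(
                "flagged-record-access", ev["user"],
                f"{rid} ({flagged[rid]}) at {ev['ts']}, case_id={ev.get('case_id')}"))
        if not ev.get("case_id"):
            unjustified[ev["user"]].append(rid)
    for user, rids in unjustified.items():
        if len(rids) >= bulk_threshold:
            alerts.append(Alert(
                "bulk-unjustified-lookups", user,
                f"{len(rids)} lookups without a case id: {', '.join(rids)}"))
    return alerts


if __name__ == "__main__":
    for a in review_audit_log(SAMPLE_LOG):
        print(f"[{a.rule}] user={a.user}: {a.detail}")
```

Run against the sample log, the first rule produces one alert per contractor who touched the flagged record (three in total, including the lookup that carried a case id), and the second rule produces one alert for `clerk_d`, who ran three lookups with no justification recorded. The second rule is the cheap generalization of the first: the watchlist only catches abuse of records someone thought to flag in advance, while requiring and checking a justification on every lookup gives reviewers a signal for the rest.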
dan _at_ denimgroup.com