Debate: The model of 'trust but verify' is effective at mitigating the insider threat.

FOR

A. N. Ananth, CEO, Prism Microsystems

The emergence of WikiLeaks has focused attention on the insider attack, yet it is not a new problem. While not as common as external attacks, insiders can be highly destructive to an enterprise's credibility and security.

Completely disabling functionality (e.g., removable media) in the name of hardening is impractical, inefficient and eventually noncompetitive. Ignoring the issue is just as bad. It is not a question of “if” the insider attack will happen; it is only a question of “when.” Responsible organizations should “trust but verify” when it comes to insiders – trust that employees are doing what is right, but verify that information is handled correctly.

Insider threats must be balanced with information needs by following several key steps. First, identify critical assets and establish access control based on need. Second, publish acceptable-use policies and educate users. Last, enforce these policies with effective monitoring of all access. Ideally, use behavioral analysis to identify variations and abnormalities from a running baseline.
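The last step above (monitor all access and compare it against a running baseline) is the one that actually does the "verify" work, so here is an added example of what such a check looks like in practice. It is not code from the original debate or from either author's company; the log format, the constructed sample lines, the per-user profile (resources, actions, working hours, transfer size) and the 3-sigma threshold are all assumptions made for illustration.

```python
"""Running-baseline anomaly check over access-log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (assumed format: "timestamp user action resource bytes").
BASELINE_LOG = """\
2011-02-01T09:12:00 alice read hr/payroll.xlsx 20480
2011-02-01T10:05:00 alice read hr/benefits.pdf 8192
2011-02-02T09:30:00 alice read hr/payroll.xlsx 20480
2011-02-02T11:15:00 alice write hr/benefits.pdf 8192
2011-02-03T09:45:00 alice read hr/payroll.xlsx 20480
2011-02-01T14:00:00 bob read eng/design.doc 65536
2011-02-02T15:20:00 bob read eng/design.doc 65536
2011-02-03T16:05:00 bob read eng/spec.doc 32768
"""

# Constructed "new" activity to verify against the baseline.
NEW_LOG = """\
2011-02-04T09:20:00 alice read hr/payroll.xlsx 20480
2011-02-04T02:10:00 bob read hr/payroll.xlsx 20480
2011-02-04T02:12:00 bob copy hr/payroll.xlsx 20480
2011-02-04T14:30:00 bob read eng/design.doc 9000000
"""


def parse(log_text):
    """Turn raw log lines into event dicts; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource,
                       "bytes": int(nbytes), "raw": line})
    return events


def build_baseline(events):
    """Per-user profile: resources and actions seen, hour window, size stats."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baseline = {}
    for user, evs in by_user.items():
        hours = [e["ts"].hour for e in evs]
        sizes = [e["bytes"] for e in evs]
        baseline[user] = {
            "resources": {e["resource"] for e in evs},
            "actions": {e["action"] for e in evs},
            "hour_lo": min(hours) - 1,          # one hour of slack each side
            "hour_hi": max(hours) + 1,
            "mean": mean(sizes),
            "stdev": max(pstdev(sizes), 1.0),   # floor avoids a zero-width band
        }
    return baseline


def check(event, baseline, k=3.0):
    """Return the list of ways this event deviates from the user's baseline."""
    prof = baseline.get(event["user"])
    if prof is None:
        return ["no baseline for user"]
    reasons = []
    if event["resource"] not in prof["resources"]:
        reasons.append("resource outside baseline set")
    if event["action"] not in prof["actions"]:
        reasons.append("action never seen before")
    if not prof["hour_lo"] <= event["ts"].hour <= prof["hour_hi"]:
        reasons.append("outside normal hours")
    if event["bytes"] > prof["mean"] + k * prof["stdev"]:
        reasons.append("transfer size beyond %.0f-sigma band" % k)
    return reasons


def find_anomalies(baseline_text, new_text):
    """Verify new events against a running baseline; clean events are folded in."""
    history = parse(baseline_text)
    flagged = []
    for event in parse(new_text):
        reasons = check(event, build_baseline(history))
        if reasons:
            flagged.append((event["raw"], reasons))
        else:
            history.append(event)   # the baseline keeps moving with normal use
    return flagged


if __name__ == "__main__":
    for raw, reasons in find_anomalies(BASELINE_LOG, NEW_LOG):
        print(raw, "->", "; ".join(reasons))
```

Alice's routine read of the payroll file is accepted because it matches her profile; Bob's off-hours access and copy of a file he never touched, and his later nine-megabyte pull of a file he normally reads in 64 KB, are each flagged with the specific reason. A real deployment would replace the whole-history rebuild with incremental statistics and tune the hour slack and sigma multiplier per role.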

AGAINST

John Kindervag, senior analyst, Forrester Research

Trust, but verify – the sacrosanct mantra of modern infosec – has failed our profession. It is a joke – literally. It comes from President Reagan's speech commemorating the signing of a historic nuclear weapons treaty between the United States and the former Soviet Union:

President Reagan: We have listened to the wisdom in an old Russian maxim. And I'm sure you're familiar with it, Mr. General Secretary, though my pronunciation may give you difficulty. The maxim is: Dovorey no provorey — trust, but verify.

Gorbachev: You repeat that at every meeting.
Reagan: I like it.

Our profession misunderstood the joke and implemented trust and forgot to verify, thereby opening the door for numerous insider breaches, with WikiLeaks/Bradley Manning being the most prominent.

Trust is not a concept that should be anthropomorphized down to the packet level. We must quit trusting and start verifying. Until then, the joke is on us. Dovorey no provorey.
