SDP 10: SEPARATION OF PRIVILEGES

Kip Boyle:
Hi, thanks for being here. This is your cyber path. We’re the podcast that helps you start a career in cybersecurity or if you’re already working in cybersecurity, we’re going to help you accelerate your career. You’re going to get more responsibility more, and you’re going to have a lot better work in your hands. I’m Kip Boyle. Here with me is Jason Dion. Hey, Jason.

Jason Dion:
Hey, Kip. Nice to see you again.

Kip Boyle:
Good to see you. It’s nice to have you back on dry land. Jason has been cruising like there’s no tomorrow, like cruising is going to come to an end anytime soon.

Jason Dion:
Well, it did in 2020, so I mean, I had to make it for lost time. No, this is the navy sailor and me. I just love being on the water. I don’t know.

Kip Boyle:
Well, you’re back on dry land for I guess a short refit and you’re on your way again really soon. So I’m glad I got a chance to pin you down. So what we’re going to do today is we’re actually going to finish a series of episodes that we started a long time ago on security architecture and design principles. Now this all comes from a paper that was originally published back in 1975, and if you go back to the first episode in the series, you’ll hear me talk, me and Jason talk about where this paper came from, why it’s so important. But today we want to talk about the 10th and final principle, and why is this important? Okay, so this is my last chance to tell you it’s important because so much of the work that we do changes all the time– new technologies, new products, new attacks, but these principles are something that doesn’t change very often.

Some of them come into fashion, some of them go out of fashion, but most of them are still relevant today even though they were written a long, long time ago. Now, the one we’re going to talk about today, the 10th and final one is called separation of privilege. I’m sure that this is going to be unlike the last one, we did least common mechanism, which was weird and difficult to understand. I think separation or privilege is going to be way easier for us to understand, and the way that it’s defined in the paper is the protection mechanism should grant access based on more than one piece of information. So, Jason, my bet is this is completely relevant in all of the modern certification body of knowledge. Is that right?

Jason Dion:
Oh, yeah. We use separation of privileges all the time. And you may hear this called dual authorization, dual control, or another form of separation of privilege is actually when you are the one person authenticating, but you’re using two different forms to do it, i.e., you’re logging with a username and password and that one-time text message code that goes to your cell phone. So when I think about separation of privileges, I really think about the fact that we’re going to take this protection mechanism and it’s going to grant access based on more than one piece of information. That can be a username and a password and something like a rotating one-time-use code or a text message or a link in your email or in the older systems. We actually do this by having dual control and having two separate people doing something. So I’m sure we can all think of great examples of this that we use on a daily basis.

I’m going to give you one from a large organization. If you work in a large company and you’re about to go buy a new office building and it’s a 10 million office building, well, if KIPP is the CEO, he can’t just write a check on his own for $10 million and sign it and somebody will cash it. Instead, the CEO has to write the check and the CFO has to countersign it. And so now we have two pieces of information, Kip’s signature and the CFO’s signature before that check becomes valid and so he’ll cash your check and give them their new office building.

Such one way that we see this, at least in the financial world. Another good example of this, I always think about in one of my courses, we talk about dual control. I use this example and I talk about the fact that my wife has this macaroni and cheese recipe that’s the best family macaroni and cheese recipe. And she’s got it from her mom, and her mom gave it to her from her grandma, and it’s been passed down over the years. So if we have this super secret macaroni and cheese recipe and I don’t want anybody to get it, I can lock it up in my safe, but if I do that, a single combination or a single key would open it and somebody could steal it. But because this is a super secret macaroni and cheese recipe, we’re actually going to take the combination that opens that lock and we’re going to split it up. And so maybe it uses two padlocks and each one has a four-digit combination. My wife knows one and I know one. So if she knows it and opens it, she still can’t get the recipe without me being there, and I can’t open it without her being there. And so we both have to be there providing our piece of the combination to be able to open that lock box.

Now, I know that sounds like a kind of silly example, and we don’t actually lock up her recipe that way, but in the computing world, we actually do that a lot. We’ll take a cryptographic key, we’ll split it in half and give half of it to one user and half of it to another user so that both have to come together before we can unlock or decrypt some kind of a really important thing. For example, if you’re Coca-Cola, you want to make sure nobody knows what your secret recipe is. If you’re Colonel Sanders, nobody should know you’re 13 herbs and spices. All of that is corporate trade secrets that need to be protected, and they are under highly-guarded locking key using these types of dual authentication or dual authorization systems. So that’s my look at this when we talk about separation of privilege here.

Kip Boyle:
Yeah, I think that’ll make sense. I think it’s helpful. The one that I’m thinking of is actually from Hollywood because you know, Hollywood does a wonderful job of making it completely plain to everybody how we do our work, don’t they? I mean, it’s all beautiful.

Jason Dion:
Every time I’ve watched NCIS and we have the two hackers on the keyboard at the same time, because two people typing on a keyboard is obviously faster than one person typing on a keyboard.

Kip Boyle:
That’s right.

Jason Dion:
But you’re right, there are some examples in Hollywood. You’re probably thinking of The Hunt for Red October and the nuclear launch sequence, right?

Kip Boyle:
But yes, I am thinking of the nuclear launch sequence, but unfortunately for you being a Navy veteran, I wasn’t thinking about that movie. I was thinking about the Air Force movie, War games.

Jason Dion:
Oh okay.

Kip Boyle:
With Matthew Broderick back in 1983 is when that thing came out. And the reason why I think of it is because in the beginning of the movie, they have this little vignette that opens up the movie where Missileers are in the hardened land-based ICBM launch silo. And they have this really interesting situation where they get the launch codes and the launch officer, one of them is ready to go, and the other one hesitates. And so the gung-ho launch officer pulls his sidearm, aims it at the other launch officer and says, “Turn your key, sir.| And then you see, after that happens, they pull out the chairs, and that sort of becomes the beginning of the movie. And the justification for Whopper.

Jason Dion:
And I was actually thinking, I said the wrong movie. It wasn’t Hunt for Red October, I was thinking of. It was actually Crimson Tide with Denzel Washington and Gene Hackman, right? And they’re on a submarine, they’re on a nuclear submarine, and Gene Hackman, who’s the captain, gets a message, and it’s only half of the message that says, “Go launch the missiles.” And the XO, who’s Denzel Washington goes, “No, we can’t do that, sir. The message wasn’t complete.” And under the military standards, if the message isn’t complete, it could have been terminated. It could have been an exercise. You don’t know. You don’t act on that message, you’ve got to have the whole thing. So they’re waiting for it. And because they’re a submarine under the water and they’re being tracked by a Russian sub, they can’t come up to periscope debt to get the new rewrite the message.

And the captain’s like, “No, we’re going to do it.” And he tries to fire the XO and everything else. But essentially they have, if you want to launch a missile, they each had a safe in their room and they go in, they break open the thing and get their half of the code that is the authorization key to do it. Or in the case you were talking about, you have two keys and they have to be turned at the same time to launch the missile. All of those are forms of dual authentication or a separation of privilege. So that one person can’t start a nuclear war with Russia, and instead you have to have two people do it.

Kip Boyle:
Yeah, we need two people to agree we need to start a nuclear war, and thank God that hasn’t happened yet. So you know what, separation or privilege, it actually is very easy for us to describe because why? It’s such a useful design principle that it’s actually, you can see it all over the place, both in the military environment as well as in the private environment. I really love the example of the two signature checks. The countersigning of the checks is perfect for the private sector. Was there anything else you wanted to mention in this episode, Jason?

Jason Dion:
Yeah, I would say the other area that I’ve seen this used when I was working in the military, anytime we were doing a new installation of a piece of gear, we bring in a contractor who does a lot of the installations for us because our crew doesn’t have enough either experience, time, money or talent to do it, and whatever the reason is, we bring in some outside contractors. So when an outside contractor comes in and takes out your old servers and puts in a new server and they install the software, they do the updates and they do the configurations, one of the things is they actually have a signature and they go down the checklist and they sign off on it.

While they’re doing that, we have a Navy person standing next to them verifying they did the work and signing off next to them. And then once both those columns are signed on this 300-page document with all the steps they had to do, they bring it to the communications officer who reviews it and verifies that everything’s being signed and countersigned, and then they will sign it and accept the agreement. They call that a SOVT, a system operations verification and testing. And once you sign off, now the Navy owns that system and it’s no longer the contractor’s responsibility.

And at that point, if something breaks, it’s now under the Navy’s problem and not the contractors to fix. But until we both sign off on that and we’ve agreed that they’ve done all the work and we concur they do all the work and we accept it, it no longer is our problem yet, it’s still their problem because it’s still under the contractors control. And so that’s another area of this dual control or dual authorization where it can be used as a way to move it from a production or from a testing environment into a production environment or from a production environment into retirement or something like that.

Kip Boyle:
Have you ever had to sign off on one of those?

Jason Dion:
Oh, all the time. Yeah, hundreds of them. Yeah. So when I was in the Navy back in the day, I was on a large ship called the USS Wasp (LHD-1), and when I was there, we went through a 11-month overhaul period. And I was lucky enough, lucky enough, haha, yeah, to be the information systems officer on that ship. I was responsible for about 120 people. We had a network that could support 3000 users. And while I was on that, we actually went into the shipyard and ripped off every single piece of CAT 3 and CAT 5 wiring on the ship — every single server, every single computer, every single router and switch. And we did what’s called the Gig E upgrade, going from a hundred megabits per second, up to 1000 megabits and one gig and 10 gig per second using fiber lines all the way to the desktop for every single computer.

And it was a massive project, and my 120 people would never be able to do it on their own. So we brought in a team of a couple of hundred people from outside that came in and ran all the cables and ran all the wirings. And that was just a massive … It was a 30, $40 million project that I oversaw as we did this whole installation.

Kip Boyle:
Wow.

Jason Dion:
And that was just one of the big installs we did. But every piece that then had to be SOVTed, like the network, like the routers, like the servers and the domain controllers, and then all the other systems that I was responsible for, including satellite connectivity and wireless connectivity and things like that. So it’s a lot of those that you do, and that is part of that dual control and dual authorization to make sure that when I sign it, I’m now responsible for it moving forward, and it’s no longer the contract company’s job. And so a lot of the contractors will try to push it through and get you to sign things before they’re ready because they don’t want to be responsible anymore. Now it’s your problem.

So you got to be very careful if you’re in a position of leadership and not just sign things that are put in front of you because when you’re signing, you’re usually authorizing something, either money, time, resources, or responsibility.

Kip Boyle:
Well, so if Radar O’Reilly shows up and says, sign here, sir, make sure you read it.

Jason Dion:
Exactly, yes. 100%. But yeah, so that’s the idea of this whole idea of separation of privileges. Like I said, this can be called dual control, dual authorization, dual signature. You’ll see things like key escrow where they take a key and they split it in half. And so each half of that key becomes part of the total solution. In fact, that’s one of the things I personally do. We’ve talked before about using password managers, right, Kip. When you set up your password manager, you set up your long strong password and two-factor authentication. But if you forget that password or that two-factor authentication, what does your password manager have for you? How do you get in?

Kip Boyle:
You have this emergency secret key.

Jason Dion:
And it’s like this big long series of hexadecimal numbers, and it’s usually like 20, 30, 40 digits long. Well, one of the things I do is I actually take that and I print it off, and then I don’t store that anywhere on my computer so I don’t want it in a digital format, and I take it on a piece of paper and I literally cut it in half and I have half stored in one place and half stored in another place. And so if I need to go ahead and unlock it, I can do that. And the reason I do that is because all my passwords are in that password manager. And if I just had that sitting on my desk and somebody broke into my house and they steal that emergency key, they now have access to my bank accounts, my credit cards, my stock brokerage, and all the other things, and I don’t want that. So I’ve implemented this idea of dual authorization or dual control by splitting that one piece of information into two and then locking them up in different places.

Kip Boyle:
You’re fun at parties, aren’t you?

Jason Dion:
Oh, I’m so much fun. Let me tell you. Sometimes I’m a little paranoid. I don’t know what to tell you. I’ve been in security for 25 years at this point. Man, I’m a little paranoid, but only because I know what’s out there.

Kip Boyle:
Well, that’s just it. It’s not paranoid if they really are out to get you.

Jason Dion:
Yep. And really it just comes down to how much protection do you want for that thing, right?

Kip Boyle:
Right.

Jason Dion:
And that may be going a little too far, but again, in my case, I can do that. Maybe I put half of it at my kid’s house and half of it in my bedroom and nobody would know where it is or which kid it’s at or that kind of thing. So it gives you ability to have these things. Or you might split it and put one in a Dropbox account and one in a Google Drive account. So now somebody has to break into two accounts to put the information back together. That’s the idea of what we’re talking about here.

Kip Boyle:
Yep. I think it’s perfectly well explained. I’m not going to add another thing.

Jason Dion:
All right.

Kip Boyle:
The risk of muddying the waters.

Jason Dion:
Well, that being said, I’ll go ahead and wrap up this episode. I hope you guys have all enjoyed this SDP discussion as we’ve gone through over the last 20 weeks together or 20 episodes together. We’ve done one episode of SDP and then something else, and then one episode of SDP and then something else. And this was number 10. So this was the final SDP episode that we have. So you won’t hear us talk about SDP again on this podcast, at least not for a while. And that was a really long series. So I really appreciate you all sticking with us. If you missed any of the other parts of that series, you can go back and listen to them over at yourcyberpath.com. We have all those episodes that you can go back and learn all 10 of those service design principles and those secure design principles to make sure you understand how these things operate inside of your daily life and inside of your businesses as you move forward.

That being said, I want to thank you again for listening to Your Cyber Path podcast. If you enjoyed it, please leave us a review on your favorite podcast application, whether that’s Stitcher, Google, Podcasts, Apple Podcasts, or whatever you like to listen to us on. We’d really appreciate those reviews. It does help us get found in search and helps more people find this podcast. And the other thing I want to say is if you want to keep in touch with me or Kip, you can always do that over at yourcyberpath.com or over at akylade.com, a-k-y-l-a-d-e.com, which is a certification company that we work with and we co-founded. And we are doing all the new certifications out there for the NIST Cybersecurity Framework and Risk Management and other things like that. And I think you’ll find it very valuable. So if you want to keep in touch with us, you can find us over there at a-k-y-l-a-d-e.com, and we’ll look forward to seeing you on the next episode of Your Cyber Path.

Kip Boyle:
Thanks for being here, everybody. Bye.