Friday, February 19, 2010

What should the School District have done?

The Pennsylvania school district being sued for allegedly spying on students now claims the feature was only used to recover stolen laptops.

Recovering a stolen laptop is an objective that most people would accept as valid. But at the very least the school district's implementation has created a major legal liability. Even if they 'win' the lawsuit they could easily spend a million dollars in legal costs.

What should the school district have done instead?

Disclosure: Any security mechanism that you would not want to disclose to your users is likely to be a bad idea. A mechanism that is kept secret to avoid controversy is a very, very bad idea.

Dual controls: Banks require every important operation to involve at least two people. It's not just to reduce the risk of embezzlement, it's to provide protection for the personnel. If one employee could open the safe by themselves, they would be a target for kidnappers, and if any money did go missing they would be a suspect.

Audit Trail: Every system that could be misused should generate a tamper-proof audit trail.

Security people don't just ask 'what is the worst that can happen', they think 'what is the worst that someone could be accused of'.

Adding the necessary controls does not need to create excessive overheads. Simply generate a unique access code for each endpoint and seal the access codes in tamper-evident bags. Make the custodian of the bags a different person from the one who holds the password for the recovery system. Alternatively, use a software-based mechanism to enforce dual controls.

This problem has been solved for a decade in key recovery systems. There really is no excuse for not applying that technology.
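One way to realise the software-based dual control and the tamper-evident audit trail argued for above, as an added Python example (not code from this post, nor from any school district's actual recovery system); the endpoint names, operator password and reasons are constructed for illustration:

```python
import hashlib
import hmac
import json
import secrets


def issue_access_codes(endpoints):
    """Custodian side: one random code per endpoint, to be sealed and held
    by someone who does NOT hold the recovery-system password."""
    return {ep: secrets.token_hex(16) for ep in endpoints}


def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()


class RecoverySystem:
    """Operator side. Stores only hashes of both secrets, so the system
    itself cannot reveal the custodian's codes or the operator password."""

    def __init__(self, endpoint_codes, operator_password):
        self._code_hashes = {ep: _digest(c) for ep, c in endpoint_codes.items()}
        self._operator_hash = _digest(operator_password)
        self.audit_log = []  # hash chain: every entry commits to the one before it

    def _record(self, **fields):
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = dict(fields, prev=prev)
        entry["hash"] = _digest(json.dumps(entry, sort_keys=True))
        self.audit_log.append(entry)

    def activate(self, endpoint, access_code, operator_password, reason):
        """Dual control: recovery on an endpoint is enabled only when BOTH the
        custodian's per-endpoint code and the operator's password are presented.
        Every attempt, granted or refused, is written to the audit trail."""
        code_ok = hmac.compare_digest(self._code_hashes.get(endpoint, ""), _digest(access_code))
        operator_ok = hmac.compare_digest(self._operator_hash, _digest(operator_password))
        granted = code_ok and operator_ok
        self._record(endpoint=endpoint, reason=reason, granted=granted)
        return granted

    def verify_log(self, latest_hash=None):
        """Tamper check: recompute the chain. An edited entry or one removed from
        the middle breaks it; pass the last hash published elsewhere (e.g. to the
        custodian) as latest_hash to also detect truncation of the tail."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(json.dumps(body, sort_keys=True)) != entry["hash"]:
                return False
            prev = entry["hash"]
        return latest_hash is None or prev == latest_hash
```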
