Here’s the thing about computers: When you open up Word, or Excel, you think you’re opening a file and making changes to it. You’re not. We’ve been taught to think of electronic files like physical documents. They’re not. You can’t interact directly with an electronic document. In fact, what you’re doing is kind of like controlling a Mars rover from a room in Pasadena. You send commands through the keyboard and mouse, and you see updated pictures on the monitor, but you can’t actually touch the Martian rock and turn it over in your hand. You need a machine to do that for you.
So what? It’s essentially the same thing, right?
The distinction is important because of the way we secure computer files. We say that a person has read or write access to a particular file, but in reality it’s the person’s user account that has the right to access the file. But a user account isn’t a real thing. It’s just a concept—an easy way to refer to a collection of access rights and settings that are packaged together and secured with some form of logon credentials.
So, the user doesn’t have access to a file, because a human being cannot interact directly with a bunch of magnetic fields on a spinning disk; the user account doesn’t have access to a file, because the user account doesn’t exist except as an idea. What we’re doing, then, is granting a computer a temporary ability to access and manipulate the ones and zeros that make up the file.
Again, why is that important?
It’s important because, although I may trust you implicitly to handle my most sensitive data, I don’t trust your computer. Unless you’re under some form of mind control, you’re going to act in a predictable manner when handling my files. If you work for me, you’re not going to destroy or steal my information because that would jeopardize our relationship and your job. You have a conscience, principles, a desire for self-preservation, whatever you want to call it. Your computer, on the other hand, has no such moral qualities. It is simply a tool—a very complex tool—and, as such, can be taken over by another person and used for ill.
The very qualities that make computers so useful also make them insecure. The fact that a computer can do many things at once, often “in the background,” means that the person using it doesn’t see most of what is going on—perhaps even files being deleted, or copied and shipped off to parts unknown.
I subscribe to the practice of least-privilege administration (LPA). This means granting people the least amount of access necessary to perform their duties. Business owners often reject this idea at first because they don’t see the necessity: “I trust all my people,” they say. “As long as no one can get in from the outside, we’re fine.” They don’t understand that LPA is not about securing your data against people; it’s about securing your data against the very computers your people use to access it.
We’ll have more about LPA and information security in future posts.