Pointer to blogpost: http://www.ldap.com/1/commentary/wahl/20051130_01.shtml
Mark Wahl’s commentary is an excellent discussion of assurance in identity management. It touches on a particular type of assurance: the confidence we place in human beings’ apparent intentions, their competency, their honesty, and so forth. Their apparent halos. Their personal assurance.
Wahl notes that we tend to trust strangers more if those individuals have all the external appearances—such as clothing, glib talk, personalities, and racial/ethnic backgrounds—associated with roles, or peoples, or stations in life, that we trust. The more of those external appearances that fit into our comfort zone, the more vulnerable we are to being duped by the occasional wolf in sheep’s clothing:
• The highway robber in a cop uniform.
• “Frank Abagnale Jr, subject of the movie Catch Me If You Can, improved the effectiveness of his check fraud scam by wearing an airline pilot's uniform, pilots being regarded as ‘generally credible and respected professionals’ and so be less likely to be cashing bad checks.”
• The suits we encounter in daily life who convince us to part with our life savings, or waste a big chunk of it on some unique, useless pile of sh*t that only their company provides, and only for a limited time, and only to special customers like yourself and your lovely wife, who obviously have the intelligence and sophistication and experience with such things to recognize and truly appreciate blah blah blah……..
In other words, the social-engineering attack. The con. In one of my recent blogposts, I analyzed the notion of “reputation,” construing it as a type of personal assurance in identity management. “In the IdM context, reputation is more of an assurance or trust level—an evaluation of the extent to which someone is worthwhile to know and associate with.”
In our respective blogposts, Wahl and I were approaching the subject of personal assurance from slightly different angles. He was focusing on the assurance we place in people that we know next to nothing about, other than the fact that they look and act trustworthy—wear the suit, talk the talk, etc. By contrast, I was looking at the assurance we place in individuals about whom we think we know tons, because we have access to what we regard as reliable hearsay/gossip, which tells us that so and so is a good or bad person, an acceptable or excessive risk, etc. He was focusing on the cultural stereotypes that drive our snap judgments of personal reliability, and I was focusing on the cultural grapevine that further confirms or informs those judgments.
This got me to thinking of something I was discussing with an old acquaintance the other day. This person—his name is a common cognate of my grandfather’s Christian name—asked if I would be interested in authoring an article on the possibility of “profiling” IT personnel to measure the extent to which they posed an “insider threat”: someone who was likely to betray their employer’s trust by stealing, compromising, or damaging data, software, hardware, and other IT assets. We just engaged in general brainstorming, but didn’t agree to anything in particular. I offered a few observations, and told him that he’s free to use anything I suggested, if he wished. I assume he’s reading this blog now, and recognizes himself. He’s still welcome to take the ball and run with it.
It just occurred to me that this “insider threat profiling” topic is an application of personal assurance. Before I launch into my further thoughts, I need to come back to Wahl’s post—in particular, the following excerpt:
• “In science fiction author Philip K. Dick's novel A Scanner Darkly, the character Fred, an undercover narcotics agent, would wear a ‘scramble suit’ all the time that he was not undercover. This suit protect's the wearers identity by preventing visual identification: it would encase the wearer and project onto itself random images derived from 1.5 million possible elements of human representations: ‘As the computer looped through its banks, it projected every conceivable eye color, hair color, shape and type of nose, formation of teeth, configuration of facial bone structure--the entire shroudlike membrane took on whatever physical characteristics were projected at any nanosecond, and then switched to the next.... the wearer of a scramble suit was Everyman and in every combination (up to combinations of a million and a half sub-bits) during the course of each hour. Hence, any description of him--or her--was meaningless.’”
Hmmm…someone’s external appearance/demeanor is like a suit that they put on (consciously or otherwise), and that others use as a primary input in assessing personal reliability and integrity. Which reminds me of a teeny-tiny poem I dashed off a few years ago:
• “TAKE SHAPE//we button nerves/and join the fray/a suit's a shape/we wear all day”
We hire people and invest them with responsibilities for many reasons. One of the big reasons is that they wear a trustworthy “suit” that seems right for the role to which we plan to assign them. We’ve all heard of, and occasionally worked with, the “empty suit.” How do we submit the “suit” to a multidimensional “profiling” that allows us to fathom the depth—and angel-to-devil ratio--of the person within? Given that human beings are so complex, creative, and unpredictable, how can we even pretend to know how anybody will behave under all possible future scenarios, and whether they’ll succumb now and then to the temptation to betray their employer in order to pad their own pockets? Or just to wreak havoc for the hell of it?
The cop-out answer is to say we can’t possibly assess other people’s trustworthiness and potential for mischief. But every one of us does it all the time with everybody we know, including our closest family and friends. We do it with bosses, co-workers, customers, and business partners as well. We all rely on intuition: some of us have particularly sharp intuitions, while others are hopelessly naïve and credulous.
How can we assess the trustworthiness of IT staff? These are people in whom you’ve invested responsibility for managing your company’s most critical data, applications, systems, networks, and business processes. Identity management (IdM) systems, in particular, are the most sensitive IT assets, because they drive authentication, authorization, encryption, auditing, and other critical security services that span most applications. How much assurance can you truly place in your IdM, PKI, and trust infrastructure if you have no trust in the people who manage it?
Which brings me back to the notion of personal assurance and profiling of IT staff. Personal assurance is not something you can measure in the abstract. Temptation can bring out the worst in any person. And aren’t the temptations available to IT staff just deliciously juicy? Those temptations become ever more acute as IT personnel realize that they are the high priests and priestesses of sensitive corporate apps and systems that few others understand, and as IT people realize they can easily cover up their misdeed and erase or efface any audit trails.
To the extent that you attempt to profile individuals for their potential to pose insider threats, you must consider the interplay between character and circumstance. Who is this complex individual? And what roles are they performing with respect to places, processes, and platforms in your organization?
Who is this individual? That’s the “character” issue, and you can begin to measure character in terms of some broad personal attributes: background (i.e, resume, transcripts, etc.), aptitudes (i.e, skills, certifications, tests, inclinations, dispositions, etc.), recommendations (i.e., reputation, hearsay, references), and record (i.e., actual documented performance as attested by reliable others, not by the individual themselves).
What roles are they performing? That’s the “circumstance” issue. You can measure circumstance, hence opportunity for mischief, by looking at how much power you’ve given them—or are contemplating giving them-- over your IT environment. Absolute power corrupts absolutely.
If you have exactly one IT person who does everything, you’ve created an opportunity for absolute abuse. How much assurance do you have in that one person’s character, however measured? If they’re the only IT “insider,” and you’ve tasked no other “insider” to serve as a check/balance/whistleblower, you’ve invested that one person with absolute assurance.
Which I’m assuming they’ve earned. They’re a familiar face and name, not some anonymous schmoe you recently hired off the street without checking their references, background, criminal record, etc.