[Security_sig] access control assumptions
joseph.cihula at intel.com
Thu Sep 16 17:54:15 PDT 2004
Our current assumptions are that only a small set of authorized users
will have access to the system (TOE) and that we thus do not need to
protect against a malicious, authorized (or internal) user
(A.MALICIOUS-INSIDER and A.ADMIN-ONLY).
I have two issues/questions around this:
1. Is it the case that most distributed (3-tier) apps in telcos do not
use impersonation for access control? If they do, then this really does
create a much larger set of authorized users and I think that our
assumptions would fail in such cases.
2. Is it the case that the CGL-based systems are isolated from
non-administrative personnel? Specifically, is there a class of very
unprivileged users (e.g. call center operators, customer service, field
technicians, etc.) who might require limited access to applications and
data on the CGL systems? Not only are such front-line employees much
more susceptible to compromise (bribery, disgruntled, etc.) but they
are also more susceptible to social engineering attacks that could grant
the attacker their privileges. Defending against these types of
internal users would be akin to (but more difficult than) defending
against general network attacks.