Re: Who gets the magic scepter when there are three of it?

Subject: Re: Who gets the magic scepter when there are three of it?
From: Mike Stockman <mstockman -at- gmail -dot- com>
To: TECHWR-L <techwr-l -at- lists -dot- techwr-l -dot- com>
Date: Mon, 27 Sep 2010 16:44:39 -0400

2010/9/27 Jefe de redacción <editorialstandards -at- gmail -dot- com>

> I had a nice table where I described a system of authentication tokens that
> should normally be held by different people. Separation of roles.
> The table included a column of suggested persons/roles in an organization
> who should be the holders of the individual tokens, like the CSO (Chief
> Security Officer), CIO (Chief Information Officer), head system
> administrator, and so on.
> The new, improved system allows each of those authentication tokens
> to be split across multiple physical devices, to ensure that no one person
> can present the complete authentication for a role without
> oversight/participation by fellow token-split holders.
> Now, the question is what happens to the suggestions (above) when there's
> usually only one CSO, one CIO, one head of system admin, etc. in
> an organization. We can hardly suggest that the CSO keep one split of
> his token, give one to his secretary, one to the janitor...
> We know that the janitor is an independent cuss, but we think the
> secretary might be influenced by her boss (the CSO) to look the other
> way, or to lend her split-token fragment inappropriately.

Unless I misunderstand the question, it seems to me you have only three real

1) Combine two or all tokens with one person. Already rejected, because it
defeats the purpose of the divided authentication in the first place.

2) Draft one or more people off of your chart. As you say, the janitor or
secretary might be compromised, but upper-management, or a list of people
with sufficient clearance/training from other groups, may contain
trustworthy enough people. Go get one of those.

3) Hire/create a position to handle the second or third tokens. If an
organization has grown to the point where such authentication measures are
needed, they may also need these people for other reasons.

So your choices are between #2 and #3. Present them to the users and you're
done, right?

Of course, an additional option is to re-evaluate the need for split
authentication in the first place. It may still be needed, but it may also
be something an earlier CSO found exciting, but was never really warranted.

Hope this helps, and I'll be interested to see other responses to see what I

