Trust but Verify (Accountability) ◾ 175
must ensure not only that actions can be assigned to an individual but also that the individual has the proper clearance to perform those actions. Financial organizations and government agencies require accountability to be a part of their operational structure, but any organization that is subject to compliance auditing can benefit from the application of this tactic.

Any structure that reduces the overall time and effort required for compliance reporting is beneficial. Manual reporting is a costly, time-consuming resource hog; any degree of automation is of value. Accountability, however, provides a number of other long-term benefits that are difficult to ignore. For example, the ability to prove compliance through accountability could be used to reduce the overall scope of audits. Accountability can also reduce malicious conduct, legal or regulatory sanctions, and liabilities from false accusations or claims. Every organization stands to benefit from these capabilities. The question is, "Will it be cost effective?" Given the state of today's audit technologies, the cost of achieving high levels of accountability for small to medium-size businesses is prohibitive. Large enterprises, especially those with in-house application development, will find this tactic much easier to implement for two reasons: (1) the ability to build missing functionality and (2) the ability to incorporate accountability functionality into their applications. These allow the gaps between existing technologies and accountability control objectives to be closed. Service providers have the most to gain from this tactic. Accountability is not only a viable way to reduce liability, it also improves availability by discouraging illicit behaviors and identifying operational deficiencies. Finally, a high level of accountability is a major market differentiator.
Comprehensive Accountability Identity Objectives
Accountability is an information security tactic that assures actions taken on a system can be traced back to the individual or individuals who performed those actions. The U.S. National Institute of Standards and Technology (NIST) definition notes that accountability "supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action." This section covers accountability controls and control objectives. Accountability relies on two functions: identity and audit. It isn't possible to trace actions back to an individual unless the individual has a unique identity, nor is it possible to trace actions back to an individual without sufficiently detailed records (i.e., audit trails, logs) of those actions.
The primary accountability attributes for identity are unique, specific, and exclusive. Unique means only one occurrence of this identity exists within the system. Specific means that the identity references a real person or process as opposed to a generic entity such as anonymous, guest, or testuser1. Exclusive means the identity is used by a single entity as opposed to being shared with multiple entities. These three requirements should be part of your information security policy for systemwide (domain) identities as well as local system identities, and these policies should be backed up with the appropriate procedures for identity issuance, monitoring, and revocation.
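As an added illustration (this script is not part of the book), the following Python code checks an identity inventory and an authentication log against the three attributes just described: unique, specific, and exclusive. The account list, the log line format, and the rules for recognizing generic names are assumptions constructed for the example; a real check would read the identity store and logs of the system under review.

```python
"""Check identities against the three accountability attributes:
unique (one occurrence per identity), specific (names a real person or
process, not a generic entity), and exclusive (used by a single entity).
Added example; all data below is constructed for illustration."""

import re
from collections import defaultdict

# Constructed identity store export: (identity, owner) pairs. A duplicate
# identity and two generic accounts are included so each check finds something.
ACCOUNTS = [
    ("asmith", "Alice Smith"),
    ("bjones", "Bob Jones"),
    ("asmith", "Adam Smith"),      # second occurrence: violates "unique"
    ("guest", ""),                 # generic entity: violates "specific"
    ("testuser1", ""),             # generic entity: violates "specific"
    ("svc_backup", "Backup job"),  # a process identity is fine if it names one process
]

# Constructed authentication log. The "user=... src=..." layout is an
# assumption of this example, not a standard format.
SESSION_LOG = """\
2024-05-01T09:00:00 LOGIN user=asmith src=10.0.1.15
2024-05-01T09:02:00 LOGIN user=bjones src=10.0.1.22
2024-05-01T09:03:00 LOGIN user=bjones src=10.0.9.7
2024-05-01T09:05:00 LOGOUT user=bjones src=10.0.1.22
2024-05-01T10:00:00 LOGIN user=svc_backup src=10.0.2.1
"""

# Generic names taken from the text, plus an assumed pattern for throwaway
# test/temp accounts (e.g. testuser1, temp3).
GENERIC_NAMES = {"anonymous", "guest"}
GENERIC_PATTERN = re.compile(r"^(test|temp|tmp|demo)\w*\d*$", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (LOGIN|LOGOUT) user=(\S+) src=(\S+)$")


def not_unique(accounts):
    """Identities that occur more than once in the store."""
    seen = defaultdict(int)
    for ident, _owner in accounts:
        seen[ident] += 1
    return sorted(i for i, n in seen.items() if n > 1)


def not_specific(accounts):
    """Identities naming a generic entity, or with no recorded real owner."""
    return sorted({i for i, owner in accounts
                   if i.lower() in GENERIC_NAMES
                   or GENERIC_PATTERN.match(i)
                   or not owner})


def not_exclusive(log_text):
    """Identities that held open sessions from two different source addresses
    at the same time. Concurrent use from different hosts is an indicator,
    not proof, that the identity is shared by more than one entity."""
    active = defaultdict(set)   # identity -> source addresses with an open session
    flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip lines the parser does not understand
        _ts, event, ident, src = m.groups()
        if event == "LOGIN":
            if active[ident] and src not in active[ident]:
                flagged.add(ident)
            active[ident].add(src)
        else:
            active[ident].discard(src)
    return sorted(flagged)


def accountability_findings(accounts=ACCOUNTS, log_text=SESSION_LOG):
    """Run all three checks and return the findings keyed by attribute."""
    return {
        "not_unique": not_unique(accounts),
        "not_specific": not_specific(accounts),
        "not_exclusive": not_exclusive(log_text),
    }


if __name__ == "__main__":
    for attribute, idents in accountability_findings().items():
        print(f"{attribute}: {', '.join(idents) or 'none'}")
```

The uniqueness and specificity checks are deterministic and can gate identity issuance. The exclusivity check is only a monitoring lead: one person logged in from a laptop and a desktop trips it just as a shared password does, so its output belongs in the review procedure the text calls for, not in an automatic revocation step.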
The goal is high assurance identity management beginning with properly vetted identity requests, assuring the requestors are who they claim to be and have been properly authorized to receive an identity. It continues with an incorruptible process for validating a presented identity such as multiple factor or third-party authentication. And it concludes by assigning the appropriate permissions to data and computing resources (i.e., authorization).
Ideally, the user should only need to log on once (single sign-on) and be able to gain access to
all their assigned resources. When this isn’t possible, the ideal is to be able to use the same identity