April 16, 2006

Separation of Roles - an example

Having created the five parties model for digital governance, one of the things that has persisted is the difficulty in getting this implemented. Some DGCs have adopted it completely, more or less (goldmoney and Pecunix rise to mind), others only partially (e-gold for example only did parts of the physical metal side, and even that has fallen fallow) and yet others not at all. We don't mention the ones that do not ... at least in a governance post ... because it is hard to comment on their lack of governance.

So why is it so difficult to convince issuers of value to implement governance? Partly it is because the issuers of new value all hail from beyond the traditional accounting and banking spheres, so they simply don't know what's awaiting them. And, it is more information than people care to absorb, especially when the focus is on the customer's short term needs, not the defence against some hypothetical attacker. Partly of course, it is because it is not well explained.

(I think the model is really simple! The Issuer creates a new role called the Mint/co-signatory who is responsible for changes in the total value of issue. Another role created is the manager, who takes that day-to-day value increase and decrease and manages it. This means the Issuer never gets his hands dirty. The Operator runs the systems, and never does numbers, so his hands are clean, too. Finally, the User is the 5th party. She monitors all, leading to the need for open governance.)

One of the fundamentals is the centuries-old tradition of separation of roles. Here's an example of what goes wrong, talking about how 'Apparent authority' doctrine complicates credit card liability. An accounting manager went on a spending spree with her company credit card. She ordered the card, she paid the bills. When the jig was up ... $133k later ... the company argued that it gave no authority for this:

When Kathy's fraud was finally discovered, the company sued American Express, the card issuer, seeking a refund of everything it had paid over $50. But American Express (which has had considerable experience with this sort of thing) resisted, arguing apparent authority.

The company responded: "Nonsense. We never said anything or did anything to make American Express think Kathy had authority to use our card for personal purchases. Heck, we didn't even know she had a card. She ordered it herself."

But American Express prevailed, convincing the court that allowing Kathy to pay the credit card bill every month over a long period of time was enough to create apparent authority in Kathy to use the card.

Right, and that makes some sort of sense. Intuitively, the company is responsible for its employees, more or less. We can't go sticking it to the bank just because we weren't watching what was going on. But what was the one specific thing the company should have done? Here:

There are many lessons to be learned here, but the one that leaps to mind is: Don't let the same employee review the company's credit card statements and also write the checks to pay them.

Precisely. Separation of roles. There should always be at least two people responsible for controlling some asset - in this case the ability to order credit cards, run them up and pay them off.

Just how far you go with this depends on the circumstances - security should be proportional to risk. In the five parties model (5PM), I suggest that you start off with the Mint being controlled by the same person as the Operator. And the Issuer can be the Manager. That's because this is how it falls out in operational terms ... Later on as the risk grows, the security needs grow, so the Issuer needs to look at expanding the number of parties from 3 to 5. And beyond, as each of those parties simply divides internally.

But, if you do none of these things - if you implement no separation of roles, no 5PM, no governance at all - then history tells us what happens. One day, as Issuer, you'll be looking for someone to blame, and it might come as a shock to discover it is yourself.

Posted by iang at April 16, 2006 11:06 AM

basically, a lot of this is long term standard countermeasures to insider fraud. i have some recollection of early 80s starting to really get into threat analysis and countermeasures for insider exploits.

this somewhat all became obfuscated with the internet and the attention being paid to outsider exploits .... even thru the whole internet era, the studies have continued to show that the majority of fraud is still related to insiders. one might even conjecture the people behind serious fraud help promote the attention paid to outsiders as misdirection.

of course the other is that a lot of the internet stuff is somewhat more likely to make the popular press since the general public has more awareness of internet as opposed to the long standing backroom business processes where the majority of financial activity actually occurs.

as implied, there may be some issue with internet stuff more likely to involve people who have little or no knowledge and experience with real business issues and history of the serious threats, vulnerabilities, and exploits.

recent article:

Organization Seen Ignoring Main Culprit in Information Security Breaches

references to a few previous articles and/or studies
http://www.garlic.com/~lynn/aadsm12.htm#44 Identity Theft More Often an Inside Job
http://www.garlic.com/~lynn/aadsm17.htm#38 Study: ID theft usually an inside job
http://www.garlic.com/~lynn/aadsm18.htm#49 one more time now, Leading Cause of Data Security breaches Are Due to Insiders, Not Outsiders

of course, the above articles relate to (insider) breaches where the information may be turned around and used for identity and/or account theft. it doesn't talk about the other kinds of insider fraud like embezzlement or inflated purchase orders making payments to some relative.

so for some additional drift, a posting mentioning financial controls, payment protocols (and digital certificates)
http://www.garlic.com/~lynn/2006f.html#32 X.509 and ssh
http://www.garlic.com/~lynn/2006f.html#36 X.509 and ssh

the above references the trivial scenario of corporate checks that had logo stamped on them that they weren't good for more than a certain value. what they then found was that the work around was to write a whole collection of such checks (for just under the limit).

One of the times this came up was in the mid-90s involving some PKI proponents suggesting that digital certificates could have similar limit statements in support of using PKI-based (offline) financial transactions emulating the (offline) check model. At about the same time, there was an article in the national news about a NYC public school official writing (one of these business checks with limit) 200 checks for $5000 each to funnel $1m to a front company as part of embezzlement.

The scenario that business had gone to was online transactions ... frequently implemented with a special business card (form of credit or debit card) that had backend business rules, not only about amount of individual purchases, but some implemented business rules about where the card could be used as well as what kind of purchases that the card could be used. It also had aggregated rules ... about max. money that could be spent per period (as countermeasure to embezzlement doing a large number of smaller individual transactions). Of course, there was also multi-party oversight/approval of monthly activity (but it gained not requiring detailed multi-party oversight/approval of each individual purchase) ... which obviously didn't happen in this particular example.

What some of the PKI proponents had difficulty coming to grips with was that the stale, static offline check model was being replaced with dynamic, realtime, online operation.

The stale, static offline credential, certificate, diploma, license, letters of credit, letters of introduction paradigm had served the world for centuries providing trusted information to relying parties (who otherwise didn't have any other means of accessing and/or validating the information).

The PKI digital certificate is an electronic analog of that stale, static offline paradigm. Many of the PKI proponents seem to have trouble coming to grips with modern infrastructures moving to online operations and away from the old-fashioned stale, static offline method (in part because online, realtime operation can close a lot of short-comings and vulnerabilities implicit with offline).

Posted by: Lynn Wheeler at April 16, 2006 12:39 PM
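
The contrast drawn in the comment above, as an added example (not code from the post or its commenters): a limit stamped on each check is evaluated one instrument at a time, while an online authorizer keeps running per-period state and so catches a series of payments at the item limit. The 200 payments of $5000 come from the comment; the $20,000 monthly cap, the card name and the purchase category are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Txn:
    card: str
    day: date
    amount: int      # whole dollars
    category: str    # kind of purchase

@dataclass
class OnlineAuthorizer:
    """Backend business rules evaluated in real time, with running state."""
    per_txn_limit: int
    per_period_limit: int
    allowed_categories: frozenset
    spent: dict = field(default_factory=lambda: defaultdict(int))

    def authorize(self, t: Txn) -> tuple:
        if t.category not in self.allowed_categories:
            return False, "category not allowed"
        if t.amount > self.per_txn_limit:
            return False, "over per-transaction limit"
        period = (t.card, t.day.year, t.day.month)   # aggregate per card per month
        if self.spent[period] + t.amount > self.per_period_limit:
            return False, "over per-period aggregate limit"
        self.spent[period] += t.amount
        return True, "approved"

def offline_check_ok(amount: int, stamped_limit: int) -> bool:
    """Static limit stamped on the check: each check is judged in isolation."""
    return amount <= stamped_limit

def split_payment_totals(n: int, amount: int) -> tuple:
    """Total value passed by each model for n equal payments in one month."""
    # Constructed limits: 5000 per item, 20000 per card per month.
    auth = OnlineAuthorizer(5000, 20000, frozenset({"supplies"}))
    offline_total = online_total = 0
    for i in range(n):
        if offline_check_ok(amount, stamped_limit=5000):
            offline_total += amount
        txn = Txn("card-1", date(2006, 4, 1 + i % 28), amount, "supplies")
        if auth.authorize(txn)[0]:
            online_total += amount
    return offline_total, online_total

if __name__ == "__main__":
    print(split_payment_totals(200, 5000))
```

The static model passes the full $1,000,000; the stateful model stops approving once the monthly aggregate is reached.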

Doesn't "dynamic, realtime, online", without controls at least as stringent as for the offline transactions, allow fraud and embezzlement to be perpetrated all the more rapidly?

"Apparent authority" is a very good doctrine. It deals with what the principal has told the third party about the authority of the agent to bind the principal, and sometimes (as in the above-related case) about what the third party can reasonably infer by what the principal _hasn't_ told him. The other main means of holding a principal liable for the acts of his agent is "actual authority," where the principal in fact delegated authority to his agent. A third party often has no way of learning beforehand about this other than through apparent authority, so this doctrine is not as useful for protecting third parties from people acting under the color of authority.

A third means whereby a principal can be bound by his supposed agent is "estoppel," where the agent claimed authority, the third party's belief in that authority was reasonable (even though not derived from an act or omission of the principal), and the principal benefited (unjust enrichment) from the exercise of that authority.

This trio of actual, apparent, and estoppel authority is one of the basic "patterns of integrity" that recurs in agency law, partnership law, corporate law, and government activities -- basically, it recurs any time two or more people are acting legally like one person or one person is acting legally for another -- and I suspect I'll find good analogs of it in computer security or organizational controls once I switch back to thinking about that field.

Can you tell I'm studying for my corporate law finals? :-)

Posted by: nick at April 17, 2006 11:29 PM