Thank you for this. Great write-up, and totally on point.
> * Keep it offline/airgapped.
Agreeable, but what about physical access? What about compromised individuals, or nefarious agents?
> * Store the most dangerous data on paper with hashes replicated online to ensure integrity.
Interesting; I guess that reduces the accessibility of the information, so it's harder for you and harder for someone else. Interesting, and in line with your comment about the Gozer Principle (is there anything more than a tweet about that?)
> * Do not have a centralized repository of data to reduce risk of catastrophic exposure.
Also a great point too; and pretty contrary to how we typically design systems.
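The "paper records, hashes online" idea above, worked through as an added example (not code from anyone in this thread). The records, ids and transcriptions are constructed for illustration; the names `build_manifest`, `verify` and `manifest_intact` are assumptions. The point it shows is the practical wrinkle of the scheme: a paper record has to be re-typed before it can be checked, so the hash must be taken over a canonical form (whitespace and line-ending normalised), or every honest transcription looks like tampering. A root digest over the per-record hashes lets a single value be published or pinned so that the online manifest itself can be checked for alteration.

```python
import hashlib
import json
import re

# Constructed sample: three "paper" records as their custodian would transcribe them.
PAPER_RECORDS = {
    "R-001": "Source: ALPHA\nMeeting 1987-03-02\nContact established via courier.",
    "R-002": "Source: BRAVO\nPayment 4,000 authorised.",
    "R-003": "Source: CHARLIE\nNo further contact after 1987-06.",
}


def canonical(text: str) -> bytes:
    """Normalise a transcription so re-typing the same paper record yields the same bytes.
    Line endings, trailing spaces, blank lines and runs of spaces/tabs are collapsed;
    the wording itself is untouched, so any change of content still changes the hash."""
    lines = [re.sub(r"[ \t]+", " ", line).strip()
             for line in text.replace("\r\n", "\n").split("\n")]
    return "\n".join(line for line in lines if line).encode("utf-8")


def record_hash(text: str) -> str:
    return hashlib.sha256(canonical(text)).hexdigest()


def _root(digests: dict) -> str:
    # Deterministic serialisation, so the same manifest always gives the same root.
    blob = json.dumps(digests, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


def build_manifest(records: dict) -> dict:
    """Per-record digests plus one root digest over them. Only this manifest goes online;
    the records stay on paper."""
    digests = {rid: record_hash(txt) for rid, txt in records.items()}
    return {"records": digests, "root": _root(digests)}


def manifest_intact(manifest: dict) -> bool:
    """Recompute the root to confirm the online manifest has not itself been edited
    (the root is the one value you would pin somewhere you trust more than the manifest host)."""
    return _root(manifest["records"]) == manifest["root"]


def verify(manifest: dict, transcribed: dict) -> dict:
    """Compare freshly transcribed records against the published manifest.
    Per record id: 'ok', 'modified' (text differs), 'missing' (paper gone) or 'unlisted'
    (a record on paper that was never hashed, i.e. possibly planted)."""
    status = {}
    for rid, expected in manifest["records"].items():
        if rid not in transcribed:
            status[rid] = "missing"
        elif record_hash(transcribed[rid]) != expected:
            status[rid] = "modified"
        else:
            status[rid] = "ok"
    for rid in transcribed:
        if rid not in manifest["records"]:
            status[rid] = "unlisted"
    return status


if __name__ == "__main__":
    manifest = build_manifest(PAPER_RECORDS)
    print(json.dumps(manifest, indent=2))
    print(verify(manifest, PAPER_RECORDS))
```

Note what this does and does not give you: it detects alteration, removal or insertion of records, but says nothing about confidentiality, and a record that was tampered with before it was first hashed is "ok" forever. The canonical form is deliberately conservative; if the records contain tables or meaningful indentation, the normalisation has to be designed around that.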
> what about physical access? What about compromised individuals, or nefarious agents?
Always a risk and a very hard problem to solve since someone always needs access and that person can be compromised. Detecting and preventing this is what counter-intelligence is for, but counter-intelligence is never a guarantee of security.
You can trade off usability for security to slow the speed at which an attacker can copy everything, giving you more time to detect the activity. This only makes sense if the information is exceptionally important to protect. That being said, even paper can be stolen in large quantities. Jonathan Pollard managed to steal quite a bit of classified paper from the US during his tenure. The Israelis needed multiple high-speed copying machines to keep up with his output [1].
One could imagine a system in which records are stored in multiple places and people only have access to the local files. No one agent could compromise the entire system. Then again, you might be so secure you protect the information from yourself and may not be able to "connect the dots" which is probably what you have the information for in the first place.
As Snowden suggested, "The Two Man Rule" [2] can also make enemy spies' jobs harder. While it is true a determined attacker can overcome it by gaining the other party's credentials, such actions raise the risk of the spy being caught.
A very silly idea:
I've been told on older nuclear armed submarines the device used to launch the missiles must be carried from one part of the sub to another to begin the launch sequence. The device was extremely heavy and awkward, requiring multiple people to move it and making the movement of it very obvious and loud. Thus, they accidentally achieved an additional "Two Man Rule". Perhaps if very secret information was encrypted and then stored on heavy large objects which could only be read/decrypted at another location in the building, then it would be difficult to quickly steal and decrypt many of the files. A computational version of this would be a cipher that requires massive resources (memory, CPU) to decrypt. This is likely more fantasy than reality, but at least enemy spies would have to break a sweat.
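The two ideas in this comment, a two-man rule and a cipher that is expensive to decrypt, combined into one added example (not code from anyone in this thread). It uses only the Python standard library: the key is derived with scrypt, a memory-hard KDF whose memory per attempt is about 128 * r * 2**log2_n bytes, over both custodians' passphrases, so neither custodian alone can derive it and each decryption costs the attacker (and the legitimate user) the configured memory and time. The stream construction (SHAKE-256 keystream XOR plus an HMAC tag) is a toy built so the example runs offline, not a standard AEAD; the passphrases, plaintext and the names `encrypt`/`decrypt`/`derive_key` are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16
TAG_LEN = 32


def derive_key(pass_a: bytes, pass_b: bytes, salt: bytes, log2_n: int) -> bytes:
    """Two-person, memory-hard key derivation.
    Both passphrases are bound into one secret (with role labels, so swapping them fails),
    then stretched with scrypt. log2_n=14 with r=8 needs roughly 16 MiB per attempt;
    every increment doubles memory and time for attacker and custodian alike."""
    secret = hashlib.sha256(b"custodian-A:" + pass_a + b"|custodian-B:" + pass_b).digest()
    return hashlib.scrypt(secret, salt=salt, n=2 ** log2_n, r=8, p=1,
                          dklen=64, maxmem=64 * 1024 * 1024)


def _keystream(enc_key: bytes, salt: bytes, length: int) -> bytes:
    # Toy stream cipher: XOF output keyed by the derived key and the per-message salt.
    return hashlib.shake_256(enc_key + salt).digest(length)


def encrypt(plaintext: bytes, pass_a: bytes, pass_b: bytes, log2_n: int = 14) -> bytes:
    """Returns header(log2_n, salt) || ciphertext || HMAC tag. The cost parameter is
    stored in the header so the decryptor knows how expensive the KDF must be."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(pass_a, pass_b, salt, log2_n)
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, salt, len(plaintext))))
    header = bytes([log2_n]) + salt
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt(blob: bytes, pass_a: bytes, pass_b: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if either passphrase is wrong or the blob was altered.
    The expensive KDF runs before the tag check, so a wrong guess still pays the full cost."""
    if len(blob) < 1 + SALT_LEN + TAG_LEN:
        return None
    log2_n, salt = blob[0], blob[1:1 + SALT_LEN]
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    ct = body[1 + SALT_LEN:]
    key = derive_key(pass_a, pass_b, salt, log2_n)
    enc_key, mac_key = key[:32], key[32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, salt, len(ct))))


if __name__ == "__main__":
    # Constructed demo: two custodians, one record, 16 MiB per decryption attempt.
    blob = encrypt(b"record 7: contact established via courier", b"alice-pass", b"bob-pass", log2_n=14)
    print(decrypt(blob, b"alice-pass", b"bob-pass"))   # both present: plaintext
    print(decrypt(blob, b"alice-pass", b"guess"))      # one custodian missing: None
```

The caveat the reply below raises holds here exactly: the cost is symmetric, so `log2_n` is a dial between "too slow for an attacker to bulk-decrypt" and "too slow for your own analysts", and it only bites if the attacker has to run the KDF per record, which is why each record should carry its own salt rather than sharing one derived key.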
> Interesting, and in line with your comment about the Gozer Principle (is there anything more than a tweet about that?)
I've been working on a blog post on it, but I don't really have enough content to flesh it out and make it worth reading at the moment.
The two-man rule is a good idea - not fool-proof, but I suppose nothing really is.
And the story about the heavy device on nuclear subs; that's brilliant! Although I'm not sure a computational version would be a cipher that needs a lot of resources to decrypt, unless that is something that even people who have valid access need to expend resources for in order to access.
It really seems like ease of access is the enemy; that's a pretty fruitful takeaway.
I do hope you share your blog post about the Gozer Principle on HN when you're done, I look forward to reading that.
Thanks again!