The Refrigerator Policy Continued: The Bedroom Door

Last time, I explained my mostly-a-joke security principle: The Refrigerator Policy. Today, I’d like to extend this policy by introducing multi-layer authentication.

Multi-layer authentication is not the same thing as multi-factor authentication. Multi-factor authentication means that in order to access one resource, you need multiple factors, hence the name. Multi-layer authentication is instead more akin to hierarchical group policy, where resources are organized into nested layers, each with its own independent authentication boundary. Rather than requiring multiple credentials to unlock a single resource, you’re placing separate gates at different depths. Gaining access to one layer grants access to everything at that level, but deeper layers require passing through their own distinct “checkpoints.”

Listen, I’m no cybersecurity expert. When I explained my idea of the Refrigerator Policy to someone at work, they told me “well, yeah, but what if you want to have a lock on your safe?” And then I realized that the hidden principle at play here is just to understand layered access. You don’t need every single resource to have a separate lock, but you should definitely understand the different layers of resource access that are available.

I don’t think I’m completely off the wall with this idea. In ancient times, castles were designed with this exact idea in mind. Medieval castles used defensive structures like moats, drawbridges, a portcullis, and an inner keep as successive rings of protection. Not surprisingly, it applies in the modern era as well. Silva Consultants, a security consulting firm, writes that an absolute minimum of three layers should exist between the outside world and any type of high-value asset. They also use my exact point: “[A]n employee may fail to lock a valuable piece of equipment in a cabinet as per established procedures, but instead leaves the equipment lying out openly on a desk. If the employee’s office is locked, and access to the department is controlled, the equipment is still protected,” showing that the core security principle is not to throw multi-factor authentication at every asset, but instead to design your system with multiple layers of access fundamentally in mind [1].

Think of it this way: just because someone is in your house doesn’t mean they should have access to your bedroom. Your front door is one layer, because it keeps out the general public or your snooping neighbors. Your bedroom door can be another layer, because while you may not want to lock your kitchen from your guests (or your refrigerator), you may want to lock your bedroom. And if you have a safe inside your bedroom closet, that’s yet another layered circle of protection.
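Here is the house analogy as a small access model. This is an added example, not code from the original post: the `Layer` and `Session` classes, the key strings, and the resource names are all hypothetical and constructed for illustration. It shows that each gate is checked independently, and that a safe left unlocked is still protected by the doors around it.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Layer:
    """One ring of protection with its own independent gate."""
    name: str
    secret: Optional[str]               # None models a gate left unlocked
    parent: Optional["Layer"] = None
    resources: set = field(default_factory=set)

    def path(self):
        """Every layer from the outermost ring down to this one."""
        return (self.parent.path() if self.parent else []) + [self]

class Session:
    def __init__(self):
        self.passed = set()             # names of gates this visitor has cleared

    def blocked_by(self, layer):
        """Names of locked gates on the way to `layer` not yet cleared."""
        return [l.name for l in layer.path()
                if l.secret is not None and l.name not in self.passed]

    def unlock(self, layer, credential):
        """Try one gate; every outer gate must already be cleared."""
        if layer.parent and self.blocked_by(layer.parent):
            return False
        if layer.secret is not None and hmac.compare_digest(layer.secret, credential):
            self.passed.add(layer.name)
            return True
        return False

    def can_access(self, layer, resource):
        return resource in layer.resources and not self.blocked_by(layer)

# Constructed layout and credentials, following the house analogy.
house = Layer("front door", "house-key", resources={"refrigerator", "kitchen"})
bedroom = Layer("bedroom door", "bedroom-key", house, {"closet"})
safe = Layer("safe", "safe-code", bedroom, {"passport"})

def demo():
    guest = Session()
    guest.unlock(house, "house-key")
    skipped = guest.unlock(safe, "safe-code")    # right code, bedroom not cleared
    fridge = guest.can_access(house, "refrigerator")
    passport = guest.can_access(safe, "passport")
    safe.secret = None                           # owner forgets to lock the safe
    still_blocked = guest.blocked_by(safe)       # outer layers still hold
    safe.secret = "safe-code"
    return skipped, fridge, passport, still_blocked
```
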

So, that brings us to the end! The point of security isn’t to put a padlock on every drawer in your house. The point is to think deliberately about which resources live at which layer, and design your architecture around that.