Two-Person Integrity (TPI) is a security control used to protect critical data or functions that carry a high level of risk. Other terms for TPI include Two Party Integrity and the Two Man Rule. These policies increase the defensive capability of an organization.
Two-Person Integrity
The National Institute of Standards and Technology (NIST) defines Two-Person Integrity (TPI) as “[a] system of storage and handling designed to prohibit individual access to certain material by requiring the presence of at least two authorized persons for the task to be performed.”
NOTE: The NIST also provides a definition of Two-Person Integrity pertaining to the handling of Communication Security (COMSEC) keying material. This post is not a discussion of any COMSEC-specific security measures.
In layman’s terms, Two-Person Integrity requires two authorized individuals to be present when certain actions are undertaken. This builds a check and balance into the process itself: the second individual is positioned to stop a rogue insider or an honest mistake before it damages the organization. Two people must agree that a task is being completed correctly and ethically.
TPI In The Real World
In 2013 the United States’ National Security Agency (NSA) suffered a breach that reshaped political and privacy discussions worldwide. Edward Snowden, a contractor working with the NSA, exfiltrated thousands of documents, even though this was a security agency and he was a single systems administrator. When discussing the breach with the Intelligence Committee of the United States Congress, then NSA Director Keith Alexander announced that his agency was introducing a Two-Person Rule to stop such incidents from happening again.
What Needs to Be Protected
Most organizations do not host vast amounts of surveillance data of interest to nation-state actors, but that does not mean TPI is unimportant when building a defensive posture. Any data or process that could be turned against a company, such as comprehensive client financial data, company bank accounts, or the ability to wipe an employee’s hard drive, is a candidate for a TPI policy. This protects against both misuse and mistakes that damage an organization’s reputation and assets.
TPI is not a silver bullet for every security concern. It is less likely that two people will make the same mistake or collude to steal the same information, but it can happen. TPI must be used alongside other security protocols and tools.
Examples of Two Party Integrity
TPI policies are used in varied industries around the world.
TPI is not only applicable to information and data-based organizations. In many construction jobs, a Two Man Rule is enforced. This often requires two individuals to work in tandem to complete high-risk tasks. With a pair working together, costly mistakes can be avoided (as all work is being approved by both). In the event something goes wrong, each must be able to “remove their colleague from the hazardous area” and provide basic first aid.
Another simple example happens in businesses across the globe when they enforce a policy requiring a manager and an employee to count all the cash and deposit it in a vault at the end of a shift together.
TPI mechanisms are common in military settings (and in pop-culture depictions of them). Sensitive materials, such as nuclear launch codes, are protected by requiring two authorized individuals to provide different keys or pieces of information. Consider two officers needing to provide separate codes to launch a missile: this limits the chance of a rogue actor causing an international war with massive casualties. Security agencies, such as the NSA post-2013, also tend to have Two Party Integrity systems, as they handle an immense amount of citizens’ sensitive data that needs to be protected.
DriveStrike implements an optional Two Party Integrity system that requires two admins to initiate consequential actions such as remote wipe or lock.
The Two Man Rule can be as simple as someone on a ladder having a spotter standing at the bottom, or as sophisticated as multiple individuals using complex Multi-Factor Authentication systems to access material.
DriveStrike and TPI
Endpoint security software that provides a means to Remote Wipe devices is a powerful tool that, in the wrong hands, can be incredibly destructive to an organization. This is why DriveStrike offers Two Party Integrity as an additional safeguard within its platform. DriveStrike’s TPI can be configured to require two administrators to approve any Remote Wipe or Remote Lock commands, as well as other sensitive actions such as adding new account users. This means that if a malicious actor wanted to Remote Wipe any device, the individual would need to gain access to two administrator accounts.
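The two-admin approval gate described above (and the check-and-balance idea from the introduction) sketched as code. This is an added example, not DriveStrike’s own code: the admin roster, the function names, the approval window and the rule that only 2FA-enrolled administrators may approve are assumptions.

```python
# Two-person approval gate (added example, not DriveStrike's code; names and the 2FA policy are assumptions).
from dataclasses import dataclass, field
import time

# Constructed roster: administrator accounts and whether each has 2FA enrolled.
ADMINS = {"alice": {"mfa": True}, "bob": {"mfa": True}, "carol": {"mfa": False}}
REQUIRED_APPROVALS = 2           # the "two" in Two-Person Integrity
APPROVAL_WINDOW_S = 15 * 60      # stale requests must not linger as a foothold
SENSITIVE_ACTIONS = {"remote_wipe", "remote_lock", "add_admin"}

@dataclass
class PendingAction:
    action: str
    target: str
    created: float
    approvals: set = field(default_factory=set)
    executed: bool = False

def _check_admin(user):
    if user not in ADMINS:
        raise PermissionError(f"{user} is not an administrator")
    if not ADMINS[user]["mfa"]:
        raise PermissionError(f"{user} must complete 2FA before approving")

def request_action(action, target, requester, now=None):
    """An admin proposes an action; the proposal counts as the first approval."""
    if action not in SENSITIVE_ACTIONS:
        raise ValueError(f"{action} is not gated by TPI")
    _check_admin(requester)
    req = PendingAction(action, target, time.time() if now is None else now)
    req.approvals.add(requester)
    return req

def approve(req, approver, now=None):
    """A second, distinct admin approves; returns True once quorum is reached."""
    now = time.time() if now is None else now
    _check_admin(approver)
    if now - req.created > APPROVAL_WINDOW_S:
        raise TimeoutError("approval window expired; re-request the action")
    if approver in req.approvals:  # one account approving twice defeats the control
        raise PermissionError(f"{approver} cannot approve their own request")
    req.approvals.add(approver)
    return len(req.approvals) >= REQUIRED_APPROVALS

def execute(req):
    """Dispatch the command only when two distinct admins have signed off."""
    if req.executed or len(req.approvals) < REQUIRED_APPROVALS:
        raise PermissionError("action lacks two distinct approvals")
    req.executed = True
    return f"{req.action} sent to {req.target}, approved by {sorted(req.approvals)}"
```

The same structure applies to any consequential action: the point is that no single account, even a compromised one, can both request and approve.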
DriveStrike accounts can be further protected by enabling Two-Factor Authentication, which greatly increases the efficacy of the TPI feature.
By integrating these security mechanisms into the software, DriveStrike has made it simpler for companies to strengthen their defensive postures with the endpoint software suite itself.
Integrate Data Integrity
All organizations should consider where their data is vulnerable and shore those areas up with appropriate TPI mechanisms. The accountability that another set of eyes provides is immeasurable, and protects an organization’s data, customers, and employees. Consider instituting a Two-Person Integrity policy today!