Four Eyes


The four-eyes principle (also known as two-man rule or no-lone-zone) stipulates that for certain very critical operations like the launch of a nuclear weapon or the handling of very sensitive cryptographic key material, at least two qualified persons must be actively involved.

I think the same principle should hold true in some IT operations work; for example some servers are running software that is both very important to keep running, and is also handling very sensitive data. Examples might be banking or healthcare services. A mistake or malice while operating this software can be very harmful. For example: causing significant downtime for a healthcare system can result in degraded level of care for patients in hospitals. Another example: leaking details of police staff can result in serious harm to those staff.

I work for a fully-remote software company which handles healthcare data and provides live services using that data. One additional challenge of fully-remote working is securing access to servers. Remote access to servers is a hard requirement: in order to do my job I must access servers that run our software. However, this means that the security of those servers is only as good as my own physical security.

There is a hole in the market for a remote ‘four-eyes’ system. My boss suggested something as ‘simple’ as an SSH server which requires two separate authorized users to access, and where every shell command must be confirmed by both users before executing. This means at least two system administrators must be compromised (or complicit) in order for a breach to occur. In theory this is significantly less likely than a single administrator being compromised.

There are packages for Go and other programming languages which implement the SSH protocol, and I think it’s possible to implement such a server. It’s something I plan to explore.