Providers see products. Attackers see paths.
The email provider sees an inbox. The mobile carrier sees a number. The device platform sees a trusted device. The bank sees a client account. The assistant sees a working relationship. The principal experiences them as one life. So does the attacker. Control of email can reset a platform. Control of telecoms can recover email. Control of a device account can restore messages and passwords. A convincing approach to an assistant can turn information into an exception. The weakest path can transfer authority across the rest.
Map authority, not importance
A rarely used account may carry more authority than a daily one because it can recover, approve or suppress notification elsewhere. The assessment should therefore map what each node can cause.
- Authenticate — prove identity to another service.
- Recover — bind a new credential or trusted device.
- Approve — authorize a transaction, change or contact.
- Observe — receive alerts, statements or private communications.
- Suppress — remove evidence or prevent another person seeing it.
- Delegate — give a person or application continuing access.
The highest-authority nodes are those that combine several of these powers.
The trust-perimeter review
- List high-consequence accounts, devices, numbers, people and providers.
- Record authenticators, recovery factors, trusted sessions and administrators.
- Draw every path capable of transferring control.
- Identify single points where one compromise grants several authorities.
- Check whether notifications leave the compromised path.
- Confirm that old numbers, devices, staff and providers have genuinely lost access.
- Test one recovery and one emergency communication route.
The diagram should be understandable to the principal and actionable by the people operating the environment. A technical graph no one can use under pressure is not the final product.
Prioritize by consequence
Not every account needs identical protection. A useful priority combines reach and authority.
- Tier one — can move value, disclose sensitive information, recover other tier-one accounts or impersonate the principal.
- Tier two — can materially influence operations, relationships or reputation.
- Tier three — contains useful context but limited direct authority.
Tiering should reduce noise. The office can then apply stronger recovery, monitoring, device and administrator controls to the few nodes whose failure transfers the most power.
The position
The principal does not have a collection of accounts. The principal has a distributed authority system operated by multiple companies and trusted people. Security improves when that system is finally treated as one perimeter.
