Status: Proposed
Context: We are observing a significant increase in sophisticated attacks against our platform. Adversaries are leveraging advanced techniques, including Generative AI (GenAI), to bypass our existing machine learning-based bot and fraud detection mechanisms. This creates a continuous and escalating challenge to update and retrain our detection models, which struggle to keep pace with the rapidly evolving attack behaviors.
The primary goals of this architectural change are:
- To establish a highly secure and reliable method for customer authentication and platform interaction.
- To significantly reduce the effectiveness of automated and AI-driven attacks.
- To enhance customer confidence and trust by providing a transparent and robust security posture.
- To offer an immediate, in-person support channel for customers, improving their experience compared to potentially delayed global chat support.
The proposal is to introduce physical, brick-and-mortar entry points where customers can be authenticated in person before accessing our platform via secure, dedicated connections.
Decision: We will introduce physical, brick-and-mortar locations as the primary and mandatory entry point for customer authentication and initial interaction with our platform. At these locations, customers will undergo in-person identity verification using their unique platform credentials and a government-issued identification document. Upon successful authentication, customers will be granted access to the platform via secure, on-site terminals that connect to our cloud-based services through a site-to-site VPN.
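One way the platform side can enforce this decision, shown as an added illustration that is not part of this record (the site ids, address ranges, record fields and the 15-minute validity window are all assumptions): a login gateway that admits a terminal session only when the request arrives over a site's VPN tunnel and on-site staff have recorded a matching, recent in-person verification for that customer at that same site.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: VPN tunnel ranges assigned to each physical site
# (hypothetical site ids and addresses, not real infrastructure).
SITE_VPN_RANGES = {
    "site-a": ipaddress.ip_network("10.40.1.0/24"),
    "site-b": ipaddress.ip_network("10.40.2.0/24"),
}
VERIFICATION_TTL_SECONDS = 15 * 60  # assumed validity window of an in-person check


@dataclass(frozen=True)
class InPersonVerification:
    """Record written by on-site staff after checking credentials and ID (assumed schema)."""
    customer_id: str
    site_id: str
    staff_id: str
    verified_at: int  # Unix time, seconds


def site_for_address(addr: str):
    """Map a terminal's source address to the site whose tunnel carries it, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for site_id, net in SITE_VPN_RANGES.items():
        if ip in net:
            return site_id
    return None


def authorize_terminal_session(customer_id, source_ip, verification, now):
    """Decide whether a terminal login may proceed. Returns (allowed, reason)."""
    site = site_for_address(source_ip)
    if site is None:
        # Public-internet sources never reach the login path; otherwise the
        # physical gate could be bypassed by anyone with the credentials.
        return False, "source address is not on a site-to-site VPN range"
    if verification is None or verification.customer_id != customer_id:
        return False, "no in-person verification on file for this customer"
    if verification.site_id != site:
        return False, "verification was recorded at a different site"
    if not (0 <= now - verification.verified_at <= VERIFICATION_TTL_SECONDS):
        return False, "verification is expired or timestamped in the future"
    return True, f"session bound to {site}, verified by {verification.staff_id}"
```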
Alternatives Considered:
- Third-Party MFA Solutions:
  - Okta: Evaluated but deemed too costly. Recent customer data exposures at Okta also raised concerns about the security of their platform and its suitability for protecting our data.
  - FusionAuth (Self-Hosted): Considered, but the additional operational burden of hosting and maintaining this solution was assessed to outweigh the benefits.
- Enhancing In-House Detection Models:
  - We have been continuously improving our proprietary ML detection models with new data. However, the pace at which attackers adapt their GenAI-based models means our reactive enhancements are often insufficient to prevent circumvention.
Consequences:
Positive Consequences:
- Significantly Enhanced Security: Expect a drastic reduction in automated attacks, bot activity, and fraud due to the robust nature of in-person authentication (physical ID, biometric, and human verification).
- Increased Customer Trust & Confidence: The visible investment in security through physical presence and a controlled access environment is likely to increase customer trust.
- Improved Customer Support: Direct, in-person support can resolve complex issues more efficiently and satisfactorily than remote channels.
- Resilient Authentication Process: Security personnel, trained in behavior analysis and stationed at these physical locations, will be more resilient to manipulation and social engineering attempts, as well as to man-in-the-middle attacks.
- Leveraging Existing Secure Environments: Locating centers in financial districts allows us to benefit from the existing high-security infrastructure present in these areas.
Negative Consequences & Mitigations:
- Scalability Limitations:
  - Issue: Providing access to a geographically dispersed user base will be challenging with a limited number of physical sites.
  - Mitigation: A phased rollout strategy will be implemented, starting with major regional locations where a high concentration of our customers is based. During the initial three-month launch period, shuttle services will be offered to customers in surrounding metro areas to improve accessibility.
- Customer Inconvenience:
  - Issue: Requiring physical presence for authentication and platform access represents a higher barrier for customers compared to purely online methods. This may inconvenience users, particularly those distant from a center or with mobility challenges.
  - Mitigation: Strategic selection of easily accessible locations. (This remains a significant trade-off inherent in the decision.)
- Significant Cost:
  - Issue: Substantial financial investment will be required for setting up, staffing, and maintaining these physical brick-and-mortar locations, including secure IT infrastructure, physical security measures, and specialized personnel.
- Implementation Time:
  - Issue: The establishment of physical locations, secure site-to-site VPNs, and the recruitment and training of specialized personnel will be a time-consuming endeavor with a considerable lead time before the system is operational.
- Dependency on Physical Locations:
  - Issue: Business continuity could be impacted if a physical location becomes temporarily inaccessible due to unforeseen circumstances (e.g., power outages, local emergencies, damage to premises).
  - Mitigation: (Further planning for business continuity and disaster recovery for these physical sites will be necessary.)
- Potential for New Physical Security Risks:
  - Issue: The physical premises themselves could become targets for different types of threats.
  - Mitigation: Leveraging the existing security infrastructure of financial districts, implementing robust on-site security measures, and employing highly trained security personnel.
References: (None provided at this time)