Consider a typical company with a large IT infrastructure. On one end of the spectrum is the IT department. They are constantly being told that the goal is “five nines” (99.999%) uptime, faster systems, and greater access to data. For this reason, the IT group is focused on uptime, efficiency, and convenience.
On the other end of the spectrum is the security group. They demand that networks use multi-tiered architecture, two-factor authentication, and that data is tightly restricted based upon a model of least privilege and need to know. These controls invariably introduce administrative complexity and inefficiency into the network and into the process for accessing data, thereby hindering the objectives of the IT department.
This opposition is both critical and necessary. Unfortunately, if the company does not have a mechanism to enforce the required security controls, then the company will default to the path of least resistance, and security will be left by the wayside in exchange for greater efficiency and convenience. Security is critical, but it is important to remember the following point:
Security introduces administrative and operational friction and decreases efficiency and convenience. This results in greater costs and less efficient operations.
Consider a simple example of a firewall rule change. The IT department (or whoever is responsible) decides that they need another port opened on the Internet-facing firewall for a new whiz-bang application that is being deployed. They ask the firewall administrator to open the port, understanding that it takes less than five minutes to open a port on a firewall.
The firewall administrator informs them that, as per company policy, the requester will need to follow these steps. First, the proposed change needs to be documented, evaluated and submitted for consideration by a change control committee. A risk analysis is conducted and, if the change is approved, the change is scheduled through the change control process, which includes an implementation window as well as fallback procedures.
What could have been a five-minute change has now required multiple hours and involvement of several departments. It is likely that the change will not be made for well over a week, if not longer. This process, however, is critical to minimize the impact of the change.
The “all or nothing” approach to security
Companies are faced with a delicate balancing act. From a security perspective, the absolute best form of information security is to simply NOT be connected to the Internet, not use email, and implement NSA-type controls. The result would be that the company would likely go out of business rather quickly, as it could not function effectively.
On the other end of the spectrum is complete access to all data and systems without any controls. This is certainly an efficient model, but one that often results in a company being highlighted in the media after the inevitable data breach.
The challenge lies in balancing security and business needs in a manner that allows business to be conducted while minimizing the risk to the organization. Regardless of how little or how much security is deemed necessary, to appropriately manage the risk it is critical to remember the following:
Without a documented, approved and enforced security policy, security will eventually erode and become subordinate to business needs (efficiencies).
Consistent, enforceable policies are key
Security requires consistent, repeatable controls. It is not possible to ensure consistency or repeatability without documented processes. More important than the policies is the enforcement of the policies. If people do not feel there is a penalty for not following the rules, then the rules will slowly begin to fall by the wayside. There must be buy-in from management and enforcement must be consistent and appropriate. Finally, while we all like and trust each other, never forget the rule of security: trust but verify.