Friday, January 12, 2007

A battle of best intentions...

I love the line in this New York Times Technology article that says "It is a battle of best intentions: productivity and convenience pitted against security and more than a little anxiety." - that's so true! This article is talking about the network administrator's security nightmare that is web-based mail accounts. It's true that sales and marketing guys just want to be as "efficient" as they can - they are not usually really that malicious - just often incredibly ignorant of the threats and possible costs. So forwarding information (and even attachments) off to web-based mail accounts seems like a good thing to do, right - surely?

It's impossible to expect anyone not actively involved in the security process at a firm, and the rationale behind it, to accept, or even comprehend, why the so-called "barriers" are put in their way - and that sort of active involvement is impossible to implement across an entire enterprise. But as IT professionals we must undertake to spread the word any chance we get - any time.

We should also place the responsibility for the existence of these "barriers" firmly with informed business managers - by informed I mean completely briefed on the risks and costs of lax security, and just how easily exploits can be raised. If after comprehensive training of all these managers they still want to drop their guard, so to speak, and remove any of the barriers, how much more can you help them? They can make an informed decision between the cost of lowering security and the benefit to be gained.

My approach is usually to say - it's not me that wants these measures in place, it's your manager. What is left unsaid is that I (or someone in IT) am the one responsible for scaring them into accepting nothing less. That scaring is not that hard to do. Point out the risk of their department being responsible for a lawsuit against the entire company for breaching privacy laws, versus the ability for someone to copy their digital photos of "junior's" latest school concert, and see how easy it is.

But this web-based email loophole is a bit harder to police - technically. Which points out another major premise upon which we have to base so much of our network security - it's only partly (say 70%) about IT-implemented safeguards. The rest comes down to common sense. You can't fight off the Indians outside the fort if they are also running around inside the fort (thanks Gavin for that analogy). So this is where your best defense - or one of the best weapons in the arsenal - is the job interview. If possible, or manageable, make some sort of common-sense security screening part of the interview process. Of course this won't be easy or even possible if you're recruiting 1000 people a year, but for small to medium sized companies where security is an issue (all of them, right?) don't underestimate the value of the job interview for helping implement network security. Signing network acceptable use policies is common practice now and a great starting point - from that point on you have the opportunity to continually make network and information security an integral part of the company culture.

That's my rant over with - completely off the top of my head, and all because I read a line I liked in this article.