“Pick your poison” – Security or Convenience February 15, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: access control, armed security, Chris Mark, mark consulting group, markconsultinggroup.com, risk management, security, security policy
I have discussed the challenges of security & convenience for some time. The latest news regarding the 10-year breach of Nortel gave me new fodder for the discussion.
Whether we are discussing information security, physical security or operational security (to name a few), the concepts of security & convenience are diametrically opposed. When we talk of convenience we can include operational efficiency in the discussion. Consider a company like Nortel with a large IT infrastructure. On one side of the discussion is the IT department. They are constantly hearing about how they need 99.999% uptime and faster systems. In the payment card industry, where transaction times are critical, additional latency can be problematic. They also hear over and over about how someone needs more access to more data. For this reason they are focused on uptime, efficiency, and convenience. On the other side of the debate are the security folks. They demand that networks use multi-tiered architecture, two-factor authentication and other controls. These controls invariably introduce inefficiencies into the network, thereby hindering the objectives of the IT folks. This opposition is critical and necessary. Unfortunately, if the company does not have a mechanism to enforce the security controls required, then the company will default to the ‘path of least resistance’ and security will be left by the wayside. Security is critical, but it is important to remember the following point.
Security introduces administrative and operational friction and decreases efficiency and convenience.
Consider another simple example: a firewall rule change. The IT department (or whoever is responsible) decides that they need another port open on the Internet-facing firewall for a new application that is being deployed. They ask the firewall administrator to open the port. This is a 5-minute change. The company, however, has a robust security policy that requires multiple steps. Instead of simply making the change, the proposed change needs to be documented, evaluated and submitted for consideration. A risk analysis is conducted and, if approved, the change is scheduled through the change control process, which includes an implementation window as well as fall-back procedures. What could have been a 5-minute change has now required multiple hours and the involvement of several departments. This process, however, is critical to minimize the impact of the change.
Now consider access control. Access control principles dictate that access to assets be based upon 1) a need to know and 2) the principle of least privilege. Notice that it is not based upon “title” (although titles are often associated with roles). I have worked with clients where I have told them that to meet the requirements the CEO could not have administrative privileges. Upon hearing this the CEO informed me that “he was the CEO”. That was true, but if his job did not require admin privileges then it was not consistent with the principles of information security to allow him access, irrespective of his title and position.
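The following is an added example, not code from the original post, showing what the two access control principles above look like when written down as an authorization decision. Permissions are attached to job functions (roles), a separate need-to-know list records which data sets a person's job actually requires, and the user's title is stored but deliberately never consulted. Every decision is appended to an audit log so that the denials can be reviewed afterwards ("trust but verify"). The roles, permission names, users and data sets are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example data (not from the original post): permissions are
# attached to job functions (roles), never to a person's title.
ROLE_PERMISSIONS = {
    "executive":       {"read:financials", "read:board-minutes"},
    "finance-analyst": {"read:financials"},
    "sysadmin":        {"admin:servers", "read:syslog"},
}


@dataclass(frozen=True)
class User:
    name: str
    title: str                 # informational only; never an input to authorization
    roles: frozenset           # job functions assigned through the access process
    need_to_know: frozenset    # data sets this person's job actually requires


AUDIT_LOG = []   # every decision is recorded so it can be verified later


def effective_permissions(user: User) -> set:
    """Least privilege: a user holds only the union of their roles' permissions."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: User, permission: str, dataset: Optional[str] = None) -> bool:
    """Authorization decision.

    1. Least privilege: the permission must be granted by an assigned role.
    2. Need to know: if the request names a data set, that data set must be
       one the user's job requires.
    The user's title is deliberately not consulted by either check.
    """
    granted = permission in effective_permissions(user)
    if granted and dataset is not None:
        granted = dataset in user.need_to_know
    AUDIT_LOG.append((user.name, permission, dataset, "ALLOW" if granted else "DENY"))
    return granted


def denied_requests() -> list:
    """'Trust but verify': the denials are what a reviewer looks at first."""
    return [entry for entry in AUDIT_LOG if entry[3] == "DENY"]


# Constructed users for the illustration.
CEO = User("Jane", "CEO", frozenset({"executive"}), frozenset({"corp-financials"}))
ANALYST = User("Ravi", "Analyst", frozenset({"finance-analyst"}), frozenset({"emea-financials"}))
ADMIN = User("Mei", "Systems Administrator", frozenset({"sysadmin"}), frozenset())


if __name__ == "__main__":
    # The CEO's title grants nothing; only the assigned role does.
    print(is_authorized(CEO, "admin:servers"))                          # False
    print(is_authorized(CEO, "read:financials", "corp-financials"))     # True
    # Same permission, but a data set outside the analyst's need to know.
    print(is_authorized(ANALYST, "read:financials", "apac-financials")) # False
    print(is_authorized(ANALYST, "read:financials", "emea-financials")) # True
    print(is_authorized(ADMIN, "admin:servers"))                        # True
    for entry in denied_requests():
        print("DENY", entry)
```

Note that the two checks are independent: the analyst holds the `read:financials` permission through their role and still gets denied on the APAC data set, because least privilege answers "may this role do this at all" while need to know answers "does this person's job require this particular data". Granting the CEO a `sysadmin` role would be the only way to obtain `admin:servers`, which is exactly the decision the post argues should be made on job function rather than title.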
Companies are faced with a balancing act. From a security perspective, the absolute best form of information security is to not be connected to the Internet, not use email and implement NSA-type controls. The result would be that the company would go out of business rather quickly, as it could not function effectively. On the other end of the spectrum would be to have no security controls and focus only upon efficiency. The end result is often what we see in the Nortel situation. The challenge lies in balancing security and business needs in a manner that allows for business while minimizing the risk to the organization. Regardless of how little or how much security is deemed necessary to appropriately manage the risk, it is critical to remember the following:
Without a documented, approved and enforced security policy, security will eventually erode and become subordinate to business needs (efficiencies).
Security requires consistent, repeatable controls. It is not possible to ensure consistency or repeatability without documented processes. More important is the enforcement. If people do not feel there is a penalty for not following the rules, then the rules will slowly begin to fall by the wayside. There must be buy-in from management, and enforcement must be consistent and appropriate. Finally, while we all like and trust each other, never forget the rule of security: “trust but verify.”
[…] The intrusions reportedly began after attackers used passwords stolen from the company’s CEO, as well as six other senior executives, together with spyware. By 2004, a Nortel employee did detect unusual download patterns associated with senior executives’ accounts, and changed related passwords. The security team also began watching for signs of suspicious activity, but apparently stopped doing so after a few months. The full extent of the breach wasn’t discovered until 2010, by which time hackers had been accessing Nortel secrets–from technical papers and business plans, to research reports and employees’ emails–for nearly a decade. “This is a clear case of a total failure of an information security program and should be a wakeup call for other corporations,” said Chris Mark, principal of the Mark Consulting Group, on the Global Security & Risk Management blog. […]