Walking the tightrope

So much of security boils down to a compromise between what is desired for utmost security and what is needed for business functions. This can be exceedingly difficult given each organization's unique business culture and methods of operation. Where I work is a prime example of one of the more difficult environments I can imagine.

Our business model is either extremely open and collaborative or extremely secretive, depending on the phase of the project or the nature of the project. For example, when we are competing for a job, we hold our cards close to our chest so that our competitors can’t steal our ideas. However, once we win a job, as long as it isn’t a ‘secure’ job, we become the poster child for collaboration; we share data with clients, consultants, contractors, the public, etc. We also get jobs that require security clearance, isolated networks, etc. (think of Brill’s “jar” setup in the movie Enemy of the State, then add soundproofing as well).

Yesterday I heard that one branch of our business has voiced concern about security in business meetings, saying it’s too restrictive and obtrusive and we need to get rid of it. They have come to this conclusion a couple of ways. First, we have a firewall policy of “default deny.” If it isn’t needed, it isn’t open. For years we had only 6 ports open to the world because that was all we needed. When a firewall change is needed, it must be requested, authorized, then implemented during an approved maintenance window. That all takes time.

Second, our HIPS software is also strongly “default deny,” though not as extreme as the gateway firewalls. This means that newly installed software probably won’t work. Sometimes a software upgrade that changes an application’s behavior breaks it, because the HIPS wasn’t expecting the new behavior and blocks it. The concerned group often tests new apps, so I’ve tried to create query rules that check with the user first before taking action. Unfortunately, now they feel it asks too many questions.

So the point of the story is that when security gets in the way of business, it becomes counter-productive, and if it goes on too long, security will get the axe. It’s important that security professionals maintain a relationship with the business heads as well as those doing the day-to-day work, to ensure that security is keeping a good balance of protection and openness. Unless of course you work in a place that must have absolute security; then by all means, give them paper and colored pencils and be done with it (maybe some carrier pigeons for instant messaging if you’re feeling nice).

After publishing this post, I read this article written today by Robert Graham over at Errata Security. He explains it much better than I do!


Right you are, which is why I like compliance (See dummies, it says so right here since I’m too close to you to be considered an “expert!”) :)

The jar, eh? You are a party animal… :)

Heh…you know me!