Tuesday, July 21, 2009

Security and the Business Practice

We're often asked to provide an opinion on the security of a software product. We do a preliminary analysis of the software for common software vulnerabilities and hopefully, we don't find any. However, there have been cases when we do find one. Does that mean the business unit shouldn't use the software? Well, we ask a couple of followup questions: 1) is this software needed to run your business operations? 2) Is there another software product that does the same thing but has no software vulnerabilities. Obviously, if the answer to question 2 is "Yes", then we'd recommend purchasing that product. The worrisome situation (from a security standpoint) is when the answer to question 1 is "Yes" and the answer to question 2 is "No". One of our security paradigms is that the user be aware of any security vulnerabilities and accept the risks of using such a product. So, what does "accept the risk" mean? Well, the first thing is that the business users determine the software product is "essential" to their business process and they are aware of a potential security issue with the product. The second thing is that they devise additional procedures to compensate for the weakness. For example, a laser printer that has no access control features might require the purchase of a hardware firewall that will provide access control. The third thing is that the business process owners acknowledge they are willing to assume the risk of using such a product.

We find IT sysadmins focus more on protecting the IT asset rather than protecting the business process that uses the asset. Years ago, a friend of mine got one of the first Macs in her office. After I gushed about how cool it was, she calmly told me that "as far as I'm concerned, that Mac is a stapler. It just helps me do my job. If it weren't here, I'd still have to do my job."

That explains the dilemma that IT sysadmins are in every day. Account lockouts are an example of how protecting the IT asset conflicts with the business process. This is the process where an account is locked out when a user fails to give the correct password after 3-5 attempts. The obvious attack is to simply lock out all of the accounts at once. Why lock the account? It's the easiest thing to do from a sysadmin standpoint. Another example is the practice of restricting where people can go on the web. Presumably, it's to prevent misuse but accessing the web freely is a necessary thing for business use in most university business processes. The way to prevent misuse is to simply enforce the Acceptable Use Policy. Hold people accountable for misuse and we reduce its occurrence. IT staff shortages force sysadmins to make choices that could interrupt the business process. When that happens, people will circumvent the security process because they have a job to do and the security process gets in the way. This circumvention reduces the overall security of the business unit.

So, it comes back to accountability and the willingness of the business to enforce it. Military and high security businesses have it easy. Violate the rules and you're out. It's not so easy in the civilian world and it takes time to find that balance.

The one thing we don't want is for the IT sysadmins to cause a worse security level because of a seemingly draconian security best practice that forces users to go "underground".

1 comment: