Educause Security Discussion mailing list archives

Re: Security vs. Business Process. Does Business Process trump Security Process?


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Sat, 4 Jul 2009 16:49:35 +1200

On 3/07/2009, at 4:07 AM, randy marchany wrote:

The recent thread on blocking email attachments reminds me of a
discussion I had a couple of months ago on how IT sysadmins might be
making our overall security posture worse by pursuing the wrong
security strategy.

Great stuff Randy!

I keep telling anyone who will listen:  "Security *must* work for the
folk at the coal face".  It is all too easy to enact restrictions in
the name of security that change the behaviour of people in
undesirable ways.  The other thing I repeat without end is "That
security is ultimately all about people".  Corollary is that unless
you have the people stuff right you can throw all the technology you
like at the problem to no avail.

The classic example of this is frequent changes of complex passwords
that result in most users writing them down somewhere easily accessible.

You will note my post in the email blocking thread. Before we started
blocking email attachments we made sure that there was another way
that people could easily transfer files.  It also solved another
problem, that of huge attachments that gave the mail system
constipation....  People soon worked out that they could use the
system to distribute a single (possibly large) file to a whole group
of people in a reasonably secure manner with a single tiny email.

Ah! one wrinkle in our 'blocking' strategy I did not mention is that
we actually quarantine files and the users get an email which they can
forward to the service desk to get the file released.  The combination
of these two tactics to mitigate the adverse effects of our defensive
strategy has meant that we had almost no user reaction to the
restrictions.

Here is another example of this sort of thing: currently we are
looking at technology to control p2p traffic, I am insisting that any
solution include a system with a simple web page that *staff* can use
to whitelist themselves and specific grad students who they are
responsible for.   The web page would have a link to various policies
(including the university's policy on copyright and details of various
copyright deals that the university has entered into) and a button
labelled "I have read the above policies and undertake to use
university resources in keeping with the spirit of the policies"  or
something like that.

What is the point of this?  Well, in our case the limiting of p2p
traffic is mainly a legal one around the issue of copyright
infringements.  Our lawyers tell us this effectively shifts any
liability on to the staff member involved if the university can show
that they breached policy.  The reason for buying the technology is
mainly to mitigate the legal risk,  the web page allows legit use to
proceed easily without reducing the effectiveness of the legal cover
*and* without involving me in lots of work which the current system
does.

In short being very clear about exactly what risks you are trying to
mitigate really is vital.

Russell
