While fundamental security principles are forgotten the world sinks into breach chaos...
Newswires, governments and major businesses around the world are buzzing this week as successive waves of embarrassment are heaped on leaders of nations and public figures alike. For me it was like an accident waiting to happen and one I have been warning corporate colleagues about for several years since first hearing about the whistleblowing site - but to little apparent avail.
The overwhelming reaction to the Wikileaks publications also comes as no real surprise; a witch hunt to find and bring to justice the founder of the Wikileaks site - a classic case of shoot the messenger - rather than looking at the real culprits and root causes of these mass breaches of commercially and diplomatically sensitive information. In our quest for ever greater efficiency, we've inadvertently put the goats in charge of the cabbage patch.
This also comes at a time when the global enterprise security market saw double-digit growth in the first half of this year and an estimated value of $15 billion by year end. But no amount of security technology or even process will help unless we first go back to basics and set up the fundamental rules that our security technology, procedures and people will work together to enforce.
Let me take you back in time… (cue wavy patterns). When I first became involved in information security some 20 years ago, the subject was mainly the province of a handful of well known academics and had its roots firmly planted and still visible in the government and military spheres. There were comparatively few security products available, apart from a few firewalls and anti-virus packages, and the majority of security was enacted via a series of operational procedures handcrafted to each system or business process. The only compass we had to follow in putting all these products, procedures and policies together was a set of core security principles – a kind of Ten Commandments list - that set out the fundamental rules and objectives we were trying to achieve. Let’s take a couple of these and test them against today's security management and mishaps:
- Default to denial - "access control where everything is denied except that which is expressly permitted". This means that rather than give everyone to right to access everything, we started with nobody getting anything and then added the rights, one by one, for specific individuals to have access to specified systems and resources based on a demonstrable business need. Now look at this in context of the thousands of spreadsheets and databases containing millions of sensitive records that circulate in, for example, a modern financial organisation...
- Need to know basis - "people are only made aware of sensitive information if they can be shown to have a fundamental business or operational need to access it". Well, that one seems to have gone right out the proverbial window in the US government's case; where literally millions of government employees are apparently allowed to access many feeds containing information pertinent to national security. You don't have to be a psychology guru or a mathematical wiz to work out that in those millions there will be at least one idiot or employee with a grudge waiting to bring the whole house of cards down - and in this case yes, yes, and err, yes.
The solution is not the product.
What seems to have happened in recent years is that the plethora of available security products has somehow given rise to the belief that buying and installing a security product is itself the solution to a security requirement. You can see evidence of this when looking at a security group's standards and procedures. More often than not these will consist of detailed standards relating to the management of a specific piece of security vendor kit, like "Security standard for Whizzbangbox V8.1 gateway"
In fact, security products are only one facet of the security structure; that also requires security policies, procedures, architecture and above all - a clear strategic objective showing how all of this works together to deliver conformance to one or more of the fundamental security principles that the organisation should have adopted.
"the new firewall is up and running"
"what kinds of access does it allow?"
"everything"
"who's permitted to access through it?"
"everyone"
You might laugh - but this satire might be closer to the truth than we would like to think. The planets revolve happily around the sun, but take the sun away and worlds would be whizzing off in all directions. So it is with security measures. Without a set of core security principles at the centre; all the security products, standards, procedures and education we put in place will gradually degrade into a patchwork of loose controls - easily circumvented. I know of organisations that put more effort into granting exceptions to the rules than they do into having a decent set of strategically driven rules and education in the first place. The result is a gradual erosion of security, much as dripping water eventually wears holes through what was once impervious rock.
What I'm about to conclude with isn't exactly new. You see it in every disaster movie or corporate crisis, where the whole world is spinning out of control with people running around and shouting what can we do? Until somebody sensible calmly announces "let’s take this back to basic principles".