Answer me these questions three, ‘ere true security you see.
What is your quest?
Much like the eternal quest for the Holy Grail, our quest is for perfect security. Part of that problem is simply deciding what perfect security is. The answer is that perfect security is perfect for different reasons, for different organizations. I once had a very well-known security person tell me that the only perfect security was a powered off computer, locked in a safe, sealed in a block of cement in a vault. But they forgot about the holy trinity of Information Security – Confidentiality, Integrity, and Availability (CIA). The basic premise of “Availability” means that the information is available when you need it, and goes to support the entire premise of any and all information security programs – security is an enabler that lets us do what we need to do, to meet our business goals, but to do so in a secure manner.
The first thought is to define the best security controls you can for any given security objective. Take identity authentication, for instance. What set of security controls would let you identify yourself to the authentication system in a manner such that it was undeniably you who logged in? Anyone remember the 1997 movie “Gattaca,” where the identity of the characters was determined by sampling blood and matching DNA? You have to admit that would be a pretty solid authentication mechanism (though they did seem to find a way around it in the movie – I won’t spoil it in case you have not seen it). How about a more practical solution?
Biometrics, tokens, passwords, and PINs are all reasonable authentication mechanisms, and they range from stronger to weaker. No one will successfully argue that a four-digit PIN is stronger than a retinal scan, a palm reader, or facial recognition software. Some form of biometric is probably the “more perfect” solution, as long as it can support unique authentication and non-repudiation. That may be appropriate for access to user account information at SmittyBanc, but does Joe’s Hat, Boot and Shoe factory really need that same level of protection? And even if someone says that they should have it, can Joe’s really afford the cost of a fully integrated facial recognition suite in lieu of built-in eight-character passwords?
I once worked with a company that decided they were going to follow the PCI DSS, since they thought it was a good, well-respected security standard. The catch was that they didn’t process any credit cards. Their goal was to say that they processed all client-based information with the same level of protection as credit card data. In the end, this was more control, and more security than they truly needed in their environment. The stated goal was too high. By the time they were finished, some of their environment was pretty strong, but in other areas, the security goal was not as easily attained. After a couple years, and a couple million dollars, they gave up on the DSS and actually planned towards what they truly needed.
In each case, it depends on the use and the user. In each case, there is a security control that works best for that specific situation. There is stronger security, and there is better security, and they may very well NOT be the same thing.
And that in itself is the issue. The security planning and management process should fall back to what really should be basic project management:
1. Define the Problem
2. Define Requirements
3. Define Specifications
4. Implement to the Specifications
The most significant piece here is defining the problem instead of the solution. Look at your data, what you want to protect and need to protect, and everything else flows from there. Your data is the key to everything. Understand what you have, its value, and any regulatory requirements placed on the data. Your security program should be defined to meet the needs of your data, not some relatively arbitrary security edict. If you have not done a full analysis of what your cool data is, along with where it is stored and processed, then you are behind the curve here.
What are you going to do, bleed on me?
There does come a point in time where we have to be done with security planning and implementation, or at least recognize the point of diminishing returns. Sure, you will definitely have a stronger security posture if you build a complete, parallel, hot standby environment that is maintained by real-time backups and supported by fully automated failover. If you need it, and have it, that is awesome. G’d onya. But if you do not “need” it, it is an expensive luxury. This is why “defining the problem” is so important. If you don’t know where you are going, how will you know when you get there?
A long time ago, my grandpa told me a joke: Two men are fishing and a bear charges out of the woods. As the men run, one of them starts hopping along, struggling to put on a pair of running shoes. The second guy looks at him and says, “Why are you doing that, you’re not going to outrun the bear.” At which time the first guy replies, “I don’t have to outrun the bear, I only have to outrun you.”
That is not to say you compromise your operations, but you plan accordingly. Joe’s Hat, Boot and Shoe factory should not have spent $400,000 on that biometric system when the built-in password mechanisms will fully meet their actual needs, regardless of how amazingly cool that biometric system really is. So, the moral of the story is to follow your data, and NOT plan “perfect” security, but plan “appropriate” security.
What is your favorite color? At last. An easy question. Blue. No… Red.