My name is Bill Guthrie; I am a Virtualization Engineer/Architect specializing in VMware and Microsoft solutions. I have over 20 years' experience in the IT industry working for commercial enterprises, state and local governments, education, health care, and finally the federal government. I have a BS in MIS and am currently pursuing my Master's degree with an emphasis on cybersecurity. I also possess several industry-level certifications such as MCSE and VCP, and I am currently working on my VCDX from VMware and possibly looking at my CISSP in the near future.
In my line of work, a huge focus is put on information security, and the discussion of security versus functionality happens quite often. To a certain point, security and functionality have an inverse relationship: the most secure server is one that is powered off, but of course it provides no functionality. Conversely, a fully functional server may well be very insecure. The real trick (and the goal) is to reach the point of having a server that is secure and still provides the desired or needed functionality.
See "Information Security: An Exercise in Risk Management" at http://www.eonetwork.org/knowledgebase/specialfeatures/Pages/CommunicatingYourMessage.aspx
Several obstacles commonly stand in the way of achieving this goal. Untrained administrators may not know the proper way to secure a system, blanket policies might not take into account changing technologies, or activities may end up as paperwork security or "security theater" (where the perceived security consists mostly of checking the boxes for a stated standard without really understanding the underlying rationale).
Many organizations seem to put random or counter-intuitive security requirements into place, such as requiring 16-character alphanumeric passwords with special symbols, when several studies have shown that passwords over 8 characters actually reduce security, because users and admins will write them down and keep them close to their work areas.
Security is an absolute necessity and should be one of the first considerations of any organization; however, a balanced and smart approach will prove to be much more beneficial and will provide a much better security posture. As both public and private industry expand their information systems and applications, a trade-off between functionality and security must be achieved.