I recently read an article which suggested that as our IT systems become more complex, they also become less secure because of the sheer amount of code, applications, management systems, and equipment involved. While I agree with the fundamental logic presented by this argument, I believe that as systems have become more complex, we also now have more options to automate and monitor our environments than we have ever had before. I have personally seen the opposite trend occurring: though it is true that systems are becoming more complex, new technologies are allowing us to actually simplify our environments and reduce the number of security and monitoring solutions we need to perform our daily tasks.

However, I have recently experienced a situation where deploying a new monitoring and security solution actually violated our security policy. The protocol that the solution used was one of the banned protocols that our security department has deemed to be unsafe. This situation led to a discussion of mitigation and the vulnerability versus benefit of the new system. Thankfully, we were able to work with our security department and mitigate most of the vulnerabilities that concerned our security department and then successfully integrate the system into our environment. This one security and monitoring suite replaced three current systems all using different connections, methods, and protocols, and actually reduced our overall risk exposure.

But what if we had been unlucky enough to have a security department that practices Security Theater? Because the needed protocol was on the banned list, we would have been summarily denied permission to implement the new system. This would have forced us to leave the existing systems in place and left us in a more vulnerable position.

While in this particular situation the benefit outweighed the risk, each new system needs to be evaluated not only against the stated security policy and requirements, but also against a risk versus benefit assessment. Not every new system will fit the mold, and security requirements need to evolve with changes in technology. However, if a new system clearly does not meet requirements and does not provide a benefit that outweighs the risk, it should be denied.

Security policies and requirements are good guidelines for initial system selection and design, but they need to remain flexible in today’s ever-changing IT environments. A policy written even a year ago is probably already out of date. As needs and technologies change, a good security department will adapt and change with them. This type of flexibility will allow a truly secure and functional environment, not just a checkmark in a box.