by Mark McCullough, Senior Technical Consultant at Taos
Information security, infosec for short, has traditionally been personified by Mordac, Preventer of Information Services, of Dilbert™ fame: every improvement in security comes at the cost of usability. That model doesn’t work today.
Cloud services create problems of identity and access management, and of securing access to data that no longer sits on your own network. BYOD is spreading across numerous companies. Even on-premises applications are now spun up rapidly in containers, giving infosec little time to study each one in depth. The introduction of IPv6 makes traditional exhaustive IP scans impractical: a single /64 subnet holds 2^64 addresses, so you can no longer find hosts by sweeping the range.
Even core infosec concepts are falling to the new distributed model. The old model of a firm perimeter with all data inside it no longer holds. Today, your data may exist across multiple cloud providers, each with its own security issues.
Infosec must find ways to ease the burden on users rather than create one. That includes better tools such as password managers, which let users choose strong, unique passwords without having to remember them, and SSH keys for automation instead of passwords hard-coded in scripts. None of these ideas individually should surprise a system administrator, but infosec should be at the forefront, pushing them as part of the organization’s overall risk profile and mitigation strategy.
If you make a user’s life easier in many areas, they are more likely to tolerate added complexity in another. If nothing else, it shows that your end goal is still to enable the business, not to create problems.
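As an added example (not code from the original post), here is what the SSH-key advice looks like in practice: a constructed "before" script with the password inline, a grep heuristic for finding such scripts across a directory of cron jobs, and the dedicated key with a restricted authorized_keys entry that replaces it. The host db01.example.internal, the /etc/backup path and the dump-db command are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Host names, paths and the two
# sample scripts are constructed for illustration.
set -u

# "Before": the pattern to get rid of, a password embedded in a cron script.
BEFORE_SCRIPT='#!/bin/sh
PASSWORD="hunter2"
sshpass -p "$PASSWORD" ssh backup@db01.example.internal /usr/local/bin/dump-db'

# "After": a dedicated key, readable only by the automation user, and no secret
# in the script at all. BatchMode=yes makes ssh fail fast instead of prompting.
AFTER_SCRIPT='#!/bin/sh
ssh -i /etc/backup/id_ed25519 -o BatchMode=yes -o IdentitiesOnly=yes \
    backup@db01.example.internal'

# Heuristic check to run over a directory of automation scripts: does the text
# embed a password? Matches "sshpass -p" and pass/password=<literal>, but not
# password="$VAR" (first character after the quote is a $). Returns 0 when
# something suspicious is found, 1 otherwise.
has_hardcoded_password() {
  local pattern="sshpass[[:space:]]+-p|pass(word)?[[:space:]]*=[[:space:]]*[\"']?[^\"'[:space:]\$]"
  printf '%s\n' "$1" | grep -Eiq "$pattern"
}

# Restricted authorized_keys entry for the automation key on db01: the key can
# only run the one command, only from the listed source, and gets no
# forwarding or tty. (OpenSSH 7.2+ can replace the no-* list with "restrict".)
#   $1 public key line, $2 forced command, $3 allowed source hosts/CIDRs
restricted_authorized_keys_line() {
  printf 'command="%s",from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
    "$2" "$3" "$1"
}

# Generate the automation key. No passphrase by design (nothing can type one
# into a cron job), so file permissions plus the restrictions above are what
# protect it; rotate it like any other credential.
generate_automation_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'backup automation' -f "$1"
}

# Demo: only runs where ssh-keygen is installed, in a throwaway directory.
if command -v ssh-keygen >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  generate_automation_key "$tmp/id_ed25519"
  chmod 600 "$tmp/id_ed25519"
  echo "authorized_keys entry for db01:"
  restricted_authorized_keys_line "$(cat "$tmp/id_ed25519.pub")" \
    /usr/local/bin/dump-db "10.0.0.0/24"
  rm -rf "$tmp"
fi

if has_hardcoded_password "$BEFORE_SCRIPT"; then echo "before: hard-coded password found"; fi
if ! has_hardcoded_password "$AFTER_SCRIPT"; then echo "after: clean"; fi
```

The forced command is the important part: a stolen automation key that can only run dump-db from one subnet is a much smaller loss than a reusable password, and the grep heuristic is deliberately loose so it errs toward flagging scripts for a human to look at.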
Being open to criticism is equally important, because users may have an alternative solution you hadn’t thought of. One of my favorite things to ask is “What is the problem you are trying to solve?” Infosec needs to ask that question and to be asked it. The problem infosec is trying to solve may lend itself to a different approach.
Prohibiting these new technologies doesn’t work: if security gets in the way, people will find a way around it, even if that means turning to shadow IT. The more you tighten your grip, the more users and their data will slip through your fingers.