Taos, Inc.

February Issue of the Taos Newsletter: IT Security

Acceptable Risk: The Key to Successful Security is Knowing How Much is Enough

Taos Professional Services

Tim's article mentions the importance of Vulnerability Management as the key to managing your corporate risk from an IT perspective. There is an implicit observation here that is profound and far-reaching in its impact on how you should approach a security strategy.

When it comes to information security, companies are fighting a battle they cannot win. Given the ever-increasing complexity of IT environments, the imbalance between "us" and "them" is stark: an attacker needs to succeed once, while the defender has to be right every time, and the cost of a single failure falls almost entirely on the defender. Most organizations acknowledge this and respond by doing everything they can to reduce vulnerabilities of every kind, hoping to drive their chance of failure down to a minimal level.

However, what is really required is the recognition that some risks may be acceptable. The complexity of IT environments and the rate at which new vulnerabilities appear mean that the work of mitigating them will eventually outstrip any organization's ability to address them all. Rather than striving to fix every known risk, organizations will only succeed if they identify and assess their known risks and ensure that the impact and probability of each are at levels acceptable under their business conditions.

What is profound here is that, for IT leaders, it creates a framework for success. Under the old approach every breach, however unlucky, can be construed as a failure of the organization. In this new framework, a breach is an instance of an accepted risk; as long as the organization is diligent in ensuring that the likelihood and impact of breaches stay in line with what the business has agreed to accept, its security strategy is successful regardless of how many breaches occur.

Of course, the road to unemployment is paved with good theories; reality requires putting theories into practice effectively. In Taos' view, successful security and the application of this principle rely on understanding a company's risks and business needs, and on creating solutions that adhere to this philosophy at all levels and in all areas of our work with the client. Here are two specific examples of how our consultants have adopted this approach with our clients.

Example 1: Sometimes Business Conditions Inherently Create Enough Security

Our first example illustrates how Taos helped a client adopt a security solution with an acceptable level of risk, where part of that security was already inherent in the client's existing business conditions and did not have to be reproduced through technology.

This particular customer needed to secure vendor workstations that were used by onsite contractors or partners. These outside parties frequently worked with multiple groups within the organization. However, the internal network topology was very open and collaborative - once someone was "in", they had access to virtually any and all information on the network. The customer had two concerns:

  • Partners might accidentally come across proprietary company information, and
  • Partner A might come across information from partner B who happened to be Partner A's direct competitor.

To address the problem, the Taos consultant restricted access from the vendor workstations by eliminating all automounting of filesystems and statically mounting only the file systems that vendor needed. Additionally, host access was restricted by setting up allow/deny ACLs for ssh and NFS mounts, so that a vendor workstation could reach only the hosts it was explicitly listed for. This was adopted as the mandatory means of connecting across systems.

However, without a disciplined process for maintaining the ACLs and for disabling unauthorized services such as telnet and rsh (an allow/deny list on ssh is worth little while an unrestricted rsh daemon is still listening), there remained a possibility that the measures would not be sufficient in and of themselves. On the flip side, there was also sensitivity that restricting access too much might inhibit productivity. In weighing the trade-offs, the client concluded that the solution as implemented created a sufficient level of security when compared to the risks.
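The two controls just described, host allow/deny lists for ssh and NFS and the removal of legacy services, are easy to get subtly wrong, so here is an added example (not Taos' code, and not the client's actual configuration) that reproduces the decision order of a TCP-wrappers style hosts.allow/hosts.deny pair, which is the usual way such ACLs are applied to sshd and mountd on Unix hosts, and audits an inetd.conf for services that should be off. All addresses, file contents and service names are constructed; hostname and domain patterns are deliberately out of scope so the script runs offline.

```python
"""Evaluate hosts.allow / hosts.deny rules and audit inetd.conf for legacy services.

Added example, not Taos' or the client's code. Reproduces the hosts_access(5)
decision order used by TCP wrappers:
  1. first match in hosts.allow  -> allow
  2. first match in hosts.deny   -> deny
  3. no match in either file     -> ALLOW (the trap: an empty hosts.deny is an open door)
Client patterns supported: ALL, exact IPv4, dotted prefix "10.10.5.", net/mask,
CIDR, and "list EXCEPT list". Hostname/domain patterns raise ValueError here.
"""
import ipaddress

# Constructed configuration for a vendor workstation segment (hypothetical addresses).
HOSTS_ALLOW = """\
# vendor-a workstations may reach the jump host and their project NFS server only
sshd   : 10.10.5.0/255.255.255.0 EXCEPT 10.10.5.99
mountd : 10.10.5.0/24
"""
HOSTS_DENY = """\
ALL : ALL
"""

# Constructed inetd.conf fragment: telnet commented out, rsh ("shell") still live.
INETD_CONF = """\
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
shell   stream tcp nowait root /usr/sbin/tcpd in.rshd
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd
"""
LEGACY_SERVICES = {"telnet", "shell", "login", "exec"}   # telnet, rsh, rlogin, rexec


def _parse(text):
    """Return [(daemon_list, client_list)] ignoring comments, blanks and the option field."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((parts[0].split(), parts[1]))
    return rules


def _client_match(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # dotted prefix such as "10.10.5."
        return ip.startswith(pattern)
    if "/" in pattern:                         # net/mask or CIDR; ipaddress accepts both
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(ip) == ipaddress.ip_address(pattern)


def _list_match(client_list, ip):
    """'a b EXCEPT c d' matches when any of (a, b) matches and none of (c, d) does."""
    tokens = client_list.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_match(" ".join(tokens[:i]), ip)
                and not _list_match(" ".join(tokens[i + 1:]), ip))
    return any(_client_match(tok, ip) for tok in tokens)


def _rules_match(rules, daemon, ip):
    return any((daemon in daemons or "ALL" in daemons) and _list_match(clients, ip)
               for daemons, clients in rules)


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if tcpd would admit client_ip to daemon under these two files."""
    if _rules_match(_parse(allow_text), daemon, client_ip):
        return True
    if _rules_match(_parse(deny_text), daemon, client_ip):
        return False
    return True   # implicit default: nothing matched, so access is granted


def audit_default_deny(deny_text=HOSTS_DENY):
    """True only if hosts.deny carries the catch-all 'ALL : ALL' rule."""
    return any("ALL" in daemons and clients.split() == ["ALL"]
               for daemons, clients in _parse(deny_text))


def enabled_legacy_services(inetd_text=INETD_CONF):
    """Return the clear-text legacy services still switched on in an inetd.conf."""
    found = set()
    for raw in inetd_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and line.split()[0] in LEGACY_SERVICES:
            found.add(line.split()[0])
    return found


if __name__ == "__main__":
    for daemon, ip in [("sshd", "10.10.5.20"), ("sshd", "10.10.5.99"), ("in.telnetd", "10.10.5.20")]:
        print(f"{daemon:10} from {ip:12} -> {'allow' if hosts_access(daemon, ip) else 'deny'}")
    print("default deny present:", audit_default_deny())
    print("legacy services still enabled:", enabled_legacy_services())
```

The two checks at the end are the ones worth scripting into the "disciplined process" the text calls for: `audit_default_deny` catches a hosts.deny that has been emptied during troubleshooting (after which every unlisted host is admitted), and `enabled_legacy_services` catches an rsh or rlogin entry left live in inetd.conf, which would bypass the ssh ACL entirely.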

The key was that the client was merely looking to prevent accidental breaches. Only through a deliberate effort might an outside party circumvent the measures that were in place. Therefore, there was an inherent business deterrent - partners and vendors would not want to be caught circumventing the measures in a premeditated manner and risk losing their business relationship with the client. This inherent deterrent was strong enough to make the client comfortable with the level of risk.

By recognizing the deterrent implicit in the business condition, the resulting solution created an accepted and identified level of risk without creating a lot of administrative overhead or prohibitive constraints on users' productivity. In this example, Taos created a risk profile that the client deemed acceptable and that did not require any further investment of time and money to mitigate.

Balancing technology measures with business measures is just one way Taos can help clients create acceptable risk and ensure the success of their security strategy. In another example, a team of Taos consultants used a combination of preventative, detective, and corrective measures to reduce both the likelihood that a risk is realized and its impact to acceptable levels.

Example 2: A Combination of Preventative, Detective, and Corrective Measures

With this customer, as with many others, virus infections introduced by external machines connected to the local network were a real problem. In addition to having a variety of third parties on site at any time, the company had several financial auditors coming in on a regular basis. As a result, the frequency and number of onsite visitors was quite high, and any process that required them to check in with the IT group before connecting, physically or virtually, would have placed an unacceptable burden on either the visitors or the IT group.

The key to success for this project was to limit exposure by designating specific visitor locations with their own network connections. The Taos team segmented those connections onto a separate, external topology outside the internal network. In so doing, external parties could connect whenever they needed without any IT interaction, and internal employees working from a visitor location reached the inside using their normal VPN client, just as they would from home, providing a solution acceptable to all parties.

Additionally, such an agreement set the stage for uncompromising security measures against external parties that did not abide by it. The team built an automated solution in which all internal MAC addresses were stored in an internal database; any unauthorized MAC address appearing on the internal network generated an alert to the team and an automatic shutdown of the switch port in question. Because a MAC address can be cloned trivially, this detects accidental or careless connections rather than a determined intruder; that limitation matched the risk the client had chosen to accept.
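The alert-and-shutdown loop described above is the kind of thing that gets written once and then trusted for years, so here is an added example (not Taos' code, and not the client's actual implementation) of the detection and response logic: it parses a constructed Cisco-style MAC address table dump, compares each learned address against a registry of authorized MACs, and returns the alerts plus the port shutdown commands an operator or script would push. The registry contents, port names and table output are all constructed; the protected-port list is an assumption added so that an unregistered address on an uplink is alerted on but never auto-shut.

```python
"""Detect unregistered MAC addresses on internal switch ports and plan the response.

Added example, not Taos' or the client's code. Input is a constructed
'show mac address-table' dump plus a constructed registry of authorized MACs.
Output is a list of alert strings and the IOS-style shutdown commands to apply.
Caveat: MAC addresses are trivially spoofed; this is a tripwire for accidental
connections, not a barrier against a deliberate attacker.
"""
import re

# Constructed registry standing in for the internal MAC database (hypothetical values).
AUTHORIZED = {
    "00:11:22:33:44:55": "ws-finance-01",
    "00:11:22:33:44:66": "ws-hr-02",
    "00:11:22:33:44:77": "printer-3f",
}
# Assumed: uplink/server ports that must never be auto-shut, whatever appears on them.
PROTECTED_PORTS = {"Gi0/24"}

# Constructed 'show mac address-table' output: three known hosts, two strangers.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  10    0011.2233.4477    STATIC      Fa0/3
  10    00aa.bbcc.dd01    DYNAMIC     Fa0/7
  10    00aa.bbcc.dd02    DYNAMIC     Gi0/24
"""

_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)


def normalize_mac(mac):
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55; return lower-case colon form.

    Normalizing first is what prevents a registry in one format from silently
    failing to match a switch that reports in another.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_mac_table(text):
    """Yield (vlan, mac, port) for each learned-address row; header lines do not match."""
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            yield int(m.group(1)), normalize_mac(m.group(2)), m.group(4)


def find_unauthorized(table_text, authorized=AUTHORIZED):
    """Return [(vlan, mac, port)] for every address not present in the registry."""
    return [(vlan, mac, port) for vlan, mac, port in parse_mac_table(table_text)
            if mac not in authorized]


def plan_response(table_text, authorized=AUTHORIZED, protected=PROTECTED_PORTS):
    """Return (alerts, shutdown_commands); protected ports are alerted on but never shut."""
    alerts, commands = [], []
    for vlan, mac, port in find_unauthorized(table_text, authorized):
        msg = f"ALERT vlan {vlan}: unregistered MAC {mac} on {port}"
        if port in protected:
            msg += " (protected port, manual review required)"
        else:
            commands += [f"interface {port}", " shutdown"]
        alerts.append(msg)
    return alerts, commands


if __name__ == "__main__":
    alerts, commands = plan_response(MAC_TABLE)
    print("\n".join(alerts))
    print("commands to push:", commands)
```

In practice the table would come from a periodic poll of each access switch (SNMP or a scripted login) and the commands would be pushed back the same way; the exclusion list is the piece most often forgotten, and without it the first unregistered address learned on an uplink takes the whole floor down.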

In this example, a key concession from the business, namely designated connection points for visitors, reduced the risk in two ways: it confined exposure to a controlled area, and it created a context in which the business had to give up nothing further, since visitors connect without IT involvement and employees keep their usual VPN client. As a result, the Taos team was able to create an architecture that required little or no oversight, carried a tolerable risk, and had an accepted impact on the working environment. Identifying the business concessions that are actually available is an important element of Taos' success in developing effective security measures for our clients.

Expertise, properly applied to preventative measures, can create acceptable risk without sacrificing productivity. IT leaders can finally develop a winning security strategy not by attempting, in vain, to eliminate risk entirely, but by constraining it to a level accepted by both business and technology interests. In so doing, IT leaders can regain control of their own destiny and chart a course for measurable success.

Figure 1: A high-level logical diagram of the second customer's segmented internal network (diagram not reproduced here).

© 2004, Taos Mountain, Inc.