When it's your fault--the systems you manage provided the avenue of entry--it's time to hang your head and take the heat with humility. But increasingly, the source of security vulnerabilities lies in systems outside your direct control, systems that sprout up on the network without your knowledge. In organizations where distributed management of IT resources is the norm, providing a secure environment is an uphill battle.
At its core, the security issue is as much political as it is technical. Philosophers have recognized for thousands of years that security and freedom cannot be easily reconciled. If absolute safety is paramount, the cost is usually a series of strict laws constraining actions, a threat of severe punishment aimed at deterring untoward activities and an authoritative police force ready to lock you up if you misbehave. If personal freedom is more important, the comfort of security must be compromised a little or maybe a lot.
Relatively few networked organizations have come to grips with the delicate balance that defines security policies, and that balance has grown increasingly precarious over the past decade. IT control has become more distributed. Sometimes distributed control happens because the central IT organization has a history of arrogance; other times people become frustrated with the deployment delays associated with complex new systems and conclude they could do a better job on their own. The net result is a diffusion of responsibility and accountability, one that is nearly impossible to resolve.
In the 1980s and early '90s, the solution to our security challenges was to implement complex and expensive mainframe security systems and to use physical isolation to protect against Internet thugs. Central administrators engaged in a practice known as "mini-maxing"--minimizing their maximum regret. Today, such a solution isn't tenable. We may try to virtualize the isolation by using sophisticated firewalls, but the security comfort level is illusory given the lack of control over departmental servers, desktops and telecommuting devices.
The classic strategy for addressing these vulnerabilities lies in the form of a central security officer and a clearly defined acceptable use policy that includes severe sanctions for breaking the rules. I know of a company with a security policy that dictates immediate dismissal of any employee found guilty of attaching a modem to a desktop computer. But is it really possible to enforce this kind of restriction or clearly define all the offenses for which people will be held accountable? I don't think so.
Most large organizations with which I am familiar deal ineffectively with the political reality of distributed control of IT resources. In some cases they might like to reassert central control, but the resistance can be strong, especially if the central organization has a poor track record or if its management is dealing with skilled-labor shortages in key areas that diminish its effectiveness.
Interestingly, it may be fear of attack that results in a greater level of central control. Citizens in countries ravaged by civil war are often quite willing to give up freedom to an authoritarian police force in exchange for personal safety. Could the economic consequences of cyber-terrorists be enough to return control of information resource management functions to the central IT organization? I wouldn't bet against it.
Send your comments on this column to Dave Molta at dmolta@nwc.com.