Joseph Granneman


Upcoming Events

Where the Cloud Touches Down: Simplifying Data Center Infrastructure Management

Thursday, July 25, 2013
10:00 AM PT/1:00 PM ET

In most data centers, DCIM rests on a shaky foundation of manual record keeping and scattered documentation. OpManager replaces data center documentation with a single repository for data, QRCodes for asset tracking, accurate 3D mapping of asset locations, and a configuration management database (CMDB). In this webcast, sponsored by ManageEngine, you will see how a real-world datacenter mapping stored in racktables gets imported into OpManager, which then provides a 3D visualization of where assets actually are. You'll also see how the QR Code generator helps you make the link between real assets and the monitoring world, and how the layered CMDB provides a single point of view for all your configuration data.

Register Now!

A Network Computing Webinar:
SDN First Steps

Thursday, August 8, 2013
11:00 AM PT / 2:00 PM ET

This webinar will help attendees understand the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging. It will also help users decide whether SDN makes sense in their environment, and outline the first steps IT can take for testing SDN technologies.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

Vendor NewsFeed

More Vendor NewsFeed »

See more from this blogger

Information Security Strategy: Stop Punishing End Users

Posted by Joseph Granneman
September 30, 2013

For many years, companies have focused their security efforts on implementing rules to lock down the end user. I learned the hard way that this strategy doesn't necessarily lead to better security.

In the past, I believed as many of you do, that implementing a security program meant taking control of as many factors in the environment as possible. In 2009, when I read a paper by Microsoft Research's Cormac Herley that criticized this tactic, I was shocked and outraged. He argued that information security programs often focus too much on policies and procedures that don’t actually reduce risk and ultimately increase costs. At the time, I was a CSO like many others -- scraping for resources in both staffing and budgets. The last thing I needed was resistance to the policies and procedures I tried to put in place.

More Insights

Webcasts

More >>

White Papers

More >>

Reports

More >>

I really thought implementing all these policies and procedures made a difference. I was under the misconception that I could prevent the majority of information security incidents by taking away capabilities and making authentication as difficult as possible. The results were predictable: Users wrote passwords on sticky notes stuck under keyboards and executives got angry when email to their children was encrypted due to false positive detection of confidential information. I eventually realized Cormac Herley had a point.

Confidentiality, integrity and availability are the core pillars of information security taught to everyone who enters the field. Yet most information security programs are only focusing on confidentiality and forgetting about availability. For example, a company I worked with implemented a host of Group Policy settings in Microsoft Active Directory. These settings, combined with the disk encryption software installed on laptop computers, yielded boot times for the users of almost 10 minutes. I found laptops with tape across the power button because employees did not want to accidentally reboot their computers.

I'm not saying that using Group Policy or full-disk encryption to secure the environment is the wrong approach. Quite the contrary -- I believe strongly in the appropriate application of both of these technologies. Where this company went wrong was in failing to measure the impact of these changes on their environment and their business. The laptop hardware was mostly older and did not support the encryption features built into modern CPUs that would have reduced boot times. Active Directory was centralized and connected with low speed, high latency WAN connections that were inadequate for the rapid deployment of Group Policies.

There were two core issues that drove this company to rapidly deploy technologies without consideration for business impact. The first is that it had to meet specific deadlines for regulatory compliance or face stiff penalties. This is one of the side effects brought on by information security regulations: Companies are rushing to be compliant but are not necessary any more secure.

[Traditional security systems aren't doing much to help us manage risk, but we keep buying them. Read Michele Chubirka's examination of this phenomenon in "Security Snake Oil For Sale."]

The second issue is the fallacy that all risks can be identified and controlled. Technology is just moving too quickly for anyone to anticipate all of the potential risks to an environment. For example, passwords have often been a victim of technological advances. Strong passwords from just a few years ago are now cracked in less than a minute on a standard PC by pattern matching every possible combination with the corresponding hash. Password change frequency policies now offer little protection unless the password is changed every two minutes. The point is: A safe practice now may not be so in less than a year.

So should we just give up? Have we lost the war? Hardly; it's just time to change our tactics.

First, we must move our emphasis from prevention to detection. We must build our information technology systems with penetration in mind. I often compare this to designing a submarine where areas are compartmentalized to contain flooding. Our information technology systems need to be built with compartmentalization in mind to limit the damage from a security breach. This also puts us in a position to detect and resolve a security breach more quickly.

Second, we must design security systems that consider the impact on the business and limit the impact on productivity. Availability is just as important as confidentiality in information security. Users will be less likely to attempt work-a-rounds when security processes are transparent to them. There may even be times when productivity can be increased by using security technologies such as single sign-on. We must consider the full user experience when designing security systems in order to be successful.

It is not too late to change course. The Cormac Herley paper is still a good read for anyone that is interested in learning more about the productivity costs of implementing bad security. I’m sure there are going to be some information security pros that react in the same way that I did in 2009. But even they will recognize that it is time to stop punishing end users with bad security controls and move to a more proactive approach. Only by adopting compartmentalized systems with proactive monitoring will companies truly be ready for the modern threat environment.

[Hear how one CISO is shifting away from a prevention strategy and investing more in better visibility and response capabilities in "A CISO's Perspective: Enhancing Visibility and Response to Provide More Effective Information Risk Management and Security" at Interop New York this week.]

Joseph Granneman has more than 20 years of technology experience, primarily focused in health care information technology. He is CIO for Rockford Orthopedic Associates in Rockford, Ill., and an active independent author, presenter and professor in the health care information technology and information security fields. Granneman has been active in many standards groups, including developing the early frameworks for Health Information Exchange as part of the Health Information Security and Privacy Security Working Group for Illinois. He was also a volunteer for the Certification Commission for Health Information Technology (CCHIT) Security Working Group, which developed the information security standards for ARRA certification of electronic medical records.


Related Reading

News

Commentary

Most Popular

Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 
Vendor Comparisons
Network Computing’s Vendor Comparisons provide extensive details on products and services, including downloadable feature matrices. Our categories include:

Research and Reports

August 2013
Network Computing: August 2013

Video


WATCH: Bob Metcalfe Plans Ethernet's 40th

WATCH: CES 2013: It's A Wrap!

WATCH: Intel touts tablets, smartphones at CES 2013


View All Videos
Previous Page First Page Second Page Third Page Next Page

Most Popular

Stories Blogs

More Stories »

Upcoming Events

Featured Whitepapers

 
 
What's this?
More >>


Featured Reports

 
 
What's this?
More >>


BlogRoll

TechWeb Careers