Accessibility vs. Security

17Feb08

This is a common battle that I deal with on a regular basis, and I'm sure I am not alone. If you took a poll across the organization (most organizations, anyway), users would prefer easier accessibility over more security all day long. This is not a surprise given that we live in an ON DEMAND world where people want stuff and they want it now. Instant access via every handheld imaginable, RPC over HTTPS access to email, clientless VPN, and the list goes on. All of these accessibility improvements, while making things easier on the users, create serious heartburn for me. When you improve a little on accessibility you potentially lose a lot on security. All is not lost, though: you don't need to open the floodgates just yet.

When you are tasked with providing some new way to make data accessible, make sure you understand the implications. There will be times when no extra security measures need to be taken, in which case GAME ON! You implement, and people start tossing flowers at you when you walk down the hall. More often than not, however, this new feature will have security implications that need to be addressed, and it is up to you to see that they are. Do not just sit back and say, "Oh, we don't want to do that because it isn't secure." It sounds like you are blowing them off and leaves them with questions, so you will hear about it again. Instead, take the time to document the security concerns and put them into people speak rather than geek speak: "I would love to give you access to the super secret database without VPN access, but your username and password are not sufficient security to put in front of something with public access that contains that level of sensitive information. To make that feature available we would need to implement a multi-factor authentication solution." That shows you understand what is being asked and that you understand the security concerns around it. You may have scared him off for good, or he may keep pushing, in which case it is time to put together the proposal to add the security around the accessibility.

By mandating the security in order to get the accessibility, the money gods are more likely to grant your wishes. If you implement accessibility first and go back asking for money to secure it, chances are you will have a tougher battle. Use what they want as a way to increase your budget and make your life a little more secure. In the end, your head will be on the chopping block if you start implementing things and there is a breach, so be safe and cover your you know what!

2 Responses to “Accessibility vs. Security”

  1. I'm quite pessimistic regarding web accessibility; there is no consistent method to provide web accessibility to the end user (browser differences, proprietary languages), and WCAG and browser vendors (big M) are making things complicated for web designers and developers.

    security first

  2. Understand.

    I was an engineer at RSA for many years. I installed 100s of the SecurID solutions and many PKI deployments. I found SecurID a quality product with a very reliable installation model. I could not say the same for the PKI product (this is not a cut at RSA, but at all PKI installations).

    In 2005 I decided to put to use the collective knowledge of myself (a generic security guy), a crypto specialist, an application specialist and a network/telephony specialist. From this we created a solution that is PKI-secure (e.g., bilateral authentication not susceptible to the man-in-the-middle attacks that all token solutions are susceptible to) and easy to install. This is because we utilize web services (WSE 3.0 authenticated, so they are secure) to deliver SMS text messages, telephony one-time passwords and certificates. The combined solution (SecureAuth) is reliable (we have deployed to over 100 financial institutions) and secure (passed the NCUA audit with flying colors).

    All the best. We have a live demo on the web. (http://www.multifa.com/demo.htm)

    Garret Grajek, CISSP
    MultiFactor Corporation
    Chief Operating Officer
    office: 949.777.6970
    mobile: 714.658.0765
    ggrajek@multifa.com
