Accessibility vs. Security
This is a common battle that I deal with on a regular basis, and I’m sure I am not alone. If you took a poll across the organization, most organizations anyway, users would prefer easier accessibility over more security all day long. This is not a surprise given that we live in an ON DEMAND world where people want stuff and they want it now. Instant access via every handheld imaginable, RPC over HTTPS access to email, clientless VPN, and the list goes on. All of these accessibility improvements, while making things easier on the users, create serious heartburn for me. When you improve a little on accessibility, you potentially lose a lot on security. All is not lost, though: you don’t need to open the floodgates just yet.
When you are tasked with providing some new way to make data accessible, make sure you understand the implications. There will be times when there are no extra security measures that need to be taken, in which case GAME ON! You implement and people start tossing flowers at you when you walk down the hall. More often than not, however, this new feature will have security implications that need to be addressed, and it is up to you to see that they are. Do not just sit back and say, “Oh, we don’t want to do that because it isn’t secure.” That sounds like you are blowing them off and leaves them with questions, so you will hear about it again. Instead, take the time to document the security concerns and put them into people speak rather than geek speak. “I would love to give you access to the super secret database without VPN access, but your username and password are not sufficient security to put in front of something with public access that contains that level of sensitive information. To make that feature available we would need to implement a multi-factor authentication solution.” That shows you understand what is being asked and that you understand the security concerns around it. You may have scared him off for good, or he may keep pushing, in which case it is time to put together the proposal to add the security around the accessibility.
By mandating the security in order to get the accessibility, the money gods are more likely to grant your wishes. If you implement accessibility first and go back asking for money to secure it, chances are you will have a tougher battle. Use what they want as a way to increase your budget and make your life a little more secure. In the end, your head will be on the chopping block if you start implementing things and there is a breach, so be safe and cover your you-know-what!