IT Security Strategy: Who Is Accessing What?
By Scott E. Christiansen | Posted 2008-09-02
Today’s IT security strategies should be as flexible as the business needs, while still maintaining the proper measure of security protection and control. Security policy needs to reflect who will see and use the data. Filters can help manage data taxonomy, while access control allows new collaboration technologies to be added to your environment while remaining secure. Change control and configuration management can also help.
Who Is Accessing What?
Through change control and configuration management, you can identify when a particular pitcher (a method of adding data) or spigot (a way of accessing data) is used. You can also identify potential cases of abuse, such as when too much liquid is going out, when a spigot has not been turned off, when someone has damaged a spigot during use, or when an employee or customer doesn’t know how to use a spigot properly.
I use the example of setting a policy for the acceptable use of an e-mail system, particularly determining when file attachments will be blocked. For instance, you could block all outgoing Microsoft Excel e-mail attachments, but you should provide employees with another method of sending those files: a publicly available FTP site, an internal/external Microsoft SharePoint site, a second-party hosted file-exchange system or some type of secure document exchange.
The type of system really doesn’t matter, as long as it is easy for employees and customers to use, and allows them to do their jobs using the pitchers and spigots you provided. But you should implement controls that allow only the actions you wish to permit, along with auditing measures to ensure that the systems are being used appropriately.
The process is the same in the Web 2.0 context, which is requiring organizations to open their glass boxes. Employees may wish to use instant messaging to communicate with outsiders, but IT may be worried about allowing publicly available IM clients inside the organization.
The solution may be implementing an IM technology that allows users outside the company to access it (Microsoft Office Communications Server 2007 has this functionality), or putting in systems that separate and filter out this type of traffic.
I recommend setting a policy that outlines the types of information considered unacceptable for employees to post on the Web, and referring to a standards document that outlines specific technology (such as company-sponsored blogs or wikis) that’s to be used for specific company-related information. By having the proper policies in place, you can lay out a blueprint of how you envision all these processes working.
If you want your security program to continue to be accepted and integrated into the business, you must ensure that you position yourself to be as flexible as the business calls for, while still maintaining the proper measures of control.