Delivering a secure information infrastructure

Rats nest or house of cards? You choose


I recently had the task of writing an explanatory paper about Good Practice Guide (GPG) 13, a UK-government sponsored piece of guidance around "protective monitoring" – that is, being able to keep an eye on what's going on in your IT environment in order to spot when security breaches happen.

Now, before you get all big brother, it was more about the very boring technical stuff – looking for unauthorised access to files, failed login attempts and so on. Though I would imagine that if an organisation wanted to breach staff privacy and compromise its own ethics, all manner of other good advice probably exists.

GPG 13 is nothing if not comprehensive, covering every aspect of how IT systems monitoring should take place. It checks all the right boxes in terms of people, process and technology. I have no doubt that an inordinate amount of effort has gone into ensuring its consistency, not only within the document, but also with other, equally comprehensive government guidance documents.

Indeed, there appears to be only one downside of this carefully crafted tome: that it would be completely unworkable in practice for the majority of organisations we research. The fact is that most businesses struggle to put security in place, for a variety of factors, not least the downright complexity of today's IT environments.

While we can see that the traditional view of security being "somebody else's problem" is gradually improving, that doesn't mean that security itself is becoming any easier to administer.

In fact, the evidence would suggest the opposite. Among the top issues cited in the poll above were data growth and the increased propensity for more distributed working practices. Right now, and despite the best efforts of security vendors, these areas cause issues that remain beyond the ken of many organisations to solve from a security perspective. If indeed, ‘solve’ is the right word given just how nebulous this whole area can be.

You could argue that it just means we all need to work harder and enforce policies more strongly. Indeed we’ve had plenty of feedback from the Reg audience suggesting it is possible to lock down specific IT environments. The tools are there, you tell us, they just need to be implemented in the right way. But like the fairground game, for every rat we manage to bang back into a hole, another one will pop up almost immediately. And the rats are getting smaller and faster moving, if the latest smartphone trends are anything to go by.

Meanwhile, of course, the networks of tunnels they occupy are also becoming more complex. When my colleague Dale Vile conducted some recent research into exactly what cloud computing is, he did find that hosted storage was seen as a valid option, even though numerous questions around data security and privacy remain to be answered.

The point is not that these things are happening, you know that for yourselves. It’s more that we are still driven towards using traditional approaches to securing information which, with the best will in the world, don’t stand a chance of being achievable in practice. IT security relies on building frameworks with all the strengths and weaknesses of a house of cards. If you build it once and leave it well alone, it will remain standing for a goodly while. Try to change any one part of it, however, and the whole thing will come tumbling down and will need to be rebuilt from scratch.

Change comes from a variety of directions, not least from the top. You can build a fortress, but all it takes is one senior exec to want to put a nice window in the outer walls and all the efforts go to worms. This is exactly what happens in many organisations, and frankly, there may be sound business reasons for making any changes or introducing new risk. If, say, the best way of broadcasting a service is deemed to be through social networking, or if the top dog needs a set of files to go see a client and needs to access them from his/her laptop, then so be it. From a business risk perspective, the potential for security breaches needs to be weighed up against the potential for not doing business at all – and on a day-to-day basis.

I'm not saying that acceptable levels of IT security are impossible to achieve. It's just that inch-thick best practice frameworks are never going to be an appropriate mechanism for dealing with areas of rapid change. Of course it's easy for someone like me (who doesn't actually have to do anything about it) to bang on about better ways of doing things, as if I had all the answers. The truth is I don't – but I do know we should be asking some pretty fundamental questions about how we approach security at all.

Returning to the rat analogy (and avoiding the temptation to mix metaphors and consider the lovely nest a rat could make out of a house of cards), it may be that we can learn from areas such as pest control. Nobody actually expects to be able to wipe rats off the face of the planet, even if it were a good idea. However, a combination of good hygiene, containment and well-documented procedures to deal with the occasional infestation might perhaps offer a better approach than trying to seal all the holes, as we currently do with IT security.

Whatever happens in IT over the next few years, what is clear is that things are not going to get any simpler. Perhaps it is time to move from onerous good-practice guides, to a far clearer understanding of achievable, workable and sustainable best practice. This doesn’t mean that we should throw away our door and window locks – these fit in the category of ‘basic hygiene’. However, just as we can’t disinfect every surface, neither should we be trying to restrict every movement for fear something might go wrong. If you have any advice in this area, do say.
