
Plastic Lock Security by Barry Koplowitz


 The Interpath Technologies Networking Myths Series™



As a consultant, I have had the opportunity to work in many different IT environments, in most cases for very large multi-national corporations.  One of the many areas where I have seen a wide variance in efficiency or, possibly a better word, efficacy, is security.  As security is not the primary focus of this podcast/article series, and as this particular podcast/article is meant for management rather than the techie, we will focus on a single, very common problem.  I call it "Plastic Lock Security."

Plastic Lock Security is a security policy that will ONLY keep out those who obey the rules.  It is not real security--but all too often it is considered to be.  Imagine a door lock made of brittle plastic.  It would not stop even a child from opening the door, but it makes it very clear that the door is supposed to be kept closed.  It is the equivalent of a "Do Not Enter" sign on an unlocked door.  Good guys will not enter.  Bad guys won't really care much about the sign.  At best, it might fool them into not trying.  However, it might have the same effect as "Confidential" does on a document--which is to make you want to read (open) it even more!  If you obey such guides, it is effective.  If you do not, it is humorous.  This is the condition of many common security policies.  Security by cooperation only provides security from those who cooperate, i.e. "Plastic Lock Security."

The dark side of the Plastic Lock Security force is that it leads to a lack of cooperation when the rules interfere with business requirements--as happens far too often in this field.  This leads to a corporate culture that accepts rule breaking as the price of doing business.  Not a good environment for network or application security.  For example, I know of a company (they no longer have this problem) that had a policy that prohibited email to any outside source.  They provided consultants with an email account and felt that their email account should be used for all communication.  That is their right.  However, consultants often have to maintain confidential communication with their employers.  Various consultants brought this to this client's attention, to which they replied, "That is our policy."  You can see how this could apply to many other situations as well.

Now, what did this rule actually accomplish?  It prevented professionals from communicating in confidence for legitimate business reasons.  In other words, the communications that the client had no reason to fear were prevented.  However, anyone with a reason to communicate privately could bypass this policy by using HTTPS to an email server that accepts HTTPS.  So, what actual security was provided?  None.  It was a "Plastic Lock."  It provided a sense of security without providing any actual security.  A placebo.

This is just one of countless examples I have seen.  Picture a similar situation with no unmonitored email access, but where USB thumb drives are allowed.  What's the point?

Of course, on a slightly political note, we now have a government in the US that monitors email and web activity.  That is the ultimate Plastic Lock.  Do they think the Bad Guys don't have access to SSL and a Starbucks wireless connection?  Or worse, your unsecured personal wireless network?  Who do they think they will catch?  Interesting question--right?  Actually, this may not qualify as Plastic Lock Security since I sincerely doubt that this policy was ever directed towards monitoring anyone other than the American people.  (OK, enough politicking.)

The Primary Point is this--If you want to make a policy that is SECURITY based, it must be enforceable and fully enforced.  If the policy is only meant to INHIBIT, then it isn't really intended for security purposes and doesn't matter.

The Secondary Point is this--Plastic Lock Security causes INSECURITY by:

  • Only preventing (or monitoring) legitimate users, while doing nothing to stop those presenting a true threat.
  • Pressuring legitimate users themselves to break the plastic lock to get their legitimate business done, and thereby corrupting the corporate culture.


This article was published on Tuesday 27 May, 2008.
