Internal security is more than who has access and what they have done with it. It’s more than protecting against external threats with firewalls, antivirus, intrusion detection and physical security. While all of these things are necessary, you also have to understand what it is you are protecting. Is it sensitive data? Is it PII, or health data covered by HIPAA? Is it a server with proprietary source code, or the file share with the dreaded salaries.xls file?
Having a fundamental understanding of what’s in the box will allow you to secure it better. Far too often the general rule has been to lock everything down with no sophistication about what is being protected. As a result, we treat temp files with the same level of security as client social security numbers or medical records. We believe it is this all-encompassing view of security that has made us less secure. It’s easier to violate security and compliance guidelines when you have no idea what kind of data is being protected.
Do you know how often unauthorized changes that cause an outage are happening in your environment? How about those that don’t cause an outage? Think about this: an administrator is troubleshooting an application that requires access to a file server. As they work through the issues with the application team, they start getting errors when the application writes to the file server. They think it may be a file permission issue, so they grant the application service account read access. It doesn’t work, so they try write access. Still no good, so they grant full control. Still no good. They move on to try something else, leaving the service account with full control of that share.
Once a change is made, no matter how bad, it starts gaining legitimacy if it goes undetected. In the scenario above, if you are cleaning up file shares six months later and see that service account, you won’t just remove it. You won’t know what it is, so now begins the process of talking to application owners, developers and business owners, all in an attempt to track down why this service account has full control over a share with very critical data. Of course your book of record won’t have any record of this, because it was done outside the approved process. Think of all the time and energy wasted tracking down the reason for it. Now think about how many times this is happening in your organization without your knowledge.
Organizations need tools in place to detect and alert on these types of changes, and most organizations either don’t have these tools or don’t have the resources to monitor the vast amounts of data they generate. If you don’t have a fundamental understanding of the type of data that’s now at risk, you don’t know how critical the violation is. Let’s face it: in a large organization with thousands of file servers, both development and production, you will soon find that administrators are inundated with alerts (most of them false positives), and the alerts will soon be ignored. Alerting needs to be more sophisticated. We need an understanding of the contents of the server, not just the action that violated a security policy.
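To make the point concrete, here is an added example of what "more sophisticated alerting" can look like in practice; it is illustration code written for this post, not a tool the post describes. It takes permission-change events carrying the fields of Windows Security event 4670 (the old and new security descriptor in SDDL form), diffs the allow ACEs to find who gained what, looks the share up in a small data-classification inventory, checks the change against a list of approved tickets (the book of record), and assigns severity from the data rather than from the action alone. Every share path, SID, account name and event below is constructed for the example.

```python
"""Classification-aware triage of file-share permission changes.
Added example, not code from the original post; all paths, SIDs and events are constructed."""
from __future__ import annotations

import re

# Constructed inventory of what lives where: the "what's in the box" list.
SHARE_CLASSIFICATION = {
    r"\\fs01\hr": "restricted",        # payroll, where salaries.xls lives
    r"\\fs01\clients": "restricted",   # client SSNs and medical records
    r"\\fs02\app-logs": "internal",    # application logs, no PII
    r"\\devfs01\scratch": "public",    # developer temp files
}
# Alert severity for a grant, by classification; None suppresses the alert entirely.
BASE_SEVERITY = {"restricted": "high", "internal": "medium",
                 "unclassified": "medium", "public": None}
SEVERITY_ORDER = ["critical", "high", "medium"]
FULL_CONTROL = {"FA", "GA"}            # SDDL rights tokens meaning full control
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl: str) -> dict[str, str]:
    """Map trustee -> rights for the access-allowed ACEs in an SDDL DACL.
    Deny ACEs are skipped: adding one never widens access, which is what we hunt for."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]      # drop the SACL if one follows
    grants = {}
    for ace in ACE_RE.findall(dacl):
        ace_type, _flags, rights, _obj, _inherit, trustee = ace.split(";")[:6]
        if ace_type == "A":
            grants[trustee] = rights
    return grants


def changed_grants(old_sd: str, new_sd: str) -> list[tuple[str, str]]:
    """Allow ACEs in new_sd that are new, or carry different rights, compared to old_sd."""
    old, new = parse_dacl(old_sd), parse_dacl(new_sd)
    return [(t, r) for t, r in new.items() if old.get(t) != r]


def classify(object_name: str) -> str:
    """Longest-prefix match of the object path against the share inventory."""
    name = object_name.lower()
    hits = [p for p in SHARE_CLASSIFICATION
            if name == p.lower() or name.startswith(p.lower() + "\\")]
    return SHARE_CLASSIFICATION[max(hits, key=len)] if hits else "unclassified"


def severity_for(classification: str, rights: str) -> str | None:
    """Full control over restricted data outranks everything else."""
    if rights in FULL_CONTROL and classification == "restricted":
        return "critical"
    return BASE_SEVERITY[classification]


def triage(events: list[dict], approved: set[tuple[str, str]]) -> list[dict]:
    """Turn raw 4670-style events (SubjectUserName, ObjectName, OldSd, NewSd) into
    classification-weighted alerts. `approved` holds (object path, trustee) pairs
    from the change system; those changes are recorded but never alerted on."""
    alerts = []
    for ev in events:
        cls = classify(ev["ObjectName"])
        for trustee, rights in changed_grants(ev["OldSd"], ev["NewSd"]):
            if (ev["ObjectName"].lower(), trustee) in approved:
                continue                # in the book of record: no alert
            sev = severity_for(cls, rights)
            if sev is None:
                continue                # temp files: not worth anyone's attention
            alerts.append({"severity": sev, "classification": cls,
                           "object": ev["ObjectName"], "trustee": trustee,
                           "rights": rights, "changed_by": ev["SubjectUserName"]})
    return sorted(alerts, key=lambda a: SEVERITY_ORDER.index(a["severity"]))


# Constructed sample data: a hypothetical service account, an analyst, five events.
SVC_APP = "S-1-5-21-1000000000-2000000000-3000000000-1105"
ANALYST = "S-1-5-21-1000000000-2000000000-3000000000-1107"
ADMINS = "(A;OICI;FA;;;BA)"
SAMPLE_EVENTS = [
    # The scenario from the text: troubleshooting ends with full control on client records.
    {"SubjectUserName": "jdoe-adm", "ObjectName": r"\\fs01\clients\records",
     "OldSd": f"O:BAG:SYD:{ADMINS}(A;OICI;FR;;;{ANALYST})",
     "NewSd": f"O:BAG:SYD:{ADMINS}(A;OICI;FR;;;{ANALYST})(A;OICI;FA;;;{SVC_APP})"},
    # A ticketed read grant on an internal share.
    {"SubjectUserName": "jdoe-adm", "ObjectName": r"\\fs02\app-logs\ingest",
     "OldSd": f"O:BAG:SYD:{ADMINS}", "NewSd": f"O:BAG:SYD:{ADMINS}(A;OICI;FR;;;{SVC_APP})"},
    # The same full-control mistake on developer scratch space: noise.
    {"SubjectUserName": "jdoe-adm", "ObjectName": r"\\devfs01\scratch\tmp",
     "OldSd": f"O:BAG:SYD:{ADMINS}", "NewSd": f"O:BAG:SYD:{ADMINS}(A;OICI;FA;;;{SVC_APP})"},
    # An existing analyst on the HR share bumped from read to write.
    {"SubjectUserName": "hr-admin", "ObjectName": r"\\fs01\hr",
     "OldSd": f"O:BAG:SYD:{ADMINS}(A;OICI;FR;;;{ANALYST})",
     "NewSd": f"O:BAG:SYD:{ADMINS}(A;OICI;FW;;;{ANALYST})"},
    # A share nobody has inventoried yet.
    {"SubjectUserName": "jdoe-adm", "ObjectName": r"\\fs03\misc\export",
     "OldSd": f"O:BAG:SYD:{ADMINS}", "NewSd": f"O:BAG:SYD:{ADMINS}(A;OICI;FR;;;{SVC_APP})"},
]
APPROVED_CHANGES = {(r"\\fs02\app-logs\ingest".lower(), SVC_APP)}

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, APPROVED_CHANGES):
        print(f"[{a['severity']:8}] {a['classification']:12} {a['object']} "
              f"{a['trustee']} -> {a['rights']} (by {a['changed_by']})")
```

Of the five sample changes only three surface, and in the order a responder should look at them: the service account with full control over client records is critical, the analyst moving from read to write on the HR share is high, and the grant on the share nobody has inventoried is medium but labelled "unclassified", which is itself something to go and fix. The ticketed change and the scratch-share change produce nothing, which is the whole point: the alert volume tracks the data at risk, not the raw count of ACL edits. Two caveats: the SDDL diff compares rights tokens as strings, so a reduction from FA to FR is reported as a change too (the classification still decides whether anyone hears about it), and a real deployment would read the inventory and approved changes from the CMDB and ticketing system rather than from literals.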
Sometimes the hardest decision is where to start. It can be daunting to look at what is going on at your company and think that you have to figure out everything. Like any significant task, it is important to take a clearly defined, strategic approach. Understand that you will not be able to identify everything at once; set milestones, create expectations and work through the project methodically. As you learn more and more about your environment, you can establish business-as-usual baselines and create alerts when those baseline thresholds are broken.
Security executives know that there are many risks they have to mitigate. Knowing what is happening in the environment, with both data and systems, they can create policy and procedure that best serves security while preserving the ability of business units to operate.
So, in the end, knowing what’s in the box shouldn’t have you screaming – it should be a piece of cake…