The stick and ... the stick of information security at the enterprise

Hello, dear listeners, managers, programmers, admins and everyone else. Today I will speak about a sore subject, one that periodically gives me a sharp toothache, namely information security at the enterprise.

What is IS at a large enterprise, or even a bank? A hot cocktail of regulations, densely seasoned with prohibitions of anything and everything, with threats of violence added to taste. After all, what does an ordinary system administrator do to prevent unauthorized access? He forbids everything that is not explicitly allowed. What does an ordinary security officer do? He forbids everything in general, right up to the border (and often beyond it) of common sense and of any possibility for the enterprise to function at all. At the same time, a huge number of tedious threat descriptions, normative acts (boredom!) and other frightening documents are compiled, all of which boil down to one simple thought: "IF ANYTHING HAPPENS, WE WARNED YOU!" Thus a situation arises in which IS identifies risks but bears no responsibility for them; the responsibility is borne by the employees.

That concludes the hot and burning part of this opus; enough about emotions, let us switch to the constructive part. Everyone who has run into this will understand and could add a lot. Now I want to talk about what to do about it. After all, at the root of information security at the enterprise lies an extremely constructive and reasonable goal: to prevent data leaks, which can later come back to bite this very enterprise, and often very painfully. Here it is worth considering not only (and not so much) financial risks, but reputational and all other kinds of risks, which would undoubtedly materialize, someday, perhaps, maybe, maybe, maybe.

The main cases that IS tries to cover, in my short-sighted opinion, are:

1. Prevention of unauthorized access (UA for short; we are talking about IS after all, so we will use thousands of abbreviations) to all kinds of databases, storage systems, servers (I don't know how to abbreviate that one), and rooms with servers and databases. This is the main goal of the IS function, and they cope with it very well. The huge clouds of hardware and software created specifically for these purposes contribute quite well to preventing UA, catching phishing and investigating IS incidents.

2. Restriction of UA "from the outside". Well, everything is clear here. Together with the hardware and software systems from the first item, solving these typical tasks is not difficult.

3. Restriction of UA "from the inside" of the organization to everything listed in item 1. Here a few more details are needed, because the main UA threat, from the IS point of view, is the enterprise's own employee, who prevails as a potential threat. First of all, access to the equipment in question is needed by administrators of all stripes, by programmers and/or analysts, and sometimes directly by the business, which uses some kind of software for the data, reports and everything else it needs to operate. Oddly enough, the level of difficulty and the number of problems created by IS here is not so high. Because admins need access for their admin magic; analysts mostly just work in the software that the admins set up; and if the business said it is necessary, then it is necessary, and they get access, because IS works for the business and not the other way round. Hardest hit are the developers, who maintain servers, access, obscure software and self-written obscure software, all while the data is live. All of this falls under the written regulations and all the other acts, orders, norms, threats and risks that the security officers themselves wrote over the course of their working lives. This is where the bottleneck effect kicks in: while the developers, together with the managers, negotiate (if it is possible at all) all these endless approvals, the business stands and waits. Because it has trapped itself by giving IS carte blanche, because it did not think through a mechanism for escalating and assessing risks, because penetrating and understanding this layer of information threats, which, mind you, covers almost the whole range of IT disciplines, is simply impossible.

What ways out of this situation do I see (have thought up, have felt):

1. The first, and the main one, is the possibility for the head of a business unit to accept the risk himself when he orders something that gets stuck on the difficulty of obtaining approval from the IS officers. Very often the business needs tools that must quickly solve or test some idea or concept of a manager. These point, or acupuncture, injections can be very effective and useful for carrying out business tasks. And if the other long-standing dead weight, the purchase of equipment, can be resolved by turning to a hosting provider, then the question of information security rises to its full height. The data that needs to be processed sits in internal systems and must be transferred to external ones. There are two options here: the very long one and the fast illegal one. I think there is no need to explain which option is most often chosen by people who need to get a task done.

2. Building, or rather shortening, the list of critical resources and erecting a VERY secure layer between all the other systems and these super-secure systems. Here there is room to unfold in all breadth and power. Surely this is often done, but the list of threats that IS tries to embrace is so huge that the security officers themselves would drown (which often happens) if even half of them were closed according to the rules of their own IS protection regulations. The rest of the systems should be limited to standard means, antivirus and domain security policies, but without impairing functionality.

3. Simplifying the procedure for approving exceptions to all of their own restrictions. After all, they will be approved anyway, because "it is necessary", but this would save hectoliters of blood spilled in the fields of out-of-process approvals.

In conclusion, I would like to express my gratitude to those adequate, comprehensible and flexible security officers whom I have not yet met.

With love, hatred and understanding,
%worker%
