http://www.globalderivativesusa.com/fkn2342frt

By Jim Zierrich

The most common rule of thumb in the financial sector’s information technology area is to just follow the rules and regulations so you remain in compliance with industry regulations or current policies.

As a result, compliance becomes a substitute for IT security. But are they really equal? Does being in compliance mean you have a secure IT environment?

Jim Jaeger, director of DoD & commercial cyber solutions for US security consultant General Dynamics Advanced Information Systems, claims that nearly every data breach his team attended in 2010 occurred within an organisation certified as compliant within the previous year. In other words, a company being compliant does not mean that every person in it is honest or competent all the time.

The weakest link
Though difficult for many to admit, humans are the weakest link because we are fallible. We are not perfectly consistent in our principles, personally or professionally. Intentionally or accidentally, good people - your employees - can do bad things.

As a 2010 Harris Interactive poll revealed, employees frequently bypass IT security policies in order to do their jobs.

Indeed, as numerous data breach news reports reveal, attacks by people with legitimate access to an organisation’s computers, devices and networks, including attacks on large financial organisations, of which Herve Falciani at HSBC bank is perhaps the best known example, represent a growing problem across the globe and are increasingly difficult to thwart.

It may seem as if the solution to remaining both compliant and secure is to tighten security to the point that productivity is impacted, not to mention the inevitable increased cost created by increased demand on IT admin desks, as end users find they need help to execute the simplest of tasks.

However, the solution may in fact lie in a willingness to reframe the problem of how to manage the trade-off between security and productivity. Is it possible to implement security in a way which augments productivity, while still remaining compliant? I think you can.

The shift in perspective comes when you realise that whereas security stops people from doing things because of the risk of, for example, data loss, these same controls can also enforce best practice.

Such best practices invariably point towards the guiding principle of ‘least privilege’ access. Least privilege should not be confused with limiting access. It simply means managing access to IT systems, whether via Windows on the desktop or to databases on servers, on the basis of what is required for an employee to do their job, and no more.

Checking access
To be clear, no single user, regardless of seniority, should have unchecked and complete root access on a server or admin access on a desktop, and yet that should not restrict business as usual. At all times, privileged access needs to be elevated and brokered, determined by the employee’s role, function, and the time frame in which the task needs to happen. At the same time, anything done at an administrator level must be monitored and logged, to provide the necessary audit trail and meet compliance requirements.
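As an added illustration (not from the article), a small Python sketch of the brokering described above: elevation is granted only for actions tied to the requester’s role, it expires after a fixed window, and every request, execution and refusal is written to an audit trail. The roles, actions, users and time window are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed role -> permitted privileged actions table (hypothetical, not from the article).
ROLE_ACTIONS = {
    "dba": {"restart_db", "read_db_logs"},
    "helpdesk": {"reset_password"},
}

@dataclass
class Grant:
    user: str
    action: str
    expires: datetime          # elevation is time-boxed, never permanent

@dataclass
class PrivilegeBroker:
    roles: Dict[str, str]      # user -> role
    grants: List[Grant] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def request(self, user: str, action: str, now: datetime, minutes: int = 15) -> bool:
        """Grant a short-lived elevation only if the user's role permits the action."""
        allowed = action in ROLE_ACTIONS.get(self.roles.get(user), set())
        self._log(now, user, action, "GRANTED" if allowed else "DENIED")
        if allowed:
            self.grants.append(Grant(user, action, now + timedelta(minutes=minutes)))
        return allowed

    def execute(self, user: str, action: str, now: datetime) -> bool:
        """Run a privileged action only under a live grant; log every attempt either way."""
        if any(g.user == user and g.action == action and now < g.expires for g in self.grants):
            self._log(now, user, action, "EXECUTED")
            return True
        self._log(now, user, action, "BLOCKED")
        return False

    def _log(self, now: datetime, user: str, action: str, outcome: str) -> None:
        self.audit_log.append(f"{now.isoformat()} user={user} action={action} outcome={outcome}")

def demo() -> dict:
    """One request/execute cycle against a constructed clock (t0 is arbitrary)."""
    broker = PrivilegeBroker(roles={"alice": "dba", "bob": "helpdesk"})
    t0 = datetime(2011, 3, 1, 9, 0)
    return {
        "dba_granted": broker.request("alice", "restart_db", t0),
        "dba_in_window": broker.execute("alice", "restart_db", t0 + timedelta(minutes=5)),
        "dba_expired": broker.execute("alice", "restart_db", t0 + timedelta(minutes=30)),
        "helpdesk_denied": broker.request("bob", "restart_db", t0),
        "audit_log": broker.audit_log,
    }
```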

Seen clearly, the principle of least privilege makes the trade-off between productivity and security more dynamic. People – employees, partners and third-party associates – get access to what they need to do their jobs, and no more. They are not given the keys to the kingdom in the form of root access for servers or administrator rights on the desktop, which opens the door for both accidental and intentional error, but neither do they have to raise their hand every time they want access to data or to use critical applications they need to do their jobs.

Like Goldilocks and the Three Bears, they are neither given too much, nor too little, but just enough to do their jobs well.

This website is a part of Perspective Publishing Limited, registered in England No 2876166.