Wednesday, November 28, 2007

The Eternal IT Security Struggle.

There seems to be a constant battle between IT and users on the topic of security.

On one side, you have IT who tries to secure systems and on the other, users who chafe at restrictions, sometimes justifiably and sometimes not.

From the IT perspective, the only really secure computer is one that’s turned off and encased in a block of concrete (you could say that being turned off and unplugged is enough, but you can always convince someone to plug it back in), so they try to restrict every point of access that they think is unnecessary.

Looking at it from this angle, users are as much an enemy as the hacker outside your network wanting in.

Users, on the other hand, tend to think any restriction at all is bad and constantly try to find ways around the procedures that have been set in place to secure the computers and network.

So, who’s in the wrong?

Both of them.

Both of those extremes are bad. Security will *never* be absolute. Instead, the best you can do is to manage risk. That means setting sensible policies and making sure that users follow them.

It comes back to a couple of what seem to be my favorite subjects in the field – resources and requirements, and cost/benefit analysis.

First, on the resources and requirements front, which is really basic survival 101 for pretty much any situation (what do we have and what do we need?), your resources are computers, appliances, network infrastructure, people, money (with which to acquire other, needed, resources), and your requirements are the rather nebulous concept of “security”.

Yes, security is a nebulous concept. That’s where the cost/benefit analysis comes in. You have to ask yourself questions like “how rigid do the rules affecting this area need to be so that we have adequate security while allowing our staff to do their jobs without jumping through too many hoops?”

For most places, that means setting workstation passwords. In addition, you may also have password-protected network shares, a whitelist (or blacklist, depending on how strict your security has to be) for what your employees can access outside your network, whether or not they can use a VPN from home, etc.

The answer to those questions will vary from business to business and it would be silly to try and tell you that you absolutely *need* X, Y and Z. In fact, after you set your policies, you need to review them periodically to see if they still meet your needs.

As time goes on, you may find that you need to make some things stricter due to increased threats and new regulations or you might find that some of the rules you thought were great are actually preventing your people from doing their work and can be loosened a bit.

Security isn’t just a set of rules or a box you put on your network. It’s a constantly evolving set of procedures and resources (both in the form of equipment and people).

Part of that is listening to the people the policies apply to. Yes, sometimes users make unreasonable demands and it needs to be explained to them that the demands are unreasonable (and why) and management needs to stand by that decision. However, they are also capable of making suggestions that you might not think of because they work with things in ways that others don’t.

IT and “regular” employees need to work together. If they’re fighting each other, things aren’t getting done. I know that I’ve heard the argument of “IT is a cost center and *we’re* the ones who make money” far too often. The fact is, it’s true, salespeople do bring in money. However, without IT they wouldn’t be able to. What’s more, IT can help *save* your company money which is good for your bottom line.

The point is that everyone in the organization is both part of the problem and part of the solution. Stop drawing lines in the sand and try working together for a change. You might find that the results are much more to your liking.

Current mood: calm
Current music: Rise Against – Paper Wings

Saturday, November 24, 2007

Ghost Town in the Dark of the Night.

Have you ever walked through a town at 3am?

In most places, at that hour, almost nobody is out. It’s like the entire population of the town has disappeared, swept away by some unseen hand. It’s a strangely serene, and at the same time, somehow unsettling, feeling walking through a place that you know in the daylight to be full of people, only to find it populated solely with the ghosts of society in the darkness.

At 3am even driving is like being in some post-apocalyptic movie. The only other vehicles on the road are the occasional long-haul truckers which you can almost convince yourself are hallucinations produced by a mind wishing for company, screaming for contact with someone, anyone, and all you see is the road stretching out ahead of you until it reaches the black nothingness which your headlights fear to illuminate.

It’s like driving through a barren wasteland; especially when it’s snowing and all you can see is white until it merges with the black void beyond your field of vision, causing some sort of seemingly impossible change from one extreme to the other.

Of course it’s quiet. I mean, most “normal” people are at home in bed. The only people who are out are raging insomniacs, people up to no good, the occasional straggler from a bar, those who have to work 3rd shift and people like me who seem to frequently end up with our sleep cycles shifted by several hours for whatever reason.

(Though I will admit to occasional bouts of insomnia. Heck, there have been times when I haven’t managed to sleep for a few days or have only managed to get a few hours’ sleep over the course of a week or more. Thankfully those episodes are pretty rare, but they somehow find me wanting to clean and re-arrange the house in the middle of the night, much to the consternation of my cat.)

Why am I bothering to write this? Simple. Because it’s 3am and I’m sitting here, awake, and realizing that, for whatever reason, my body is not wanting to sleep at all.

In the past, in what sometimes seems like another life, I would grab my coat and go for a walk through town, possibly ending up at some all night restaurant or donut shop and watch the world go by. Heck, in college, I might even wind up wandering around town with a couple of likewise-afflicted friends.

Unfortunately I can’t do that here because there really don’t seem to be any of the aforementioned joints and dives that are open all night, and, truth be told, it seems like fewer people are out at this hour in this town than any other place I’ve ever been.

So, with that habit basically not an option (which, I have to tell you, makes me feel restless because, as odd as it may sound to some people, I really do crave the ability to wander), I tend to sit here and either read or write in the darkest hours of the night, waiting for my body to come to grips with the fact that it has to shut down for a few short hours.

Current mood: tired
Current music: Machines Of Loving Grace - Golgotha Tenement Blues

Monday, November 19, 2007

They’re killing my childhood.

It seems that they’re releasing the early seasons of Sesame Street on DVD, but are labeling them as being for adult entertainment due to things that are now controversial (Monsterpiece Theater where Cookie Monster has, and eats, a pipe for example).

That’s right. The stuff that I, along with countless others, grew up on is apparently not suitable for kids. I actually caught an episode of what they’ve turned Sesame Street into a while back. It was sad.

I have the following to say *puts on his Grover suit*


*runs away*


*takes off the Grover suit*

(Sorry. Couldn’t resist.)

Speaking of things I miss from my childhood – lawn darts (hey, it’s not my fault that people were stupid when they used them. They were fun).

This post has been brought to you by the letter 3 and the number Cat :-P

Current mood: eh
Current music: none