
The Security Conundrum

Written by Oliver Marks, Contributor

The above xkcd cartoon does a great job of encapsulating the difference between a technology perspective on securing data and the realities of human nature.

Keeping information secure is the top priority and responsibility of all IT departments, whether they are running extranets and VPN tunnels through their firewalls to their data, or experimenting with putting data in the cloud.

Two analogies. One: you could argue that modern IT infrastructure, given the inherent weaknesses of the public internet, is often not dissimilar to Medieval fortification techniques.

Two: if someone puts their mind to attacking someone else, rather depressingly there is a myriad of ways they can achieve their goal, anytime and anywhere. This is also true of those who seek to gain access to your protected information, as the above cartoon illustrates. If we take the Medieval Fortress IT analogy, many people are starting to ask hard budget questions about the value of maintaining motte-and-bailey style citadels: it got pretty pricey building those stone castles on the top of man-made hills with a ditch around them. Even if they were successful at keeping out the hordes of barbarians, the modern IT equivalent, firewalls ring-fencing on-premise hardware, has huge scaling issues. Like the castle's stone perimeter wall on the top of the hill, it's expensive and complicated to expand.

The modern military don't inhabit stone fortresses anymore: the advent of cannons ended the castle era. Curved walls helped to encourage cannon balls to bounce off, and expensive hot lead continued to be poured on the heads of the heathen hordes climbing up to try and get in, but eventually artillery grew more powerful and castles became sitting ducks waiting to be knocked down.

Medieval-style IT strategy, often planned long ago by people for whom 'change management' meant non-agile waterfall software development change boards rather than the modern term for changing the way people work, is surely on its way out in these difficult budgetary times. For all the manning of ramparts and fending off of hostile attacks, centralized citadels are an attractive, easy-to-find target.

Modern collaboration often entails complicated cross-pollination between many business entities, whether multiple divisions of the same company, the result of mergers and acquisitions, or international partners. The astonishing power and productivity efficiency released by this interconnectivity is often severely restricted when it comes up against the cold stone walls of IT fortresses. While many in the IT security world are adept at creating a 'performance fabric' of networks to interconnect the various internal and external software packages needed to enable peak performance by modern corporations, many IT professionals are bound by internal rules to continue to protect their firewall ramparts with bows and arrows and buckets of boiling water. These structures are the ones which are both expensive to maintain and very restricting for their inhabitants.

The fact is (switching now to analogy number two) that if someone wants to find specific information within your company, there are lots of ways they can intercept it, James Bond style. Making a phone call posing as IT support to steal a user's password is like stealing the key to the castle's drawbridge.

There are countless ways to exploit human weakness which are infinitely more powerful than storming the IT ramparts. I know of an international collaboration environment planned out to give every user a unique view of only the content they are allowed to see: a hugely costly and complex matrix of users internationally. The system was conceived in offices where everyone sits in their own private cubicles or offices.

Most of the other international locations, however, have open-plan offices, with monitors easily visible to other users, so it's easy to see the supposedly secret stuff your colleague is working on.

My point ultimately is that strategizing what information should be discreetly hidden, and what can be hosted in a low-cost, relatively unprotected way, is rapidly becoming the battleground between line-of-business and IT security. And the bean counters are watching closely, anxious to maximize return on investment.

I sense a tipping point is being reached...
