When security lacks context … AKA: that guy with a big, annoying ring of keys

Let’s talk for a minute about security, or more specifically, let’s talk about the security of your IT systems, your users, and the data that they both use to further your business. Security is really important; after all, if your stuff falls into the wrong hands, all kinds of trouble results. So we implement practices and systems to make sure that does not happen. But the trouble comes in HOW we secure our crown jewels.

Because our environments have grown organically over time, and not toward an ideal, perfect end-state determined before we even started the business, security has – out of necessity – grown organically as well. It’s just the way it is, and there are some negative implications associated with this approach. If we were able to clearly see the end state (and every waypoint along the way), we could design and implement a security approach that provides exactly the right controls and the right visibility the entire time. But we can’t, so we do the best we can with what we have.

The result is what I like to call the “jangling ring of keys” approach to security.

When a new system is added to your environment, the right thing to do is evaluate who should be able to access that system and what each individual (or role) should and should not be able to do on it, and then implement security accordingly, designed specifically for that system. In essence, you put a lock on the door and issue a key to everyone who needs to go through the door. If you don’t have a key, you can’t get in. Then when another system comes online, you install another lock and issue another set of keys. Maybe once in a while you get lucky and an existing lock and existing set of keys perfectly matches the requirements of the new system, but that doesn’t happen often, and you’d better be really confident that EVERYONE with a key should actually have one.

Things get really interesting when you have authorized users who are required (or want) to come into the environment through a new door. If suddenly users must access systems remotely or with new devices that your organization may or may not control, you have another decision to make. How much control (i.e., how many new doors and new keys) is necessary for this new (and often riskier) access scenario? Your stuff has not become any less valuable, so you install a new door, issue new keys, and instruct your users that if they need to access the system under rule-set A, they must come in through door number 1 and use the blue key; but if they are accessing under rule-set B, they use door number 10 and the red key.

It’s a mess, and the result is fundamentally a big ring of keys (like that creepy guy pushing the mop and bucket through the halls of your high school) and a bunch of stuff that each user needs to remember in order to do their job. Users suffer because they spend lots of time simply unlocking doors before they can do their work. IT suffers because they spend lots of time reminding people which key opens which door and when to use each. The business suffers because people aren’t doing their jobs as well, IT is focused on things that don’t enable business success, and security has become a barrier, not an enabler. It’s because security is static – a series of yes/no decisions with no correlation across them. If any single decision is a no, it doesn’t matter how many yeses there are: access is denied.

But what if you could take into account the context of the access request and make an informed, risk-based decision in real time, one that allows the correct access in every situation? That would be cool. Suddenly people can do their jobs better, are happier, and your business moves forward.

This concept of context-aware (sometimes called adaptive) security is a reality and can actually be easily woven into your existing security practices. It breaks down the barriers of siloed, key ring-type, static, yes/no security and replaces it with an intelligent, risk-based approach that returns the right access decisions each and every time – regardless of the moving target of who, when, where, what, why, and how.
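To make the contrast concrete, here is a small added illustration (not code from this post or its white paper) written in Python: a toy policy engine that evaluates one access request first the static, "ring of keys" way and then the context-aware way. The resource table, risk weights, and thresholds are constructed assumptions; real products derive them from their own policies and telemetry.

```python
from dataclasses import dataclass

# Hypothetical policy table (constructed for this example): which roles may use a
# resource at all, and how sensitive it is. Sensitivity scales the context risk.
RESOURCES = {
    "payroll": {"roles": {"finance"}, "sensitivity": 2},
    "wiki":    {"roles": {"finance", "engineering"}, "sensitivity": 1},
}

@dataclass
class AccessRequest:
    """The who / what / when / where / how of one access attempt."""
    user: str
    role: str
    resource: str
    hour: int            # local hour of day, 0-23
    network: str         # "corp" or "internet"
    managed_device: bool
    new_location: bool   # location differs from the user's recent history

def static_decision(req: AccessRequest) -> str:
    """'Ring of keys' model: independent yes/no checks; any single 'no' denies."""
    checks = [
        req.role in RESOURCES[req.resource]["roles"],
        req.network == "corp",
        req.managed_device,
    ]
    return "allow" if all(checks) else "deny"

def risk_score(req: AccessRequest) -> int:
    """Correlate the context signals into one score instead of judging each alone."""
    score = 0
    if req.network != "corp":
        score += 30      # how: coming in through the 'remote door'
    if not req.managed_device:
        score += 25      # how: a device the organization does not control
    if req.new_location:
        score += 20      # where: unusual for this user
    if not 7 <= req.hour <= 19:
        score += 10      # when: outside normal working hours
    return score * RESOURCES[req.resource]["sensitivity"]

def contextual_decision(req: AccessRequest) -> str:
    """Context-aware model: authorization stays a hard gate, then risk picks the outcome."""
    if req.role not in RESOURCES[req.resource]["roles"]:
        return "deny"
    score = risk_score(req)
    if score < 40:
        return "allow"
    if score < 80:
        return "step-up"   # e.g. ask for a second factor rather than refusing outright
    return "deny"
```

A finance user on a managed laptop at home is denied by the static checks (wrong network) but gets a step-up prompt from the contextual engine, while the same user on an unknown device, from a new location, at 2 a.m. is denied by both.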

If this sounds like an approach that would benefit you and your organization, read the white paper “Context-aware Security – The Who, What, When, Where and Why of Access.” I’d love to get you started down the path to improved security AND business.

Anonymous