Dividing Responsibilities

A primary rule for doing business is to never put all your eggs in one basket. Never have all your investments in one industry; never rely on a single individual for performing critical processes; and never, never assign all security responsibilities to one employee, one system, or one process. And, if you are a security professional, make sure you are never the one with all the responsibilities and power.

Two things about us humans: We are very curious and we are very good at deception. Earlier I talked about "The Rule of Trust," which ties very closely to this concept of division. Since we should never fully trust anyone with our security, we must make sure that everyone is subjected to the same degree of security checking. This includes our security professionals, our managers, and our consultants. These individuals should have to request access, be required to authenticate, and have their actions restricted and logged just like everyone else. Anyone who is not restricted by such measures is a security threat to our environment, even if "he's/she's the nicest person in the world." A common mistake organizations make is to put complete power into the hands of their best employees. If Jane is the smartest woman in the world and can fix any problem in a matter of seconds, we have a tendency to give her access to everything and monitor nothing that she does. This, however, presents an all-too-fatal hole in our security model and often leads to major security problems.

During one consulting engagement, I was brought in because the head UNIX administrator was starting to cause problems. Apparently, he did not receive the raise he desired and began to act strangely and make threats. Unfortunately, this individual had access to everything UNIX-based and was also the employee enforcing and checking security. Before anything could be done, the individual erased the entire DB storing client data gathered over thousands of hours. Much of the information was time-sensitive and could not be recovered.

Separating responsibilities does not stop with personnel, however. This concept applies just as strongly to placing all our faith in one security application, or one security device. If Server X is the only thing protecting our entire company, performing filtering, content management, intrusion detection, and authentication, and running our VPN and logging, we have a security issue. No system is perfect, and no security device is unbreakable. At a minimum, we should always have something monitoring and protecting the security of our main security devices.

Practicing Division of Responsibilities

Dividing responsibilities requires that we follow some standard management practices:

  • Maintain redundant staff. Even if you are not budgeted for two people trained in a specific area, make sure that there is a designated backup employee who can take over another security employee's primary responsibilities.

  • Monitor everyone equally. Ensure that any security measure applied to the organization is either universally enforced or has some equivalent security measure applied to the administrators and security staff. If the security staff monitors everyone's access, make sure you have someone else in charge of monitoring them. This does not mean you have to have a duplicate guru in every area of practice, just someone who is capable of keeping an eye on the other employees. Always follow the Rule of Trust, especially with more powerful staff members.

  • Enforce security rules on everyone equally. Everyone should be made aware of the rules and the fact that no one is an exception. In many organizations, when Administrator X is found knee-deep in sensitive information, it is all too easy to accept the excuse that administrator privileges were needed for one reason or another. If, however, there are standard security measures to get through, he or she is unlikely to have bypassed the required clearance. And if such clearance was bypassed, then at least there is an indication, and evidence, that something is going on.

  • Always follow layered security practices (discussed earlier). If the firewall fails, what then? Will everyone be allowed into the network? Will we even know? Every security device should have some small external component assisting in security. Firewalls, for instance, should be behind screening routers. Even if the firewall were compromised, the router would still allow only specific traffic through. The firewall, as with all security components, should be reporting logs back to a central logging server that is separate from the firewall itself. This logging server should be able to tell when a system has been compromised, and should be capable of monitoring the important security devices.
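The last two practices, watching the security devices from a separate logging server and monitoring the administrators just like everyone else, can be mechanized. The following is an added example, not code from the book: a small central-log check that flags a monitored device that has gone silent and any administrative action on a security device that lacks an approved change ticket. The log format, device names, tickets and the silence threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed log lines as a central log server might receive them from the
# firewall (fw01) and the screening router (rtr01) in front of it.
SAMPLE_LOGS = """\
2006-03-01T10:00:00 fw01 heartbeat ok
2006-03-01T10:00:05 rtr01 heartbeat ok
2006-03-01T10:05:00 fw01 heartbeat ok
2006-03-01T10:05:05 rtr01 heartbeat ok
2006-03-01T10:06:00 fw01 AUDIT user=jane action=rule_change ticket=CHG-41
2006-03-01T10:07:00 fw01 AUDIT user=bob action=logging_disabled ticket=none
2006-03-01T10:10:05 rtr01 heartbeat ok
2006-03-01T10:15:05 rtr01 heartbeat ok
2006-03-01T10:20:05 rtr01 heartbeat ok
"""
MONITORED = ("fw01", "rtr01")        # security devices that must never go unwatched
APPROVED_TICKETS = {"CHG-41"}        # constructed change-approval list
MAX_SILENCE = timedelta(minutes=10)  # a device quiet this long is an incident

def parse(text):
    """Turn '<iso-timestamp> <device> <message>' lines into tuples."""
    entries = []
    for line in text.splitlines():
        ts, device, msg = line.split(" ", 2)
        entries.append((datetime.fromisoformat(ts), device, msg))
    return entries

def silent_devices(entries, now):
    """Monitored devices whose last message is older than MAX_SILENCE (or never seen)."""
    last_seen = {}
    for ts, device, _ in entries:
        last_seen[device] = max(ts, last_seen.get(device, ts))
    return sorted(d for d in MONITORED if now - last_seen.get(d, datetime.min) > MAX_SILENCE)

def unapproved_admin_actions(entries):
    """Administrative actions on a security device with no approved change ticket."""
    alerts = []
    for _, device, msg in entries:
        if not msg.startswith("AUDIT "):
            continue
        fields = dict(f.split("=", 1) for f in msg.split()[1:])
        if fields.get("ticket") not in APPROVED_TICKETS:
            alerts.append((device, fields["user"], fields["action"]))
    return alerts

def report(text=SAMPLE_LOGS, now="2006-03-01T10:21:00"):
    entries = parse(text)
    return {"silent": silent_devices(entries, datetime.fromisoformat(now)),
            "unapproved": unapproved_admin_actions(entries)}

if __name__ == "__main__":
    print(report())  # fw01 went quiet right after bob disabled its logging
```

In the constructed data the firewall stops reporting immediately after an unapproved "logging_disabled" action, which is exactly the pairing a separate logging server exists to surface; neither check depends on the firewall's own judgment of its health.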

Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day
