The Answer Should Be “Why?”
Dark Reading had an interesting article up yesterday about a study done by Palo Alto networks that will be released next week. The study is apparently data from 20 different enterprises that was gathered during vulnerability assessments done to help with development of Palo Alto’s new firewall product.
Apparently Palo Alto discovered some disturbing but not too shocking statistics about the use of unauthorized applications by users. According to Palo Alto Vice President of Marketing, Steve Mullaney, here is some of the information in the study:
- 80% of organizations allow the use of proxies by users
- 50% of the organizations support the use of TOR or other encrypted communications by users
- 90% of HTTP traffic was not for browsing, but for web-based application use
- There was little difference in this behavior between organizations with strict policies and those with lax policies
In short, users are bypassing technical controls and ignoring organizational policies to access the applications they want to run.
Personally, I think that the reason for this was summed up in the article nicely with the following quote from Mullaney:
“Up to now, the security guy has always been the guy who said ‘no’ to everything”
Yes, this study was done by a company developing a product to combat these issues. Yes, this quote was from an individual in marketing at Palo Alto. Yes, Palo Alto is hoping that this study will help it sell its new firewall product. However, this quote strikes at the heart of the reason that users usually try to circumvent current security controls.
Too often the answer to user requests is “No”. Even I have to fight the urge to immediately deny requests, especially requests that create serious security problems. Yet, saying “No” is the wrong action to take. Instead we should be asking “Why?”
When we deny requests, the assumption tends to be that the issue is resolved. Request denied. Case Closed. However, we need to remember that people just want to do their jobs, preferably in the easiest manner possible. Simple rejection, even with an explanation as to why it will not be allowed, is simply driving our users to circumvent the very controls keeping our organizations safe. After all, where there is a will, there is a way.
Yet by asking why users want this new application, feature, or access, we understand what they are trying to do. By asking why users are unable to achieve their objective within the current environment, we understand what problems the users are experiencing. By asking why instead of telling them no, we can gain a better understanding of how the organization's information and information systems are being used. This understanding puts us in a better position to protect the organization.
After all, if security is everyone's responsibility, do we not owe it to our users to help make sure they are able to do their jobs in the most efficient and secure manner?