Forget File Server Security and Buy Me a Padlock
I was recently with a client whose CTO asked a difficult question. You see, he had been asked by his boss to start doing a better job securing company file servers and other network assets. Like many organizations,its security efforts had been a bit haphazard, and resource permissions weren't exactly in stellar shape -- there were access control entries for individual people who weren't with the company any more, it was difficult to determine who had access to what, and so forth.
His question to me, however, wasn't about the best way to fix things up. He wanted solid grounds to tell his boss no. Or at least, not right now.
You see, he knew that this security fixup was mainly being driven by hype and not by any real business need. He knew it would have to be done, but the directive was coming at a bad time given the company's other concerns and priorities. He knew that this task was going to be expensive, and he didn't want to spend that money right then.
It was kind of a shock, frankly. But I shrugged, and led him out of his office. "I'll show you a reason why locking down network security is kinda silly," I told him. "And this is true in most companies." I pointed to a laser printer, which had a stack of recently printed documents next to it. I pointed to a broken shredder, which had a huge pile of "confidential documents to be shredded" sitting next to it. I pointed to employees' desks, which had file cabinets without locks. "You can lock down the network, but your employees appear to print everything, and those printouts aren't secured in any way at all."
His face fell. Sure, I'd pointed out a reason why securing the network wasn't a high priority -- but I'd done so by pointing out a higher security priority: The real-world treatment of sensitive information.
Now, don't get me wrong -- I know the network should be secured. It's accessible from a broader range of locations and devices than the office. But our offices are rarely that secure. People "tailgate" when entering the office with their smart card badges. Custodial staff and other individuals -- often contractors -- have unfettered access to the office after hours when nobody is watching. And c'mon, doesn't it seem a bit silly to spend all that time on money locking down the network when users can just leave printouts of the same data lying around wherever?
I know, I know -- we have to secure the network. I'm not suggesting otherwise. I'm just also suggesting that we have someone look at the security of those same resources once they leave IT's control.
What's your company's policy in physical security? Do you have a locked-down network and a wide-open real world?
Posted by Don Jones on 12/02/2011 at 1:14 PM