IT Decision Maker

Blog archive

Forget File Server Security and Buy Me a Padlock

I was recently with a client whose CTO asked a difficult question. You see, he had been asked by his boss to start doing a better job securing company file servers and other network assets. Like many organizations,its security efforts had been a bit haphazard, and resource permissions weren't exactly in stellar shape -- there were access control entries for individual people who weren't with the company any more, it was difficult to determine who had access to what, and so forth.

His question to me, however, wasn't about the best way to fix things up. He wanted solid grounds to tell his boss no. Or at least, not right now.

You see, he knew that this security fixup was mainly being driven by hype and not by any real business need. He knew it would have to be done, but the directive was coming at a bad time given the company's other concerns and priorities. He knew that this task was going to be expensive, and he didn't want to spend that money right then.

It was kind of a shock, frankly. But I shrugged, and led him out of his office. "I'll show you a reason why locking down network security is kinda silly," I told him. "And this is true in most companies." I pointed to a laser printer, which had a stack of recently printed documents next to it. I pointed to a broken shredder, which had a huge pile of "confidential documents to be shredded" sitting next to it. I pointed to employees' desks, which had file cabinets without locks. "You can lock down the network, but your employees appear to print everything, and those printouts aren't secured in any way at all."

His face fell. Sure, I'd pointed out a reason why securing the network wasn't a high priority -- but I'd done so by pointing out a higher security priority: The real-world treatment of sensitive information.

Now, don't get me wrong -- I know the network should be secured. It's accessible from a broader range of locations and devices than the office. But our offices are rarely that secure. People "tailgate" when entering the office with their smart card badges. Custodial staff and other individuals -- often contractors -- have unfettered access to the office after hours when nobody is watching. And c'mon, doesn't it seem a bit silly to spend all that time on money locking down the network when users can just leave printouts of the same data lying around wherever?

I know, I know -- we have to secure the network. I'm not suggesting otherwise. I'm just also suggesting that we have someone look at the security of those same resources once they leave IT's control.
What's your company's policy in physical security? Do you have a locked-down network and a wide-open real world?

Posted by Don Jones on 12/02/2011 at 1:14 PM


Featured

  • How To Fix the Hyper-V Read Only Disk Problem

    DOS might seem like a relic now, but sometimes it's the only way to fix a problem that Windows seems ill-equipped to deal with -- like this one.

  • Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

    Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

comments powered by Disqus