How organisations weaken their own security without realising

A couple of real examples about how organisational disharmony causes security problems.

I visit a lot of customers with similar requirements: "our wired/wireless network needs securing". The solution is, more or less, always the same, and it's simple enough to implement when you've been through the process so many times.

Simple enough, says I, but it requires different parts of an IT team, parts that are so often like oil and water, to work together seamlessly. Yes, you've probably guessed it: we need the Network Team, the Server Team and the Desktop Team to all work together to deliver one secure solution.

In some (rare!) cases, IT teams are multiskilled and I get to work with one person who has access to, and good knowledge of, all of the systems involved. Bliss! One person who can read a security policy and who can work with me through lots of systems, so they can see how their policy is implemented end-to-end: clients, switches, wireless LAN controllers, RADIUS servers, SSL certificates, domain security policies, troubleshooting methodologies, approaches to managing change, and so on. Perfect! This is my ideal: implementations happen quicker (saves money), with fewer problems (saves money, improves end-user perception), and are more secure (because there are fewer interconnects between teams where problems can occur).

In most cases, however, especially in big corporates, IT teams are split into silos and, in my experience, they seldom play nicely together. Who, for example, should look after a RADIUS server? "It's a server, so the Server Team should" is the obvious answer, but it's used by the Network Team to secure the network, and as it's Cisco ISE or HP Clearpass it's nothing the Server Team know about, so it's now the Network Team's responsibility. Fine, Networks it is. But the RADIUS server will reference AD group memberships: who keeps these up to date? What if the Server guys have a tidy-up and delete some groups the RADIUS server was using? "The network is down" come the cries from the office floor when nobody can get access, without the Network guys having done anything wrong at all.

"Change Management will stop that from happening" is the common response, but "not always effectively enough" is my experience. I've seen customers run siloed change control processes, for example. One Server guy talks to another Server guy about deleting some AD groups. Neither knows how the RADIUS server uses the groups, so they get deleted and they break RADIUS. Even with customers that run sensible change control processes with all of the stakeholders involved, it's still human nature to focus on what you're interested in. If the Desktop Team say they want to roll out a new AV client, will the Network Team, who are running posture assessment via Cisco ISE, remember to implement new posture policies? Not always. When the Network Team roll out a new secure SSID and ask the Desktop/Server Team to push out a new policy to ensure clients use the new SSID correctly and securely, does it always happen perfectly? Does it even happen at all? Not always. In my experience, teams are too often guilty of an inward-looking mentality: "how can we help ourselves" instead of "how can we help the teams around us".
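The AD-group scenario above is the kind of cross-team dependency that change control misses because nobody in the Server Team's review can see what the RADIUS server references. The following is an added example (not from the original post, and not tied to Cisco ISE, HP Clearpass or any real product API): a small pre-change dependency check that, given the directory groups each RADIUS authorisation policy depends on, reports which policies already reference a group the directory no longer has, and which policies a proposed group deletion would break. The policy list, the directory group set and the proposed deletion are constructed sample data; in practice you would export them from your RADIUS server's policy set and from AD.

```python
"""
Pre-change dependency check for RADIUS policies that reference AD groups.

Added example with constructed data. The policy names, group names and the
Policy structure are assumptions for illustration, not any vendor's schema.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    """A RADIUS authorisation policy and the directory groups its conditions use."""
    name: str
    groups: list


# Constructed sample: what the Network Team's RADIUS policy set depends on.
POLICIES = [
    Policy("Corp-Wireless-Staff", ["Domain Users", "Wireless-Allowed"]),
    Policy("Corp-Wired-Printers", ["Printer-MAB-Devices"]),
    Policy("Corp-VPN-Admins", ["VPN-Users", "IT-Admins"]),
]

# Constructed sample: groups currently present in the directory.
# "IT-Admins" has already been tidied away by somebody, so one policy is
# already silently broken before any new change is proposed.
DIRECTORY_GROUPS = {"Domain Users", "Wireless-Allowed", "Printer-MAB-Devices", "VPN-Users"}


def _norm(name: str) -> str:
    """AD group names are not case-sensitive, so compare them case-folded."""
    return name.strip().casefold()


def dangling_references(policies, existing_groups):
    """Return {policy name: [groups it references that the directory lacks]}.

    Run this on a schedule: it catches deletions that never went through
    change control at all, which is the siloed-change case in the text.
    """
    existing = {_norm(g) for g in existing_groups}
    broken = {}
    for policy in policies:
        missing = [g for g in policy.groups if _norm(g) not in existing]
        if missing:
            broken[policy.name] = missing
    return broken


def impact_of_deleting(policies, groups_to_delete):
    """Return {policy name: [groups in the proposed deletion it depends on]}.

    Run this against a change request before approval: an empty result means
    the deletion touches nothing RADIUS relies on. Only the proposed groups
    are reported, so pre-existing breakage is kept separate (see above).
    """
    doomed = {_norm(g) for g in groups_to_delete}
    impacted = {}
    for policy in policies:
        hit = [g for g in policy.groups if _norm(g) in doomed]
        if hit:
            impacted[policy.name] = hit
    return impacted


def change_report(policies, existing_groups, groups_to_delete) -> str:
    """Human-readable summary suitable for pasting into a change ticket."""
    lines = []
    already = dangling_references(policies, existing_groups)
    for name, groups in sorted(already.items()):
        lines.append(f"ALREADY BROKEN: {name} references missing group(s) {groups}")
    impact = impact_of_deleting(policies, groups_to_delete)
    for name, groups in sorted(impact.items()):
        lines.append(f"WOULD BREAK: {name} depends on group(s) {groups} in this change")
    if not impact:
        lines.append("No RADIUS policy depends on the groups in this change.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed change request: the Server Team proposes deleting one group,
    # written in a different case from the policy reference to show the
    # case-insensitive match.
    proposed_deletion = ["wireless-allowed", "Old-Project-Share"]
    print(change_report(POLICIES, DIRECTORY_GROUPS, proposed_deletion))
```

The report deliberately separates "already broken" from "would break": the first is something to fix regardless of the change, the second is the reason to send the change request back to the stakeholders who own the RADIUS policy. Both checks are cheap enough to run as a pre-approval gate, which is what turns the tribal knowledge described above into something the process can actually enforce.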

In today's ever more integrated world of IT solutions, I'm starting to think that strictly siloed working practices are borderline dangerous. Sure, you'll always need a specialist in one thing or another, but in my experience, the more people that have a nice wide end-to-end view of how "IT solutions" operate, the more usable and more secure the solution will be. If everybody involved has a solution-wide view, far fewer things will fall between the gaps, leaving fewer issues for users and fewer attack vectors for hackers.
