Sysadmin vs trust - security models
BS7799 and IT governance expert Alan Calder explains the ABCs of business security and compliance in his weekly series for Cambridge Network members. This week he looks at security models
Here's the thing: you invest eye-watering sums of money in information security - hardware, software, processes, staff and more staff - and then a key corporate secret is stolen, a hacker corrupts essential records, or a business critical system is taken offline. And why? Because some member of staff handed over a password in exchange for a chance of winning some theatre tickets!
That leads to yet more expenditure, in eternal pursuit of the dream of security, bolstering the role and central importance of the system administrator, the hopefully paranoid believer in human fallibility.
Until the next time.
There are basically two information security models. One, the 'sysadmin' model, is founded on the certainty of irresponsible user behaviour. The other, the 'trust' model, is founded on the notion that, with a modicum of training, users can be trusted and would become part of the battle against the Malevolency outside the secure perimeter.
The Risks
The risks in any centrally enforced security model are two-fold: the weakest link is always the human one (and the system administrator is also human), and the centrally secured work environment is not necessarily the most productive one – particularly in these days of highly flexible, highly competitive, customer-focused corporate strategies.
The fact is that, in spite of all the centralised systems, approximately half of all information security incidents actually are triggered by insiders.
The Impacts
The insider-triggered security incident can be even more destructive than an externally originated one, because of the (false) sense of security the board has derived from its long term investment in all the recommended security technologies.
Survey after survey shows that the majority of employees in organizations, the actual computer users, are inadequately trained, that they don’t “get” information security, that they don’t really know what they’re supposed to do, or why, or how to do it. Computer magazines – which of course aren’t written by geeks for geeks – regularly run stories about the stupidity and incompetence of users, but contain little (nothing) about real training and awareness initiatives.
What do we do about it?
Conceptually, this is not hard: basic training and regular awareness updates for users, delivered as part of induction, with every change or upgrade in system, and on a regular, refresher basis. Of course, you need an information security infrastructure that will assure you of the confidentiality, availability and integrity of your information, but designing and delivering a real, interesting, lively training and awareness program is considerably less expensive than installing the latest information security ‘solution’ which will fail to solve the problem of the disengaged computer user.
Next week: Worms and Trojans
Alan Calder’s company provides businesses with consultancy support and advice on governance and information security. Visit http://www.itgovernance.co.uk/consulting.aspx, e-mail alan@itgovernance.co.uk or telephone + 44 845 070 1750