No Easy Fix for Internal SecurityBy Channel Insider Staff | Posted 2004-08-16 Email Print
WEBINAR: Event Date: Tues, December 5, 2017 at 1:00 p.m. ET/10:00 a.m. PT
How Real-World Numbers Make the Case for SSDs in the Data Center REGISTER >
Opinion: The idea of banning portable storage media in the workplace sidesteps the fact that internal security is a human issue, not a technical one.Not too long ago, the Gartner Group raised a minor dustup in the IT community by releasing a report claiming that portable storage mediaincluding consumer devices such as cameras and MP3 players with built-in or removable memoryrepresent a new security threat to corporate networks.
While I am almost always happy to see people talking about security beyond firewalls and virus scanners, this particular case represents a classic example of the way in which the tech communityincluding the mediaregularly bungles security issues.
According to the Gartner Group, these devices have grown so easy to use, and place so much memory within such small and innocuous physical packages, that they represent a dangerous new mechanism for employees to steal data or introduce malicious code into corporate networks.
So, how should businesses address this issue?
Internal security is an enormous topic, but the first step is to recognize it as a human, rather than a technical problem. If an employee can access a specific piece of data, he or she can steal it, no matter what technological precautions you may take. Human issues require complex, nuanced responses, and they rarely have a "silver bullet" solution.
The best precaution you can take is to know your employees. Before you give someone access to your valuable data, it is entirely appropriate for you to take reasonable steps to be confident that they are trustworthy. Keep in mind, however, that it's important to be completely upfront with the applicant about those steps.
When making a new hire, ask applicants hard questions, check credit reports and really interview references; don't take anything at face value. Respect for staff's privacy is both ethical and necessary to maintain a productive work environment; nevertheless, managers must be held responsible for awareness of staff's personal qualities, interpersonal dynamics and morale. Don't snoopBig Brother in the workplace accomplishes nothing but making employees miserablebut know your people, who should be trusted, and how far.
No, striking a balance isn't easy. But keep in mind that the primary role of technology in this process should lie in maintaining appropriate limitations on access to data. Know what information individual employees need to do their jobsand what they don't.
Use network authorization and authentication systems, account restrictions and OS-level permissions to make sure staff can easily access appropriate data but nothing else. Make liberal use of internal firewalls, encryption and intrusion-detection systems to detect and block attempts to circumvent your access controls. These systems should be as transparent as possible to your employees; think of them as the digital equivalent of locks on filing cabinets and office doors.
Last, and definitely least, if removable media remain a particular concern, consider taking technical steps to prevent them from interfacing from your network. I would definitely not recommend banning cameras and MP3 players from the office, but there is nothing necessarily wrong with preventing them from being plugged into office computers or other equipment.
Keep in mind that these measures are pointless unless they also include steps for disabling CD and DVD burners, Zip drives and other writable media. This approach can require substantial investments in time and money, restricts legitimate and useful functionality, and is far from foolproof. But in high-security environments, it can provide some additional protection when used in conjunction with other precautions.
Understanding that some of the biggest threats to your network come from the inside is crucial to a realistic assessment of your security needs. Looking for a simple answer to a complex problem, however, is just asking for trouble.