Securabit has conveniently consolidated the latest data breach research for you. Said research reinforces the truth that “information security” is thus far an oxymoron, or a state of mind. Because systems that involve people are generally prone to failure (see our last post), perhaps we should turn to solutions that have merit but have not garnered much attention: encryption, secure coding practices, and automated monitoring.
These solutions don’t get taken seriously. Organizations use full-disk encryption on laptop computers (good idea), but leave their servers exposed, in blissful ignorance of the truth that the network is indefensible. They continue to use and reuse bad code and pay little attention to application security, with the notable exception being Web-facing interfaces. Those are heavily tested for known vulnerabilities, but not the unknown ones—only monitoring would catch those. But to record and retain reams of logs without understanding the contents and meaning of the information in them is fruitless. Ignoring investments in technology that can consolidate, aggregate, and report threats and vulnerabilities is equally fruitless.
If we assume for the moment that encryption is a best-known-method for data protection, that poor coding practices are a root cause of software vulnerabilities, and that automated monitoring can detect, report, and sometimes even correct incidents while constraining the possibility of human error, then why do managers have so little regard for them? This is undoubtedly a complex issue, but much of the reluctance could have to do with IT management’s perceived priorities.
It’s easy for IT departments to push access control to business units. It’s easy to write policy and hope for compliance. It’s easy to deploy intrusion detection and prevention without having to pay much attention to care and feeding. Not so with encryption, code review, and monitoring. They require effort. But for all that effort, they don’t deliver any functionality to end users. Even worse (for IT management), they might surface IT management problems.
A colleague’s recent experience speaks volumes about the problem. She met with the IT support manager for one of her organization’s flagship applications to discuss automated monitoring, but it’s safe to say that the example extends to encryption, secure coding practices, or any other IT security matter. At one point in the conversation, she told him that she could detect fraud by simply executing queries against a production database. His response was interesting, to say the least. She summarized it as follows: “That would degrade performance,” “We don’t need monitoring; we already have controls,” “No IT staff are available for this effort,” and “A formal project will have to be chartered in order for us to help you.”
Later in the conversation, my colleague let the manager in on the fact that she had already implemented the queries and had been monitoring user activity for weeks. He was furious, demanding that she cease immediately. Any of his stated objections might have been true, except that he reiterated the same objections as his rationale for demanding that the monitors be removed. Perhaps he truly had concerns about the need for the solution, its performance, staffing availability, or the approach that my colleague took. But he had lost credibility.
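To make the kind of query-based monitoring my colleague ran concrete, here is an added example. It is not her code and not code from the original post; the activity table, its columns, the action names, and the sample rows are all constructed for illustration. Two checks run against an in-memory SQLite copy of the table: a segregation-of-duties check (the same user created and approved a payment) and an off-hours check on sensitive actions.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample of application activity (hypothetical schema, not real data).
# Columns: id, user, action, record_id, amount, ts
SAMPLE_ROWS = [
    (1, "alice", "create_payment",     "P100",  4200.00, "2010-08-02 10:15:00"),
    (2, "bob",   "approve_payment",    "P100",  4200.00, "2010-08-02 11:02:00"),
    (3, "carol", "create_payment",     "P101",   950.00, "2010-08-03 09:40:00"),
    (4, "carol", "approve_payment",    "P101",   950.00, "2010-08-03 09:41:00"),  # self-approval
    (5, "dave",  "update_vendor_bank", "V77",       None, "2010-08-04 02:13:00"),  # 02:13, off hours
    (6, "alice", "create_payment",     "P102", 12000.00, "2010-08-04 14:00:00"),
    (7, "bob",   "approve_payment",    "P102", 12000.00, "2010-08-04 14:30:00"),
]

# Actions worth flagging when they happen outside business hours (assumed names).
SENSITIVE_ACTIONS = ("update_vendor_bank", "approve_payment")


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory copy of the hypothetical activity table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE activity (
            id        INTEGER PRIMARY KEY,
            user      TEXT NOT NULL,
            action    TEXT NOT NULL,
            record_id TEXT NOT NULL,
            amount    REAL,
            ts        TEXT NOT NULL   -- 'YYYY-MM-DD HH:MM:SS'
        )
    """)
    # Index the columns the checks join and filter on, so each run touches
    # only the rows it needs rather than scanning the whole table.
    conn.execute("CREATE INDEX idx_activity_record_action ON activity(record_id, action)")
    conn.execute("CREATE INDEX idx_activity_ts ON activity(ts)")
    conn.executemany("INSERT INTO activity VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_self_approvals(conn: sqlite3.Connection, since: str) -> List[Tuple[str, str, float]]:
    """Segregation-of-duties check: the same user both created and approved one payment.
    Returns (user, record_id, amount) for each hit approved at or after `since`."""
    return conn.execute("""
        SELECT c.user, c.record_id, c.amount
        FROM activity AS c
        JOIN activity AS a
          ON a.record_id = c.record_id
         AND a.action = 'approve_payment'
         AND a.user = c.user
        WHERE c.action = 'create_payment'
          AND a.ts >= ?
        ORDER BY a.ts
    """, (since,)).fetchall()


def find_off_hours_changes(conn: sqlite3.Connection, since: str,
                           start_hour: int = 6, end_hour: int = 22) -> List[Tuple[str, str, str, str]]:
    """Sensitive actions performed outside the business window [start_hour, end_hour).
    Returns (user, action, record_id, ts) for each hit at or after `since`."""
    placeholders = ",".join("?" * len(SENSITIVE_ACTIONS))
    return conn.execute(f"""
        SELECT user, action, record_id, ts
        FROM activity
        WHERE ts >= ?
          AND action IN ({placeholders})
          AND (CAST(strftime('%H', ts) AS INTEGER) < ?
               OR CAST(strftime('%H', ts) AS INTEGER) >= ?)
        ORDER BY ts
    """, (since, *SENSITIVE_ACTIONS, start_hour, end_hour)).fetchall()


def run_checks(conn: sqlite3.Connection, since: str) -> dict:
    """Run every check once and return the hits keyed by check name."""
    return {
        "self_approvals": find_self_approvals(conn, since),
        "off_hours_changes": find_off_hours_changes(conn, since),
    }


if __name__ == "__main__":
    conn = build_sample_db()
    for name, hits in run_checks(conn, since="2010-08-01 00:00:00").items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample rows the first check flags carol on P101 and the second flags dave's vendor bank change at 02:13. Both queries are bounded by `since` and supported by indexes, which is the usual answer to the “it would degrade performance” objection; running them against a read replica, where one exists, removes the concern entirely. The self-approval check is also a good illustration of why “we already have controls” is not the end of the discussion: a control can exist on paper and still be bypassed in the data.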
End users ultimately want their information to be secure. Audit and security professionals know this. The challenge ahead is to convince IT management that security is good for IT management. Securabit has given you some ammunition. Now go out there and implement encryption, secure coding practices, and monitoring.
Monday, August 9, 2010