Sunday, March 9, 2008

Security Philosophy

What should be the general philosophy when dealing with security issues? Here are some thoughts.

Perform a risk analysis
Even before one invests in security, one needs to know what the possible threats and risks of the environment are. An analogy: know the doors and windows of your house; those are the places that need securing first. In practice this means an inventory of the assets worth protecting and of the ways in, ranked by how likely an attack is and how much damage it would do, so that the first money is spent where it matters most.

Less is more
A network with fewer access points is more secure. Every access point added to the network should be justified against business ROI, convenience and security, because each desktop, laptop and network access point is a potential way in for an attacker. In general, network access points are the easier part to secure: they are centralized and there are not many of them. As long as one follows the standard procedures for locking down network devices (access controls, minimal privileges, firewalls, patching and so on), one can be reasonably confident that they are secure.

The more troubling piece is the desktops and laptops under user control. It is harder to control user behaviour: which sites they visit, which software they download and where they carry their laptops. An organizational policy helps define acceptable behaviour, but humans are fallible, and ultimately one has to deal with lapses in judgment by people in the organization. No matter how many layers of security are present, one has to be prepared for the worst case, which is a compromised machine already inside the network.

Simple is better
Prefer a product that is simple to manage and understand and that does a few tasks (preferably one or two) well. A product with lots of bells and whistles that claims to be everything to everyone has a high probability of hiding security problems. Complexity is the enemy of security: the more complex the product, the larger its attack surface and the harder it becomes to make a verifiable claim about its security.

Educate users
Ignorance is the worst enemy; education is the best friend. The state of a society is directly related to the education level of its population: educated people are better citizens and build a better society. The same is true for security. People who are educated about security risks, how to avoid them and how to handle them when they do materialize are better for the organization: they are more likely to avoid situations that lead to compromise and are better equipped to deal with the consequences when a compromise does occur. Unfortunately, security education is not a one-time thing; it needs to be reinforced with employees on an ongoing basis. Any effective organization has continuous training programs to improve skill levels and prepare employees for new challenges. Security awareness must be part of such programs, so that employees stay aware of its importance and it does not become an afterthought. Security is an inherent part of every functional job responsibility, and each and every employee must know and live up to this ideal.

Be conservative
Technological innovations make life convenient and increase productivity. In the security world, however, the best strategy is not to rely on bleeding-edge technologies and the newest products. Any technology product takes time to mature, and security products are no exception: until a technology or product has been proven in the wild for a considerable length of time (each organization will have its own comfort level), it is likely to keep evolving and fixing security issues on an ongoing basis. Unless the new technology or product fulfils an immediate need or plugs a gaping hole that cannot otherwise be fixed, ripping out the old wares should wait a while.

Look for the best class of support
When security incidents do happen, can you rely on your vendors' customer support to fix the issues in their wares? It is not a good idea to skimp on the best class of support when it comes to security, and it is worth checking what response time the support contract actually commits to before you need it. What good is being penny wise and pound foolish if valuable data is compromised?

Perform regular audit
What is the use of building all the security protections if no one checks whether those protections are effective? It is important to periodically audit systems and review logs, both to identify any security breaches and to keep track of users' activities. A review that finds nothing only means something if the logs are complete and cannot be altered by the very intruder being looked for, so collect them centrally and retain them for long enough to cover the review interval.
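As an added example (not code from the original post), here is a minimal periodic log review in Python. It scans OpenSSH-style auth log lines for password guessing: a source that fails repeatedly within a time window is flagged, and the more important case, a login that succeeds from the same source right after such a burst, is flagged as a possible compromise. The sample log lines are constructed for the example, and the threshold of four failures and the five-minute window are assumptions to tune for your own environment.

```python
"""Minimal log review for password-guessing activity (added example).

- counts failed password attempts per source IP inside a sliding window
- reports a source once its failures reach a threshold
- reports a successful login that follows such a burst from the same source
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the traditional syslog format sshd writes.
SAMPLE_LOG = """\
Mar  9 10:00:01 host sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  9 10:00:03 host sshd[4013]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  9 10:00:04 host sshd[4015]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  9 10:00:06 host sshd[4017]: Failed password for root from 203.0.113.7 port 50128 ssh2
Mar  9 10:00:08 host sshd[4019]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  9 10:00:09 host sshd[4021]: Accepted password for root from 203.0.113.7 port 50132 ssh2
Mar  9 10:15:00 host sshd[4101]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Mar  9 10:15:30 host sshd[4103]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
Mar  9 11:00:00 host sshd[4201]: Failed password for bob from 192.0.2.9 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2008):
    """Return (timestamp, result, user, ip), or None for lines we do not review.

    Syslog lines carry no year, so the caller supplies one (assumed 2008 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def review(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return a list of (ip, finding) tuples that deserve a human's attention.

    threshold and window are assumed values for illustration.
    """
    recent_failures = defaultdict(list)  # ip -> timestamps of failures still in window
    reported = set()                     # sources already reported for guessing
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        # Forget failures that have aged out of the window for this source.
        recent_failures[ip] = [t for t in recent_failures[ip] if t >= ts - window]
        if result == "Failed":
            recent_failures[ip].append(ts)
            if len(recent_failures[ip]) >= threshold and ip not in reported:
                reported.add(ip)
                findings.append((ip, f"{len(recent_failures[ip])} failed logins within {window}"))
        elif len(recent_failures[ip]) >= threshold:
            # A success right after a burst of failures is the case to escalate.
            findings.append((ip, f"successful login as {user} after "
                                 f"{len(recent_failures[ip])} failures: possible compromise"))
    return findings


if __name__ == "__main__":
    for ip, finding in review(SAMPLE_LOG):
        print(f"{ip}: {finding}")
```

Run against the sample it reports the guessing burst from 203.0.113.7 and then the root login that followed it, while alice's single typo followed by a key-based login stays quiet. On a real system the same logic would run over the centrally collected log for the review period rather than an inline string.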
