Stick and ... stick: information security in the enterprise

Hello, dear radio listeners, managers, programmers, admins and everyone else. Today I want to talk about a painful topic that periodically gives me a sharp toothache: information security in the enterprise.

What is information security (InfoSec) at a large enterprise, or even a bank? A hot cocktail of regulations, densely flavored with prohibitions on everything and everyone, with threats of punishment added to taste. What does an ordinary system administrator do to prevent unauthorized access? Forbids everything that is not explicitly permitted. What does an ordinary security officer do? Prohibits everything in general, right up to the border (and often beyond it) of common sense and of any possibility of the enterprise actually functioning. Along the way, a huge pile of tedious threat descriptions, regulations (boredom!) and other intimidating documents is produced, all of which boil down to one simple thought: "IF ANYTHING HAPPENS, WE WARNED YOU!" The result is a situation where the security department defines the risks but bears no responsibility for them; the responsibility is borne by the employees. Yet managers cannot neglect this murky topic, so every process in the enterprise ends up wrapped in security approvals, and security becomes a narrow bottleneck whose width directly determines the speed at which the business as a whole can move.

That is the end of the hot and burning part of this opus; I did not write it for the sake of emotion, so let me switch to something constructive. Anyone who has run into this will understand and could add plenty of their own. What I want to talk about now is what to do about it. After all, the foundation of enterprise information security is an extremely constructive and reasonable goal: preventing data leaks, which can later come back to hit the enterprise itself, often very painfully. Here it is worth considering not only (and not so much) financial risks as reputational and other risks, which would undoubtedly materialize, someday, perhaps, maybe, maybe, maybe.

The main cases that InfoSec is trying to cover, in my short-sighted view, are:
1. Preventing UA (unauthorized access; we are talking about InfoSec, so we will be using thousands of abbreviations) to all kinds of DBs, storage systems, servers (I don't know how to abbreviate those), and rooms containing servers and DBs. This is the main function of InfoSec, and they cope with it very well. Huge clouds of hardware and software built for exactly this purpose do a fine job of preventing unauthorized access and of catching and investigating security incidents.

2. Restricting UA "from outside". Here everything is clear. With the hardware and software systems from point 1, solving these typical tasks is not difficult.

3. Restricting UA "from the inside" of the organization to everything listed in point 1. Here I will go into somewhat more detail, since the main UA threat in InfoSec terms, the enterprise's own employee, dominates as a potential threat. First of all, access to this equipment is needed by admins of all stripes, by programmers and/or analysts, and sometimes directly by the business, which uses some software to crunch data, reports and whatever else it, the business, needs. Strangely enough, the level of difficulty and trouble created by InfoSec here is not so high: admins need access for their admin magic, analysts usually just work in the software the admins installed, and the business "said it was needed, so it is needed" and was given access, because InfoSec works for the business and not the other way around. The ones who suffer most are the developers, who maintain servers, obscure software and obscure home-grown software, and who need the data to be live while doing it. All of this falls under the hand-written regulations and assorted acts, orders, norms, threats and risks that the security people themselves wrote up in the course of their work. This is where the bottleneck effect kicks in: while the developers, together with the managers, work through (if it is even possible) all these endless approvals, the business waits. I myself have fallen into the trap of a carte blanche for InfoSec, because I had not thought through the mechanism for escalating and assessing risks, because grasping and understanding this whole layer of information threats, which, mind you, spans almost the entire range of IT disciplines, is simply impossible.

The ways out of this situation that I see (invented, felt out):

1. The first and main one: the possibility for the head of a business unit to accept the risk themselves when something they ordered has stalled on the difficulty of getting it approved by the security people. Very often a business needs tools that must quickly implement / test some idea or concept of a manager. These targeted, acupuncture-style shots can be very effective and useful for business tasks. And while the question of yet another long-drawn-out equipment purchase can be solved by turning to a hosting provider, the question of information security then arises in full force: the data to be processed lives in internal systems and must be transferred to external ones. There are two options here: a very long one, and a fast, unlawful one. I don't think I need to explain which option is used more often by people who need to get the task done.

2. Drawing up / trimming down the list of critical resources and building a VERY well protected layer between those super-protected systems and everything else. Here there is room to deploy the full width and power of InfoSec. Surely this is done often, but the list of threats InfoSec tries to embrace is so huge that the security officers themselves would choke (which often happens) if even half of them were closed off according to the protection rules and regulations. The remaining systems should be limited by standard means, antivirus and domain security policies, but without prejudice to functionality.

3. Simplifying the procedure for approving exceptions to their own restrictions. After all, the approvals will be granted anyway, because they are "necessary", but this would save the hectoliters of blood spilled on the battlefields of approvals.

In conclusion, I would like to express my gratitude to those adequate, intelligent and flexible security people whom I have yet to meet.

With love, hate and understanding,
%employee%

Source: https://habr.com/ru/post/251341/
