IT-security covers security of your Information Technology. A natural subset of IT-security is Information security; secure your information – in this context – as part of an IT-system. I often argue that nothing is as easy to sell as fear. Fear of anything. Fear of lacking IT security and Information Security is no different. It is an easy sell. You just open with the line “are you really sure your data is secure – because I think it might not be?” Deal! Show me! Help me!
In my opinion these are the obvious IT-security hygienic must haves:
- make sure you really authenticate users
- have order in your authorization processes
- keep your computers clean from unwanted software
But beyond the obvious IT-security must haves - the delivered “Show me”, “Help me” very seldom comes to any real practical effect – other than “you should not have data worth stealing – and if you do – you should not let anyone come near it – not even your staff”. Well Thank you Mr. IT-security expert. Really not helpful.
I have experience from business, government and military – the latter two take IT security painfully serious. That does not automatically equal that they are safe. But they spend a lot of effort aiming to be safe.
There is a tradeoff between protecting data – and making it easy for the trusted users to work with data. You must find a level in this tradeoff that reduce risk and does not come in the way of work. There is no such thing as eliminating risk. Trying to eliminate risk will paralyze you and then you will get nothing done. Decide what risk level that is acceptable – and note that this level may be different for different types of data that you have. The risk level may also vary not only on data type and data value but also on data aggregation; you want to protect the whole of the data more than the individual parts.
The basics of IT security
It is pretty simple really – think of a PC as a piece of luggage on the airport. “Sir did you pack this bag yourself? Have you watched over it all the time since you closed it? Can you assure there is nothing in here you received from others?” When it comes to your laptop – or the laptop you got from work you must say “No!” So your computer is not to be trusted. Period. This does not mean that there is anything wrong with it – but we cannot be sure. It is easy to sell this kind of fear.
When it comes to the servers for your company that are placed under lock and key – patched and maintained by educated personnel – we might say “well we sure hope we did not receive anything we did not want”. So your servers might be safe – and they are easier to trust than user-pc’s.
IT departments will try to toughen your PC up. Again with the luggage metaphor – they might make it solid – making it impossible to store anything inside. Safer – but you are not helped by a solid piece of luggage – or a computer you cannot store anything in. And anything in between fully functional and solid is possible – but they can only do so much – and almost anything they do limits the degrees of freedom you have with the computer.
The IT department is most afraid that your computer contains Trojan software that infects others at work – and increase the threat against the servers. Trojans can act as beach-heads inside your company from were hackers have a line of sight to your servers. Trojans may also be a nuance or even hold your computer for ransom – but a professional attacking Trojan says nothing - it just steal your data – for weeks – or years.
Once infected it is really hard to trust a complex IT environment again because there are so many places where the Trojans may “hide” during cleaning. The cleaning will be really expensive – and this motivates high precautions to avoid infection. But this text will not deal with that kind of IT-security. I just had to state the facts – to make sure we are on the same page. This text is how we should build systems in this corrosive and hostile environment in order to control the risk as we expose our data for authorized users.