October 18, 1999
TechView:
My favorite useless axiom is that the only secure computer is one that's never turned on. Scarcely a single IT security conference takes place without one or more speakers making this assertion. Are these speakers fear-mongering to get our attention? Of course, but the statement is only a slight exaggeration.
Exaggeration or not, it's a useless observation. Very few businesses can afford to keep all of their confidential information locked up on a "secure" system--say, a centralized server whose only connections to its users are diskless workstations. Companies that rigidly adhere to this notion of security are almost certainly the kind of corporate dinosaurs that well-integrated, fast-moving companies were supposed to make extinct in the 1990s. Light-footed companies have empowered their workforces with more information, much of it confidential. Particularly nimble companies have even integrated their business partners through extranets so they, too, can tap the power of widely disseminated information. In the process of rolling out these technologies, IT departments generally review their security policies: Are password policies enforced by the network logon service? Are firewalls properly configured? Does the intrusion-detection system really beep pagers when something's amiss?
Unfortunately, all of these security technologies miss the point. The real key to keeping your data private is managing the behavior of your users, and that's just the sort of thing most IT departments aren't very good at. People, after all, are nondeterministic. Last year, I was visiting a company that kept much of its confidential information "locked up" in a system that was accessed through a terminal server. The arrangement was an attempt to keep certain information out of E-mail and off diskettes by preventing users from saving it locally. I watched in horror, however, as one employee screen-scraped part of a summary report into Excel because she wanted to check the ratio of certain values in the report. She wasn't doing anything nefarious, but in the process she saved her worksheet (as the help desk had often reminded her to do, albeit in other contexts). The system prevented users from saving files, but it couldn't stop them from copying what was on the screen: anything a user can read can be retyped or pasted somewhere the controls don't reach. Suddenly the system didn't look so secure.
Poorly articulated and incomplete policies also affect IT staffs. While I've never pretended to be a security expert, it's obvious to me that a really expensive network-monitoring system that pages the appropriate on-call IT person in the event of an apparent breach won't do much good if that person doesn't know how to respond. Should he immediately shut the network down? Phone the police? Just what is supposed to happen? If the answer isn't worked out before the pager goes off, the monitoring system has bought you an alert and nothing more.
No matter what technical restrictions you put in place, you'll never secure your data unless your workforce understands what's risky and where to draw the line. No policy statement you can concoct will make your data safe enough on its own. What's needed is a process, repeated often and in ways appropriate to your company's culture. Users must believe in, not just know, your security policy. Strictly speaking, that's not an information technology issue, but your well-implemented security technology is for naught without it.