Don Jones

Tech | Career | Musings

There’s an enormous problem inside some organizations where, whether this is just perceived or actually true, the InfoSec team “maintains” security by “just saying no to everything.”

Obviously, no business can survive if one component of itself is simply shutting down all initiatives willy-nilly. “No” isn’t a security position; it’s a death knell. And, if you work for a company where this is really, really true, you should maybe evaluate your career choices. It doesn’t make sense for good IT people to work at that kind of organization, and if the answer is always “no” anyway, they don’t actually need you. InfoSec should say, “yes – but.” Meaning, they should be taking the time to understand why something is necessary to the business, understand how it works and what its vulnerabilities are, and understand how to safely and securely introduce it to the business.

However.

Just as many IT Ops people are not experts in the InfoSec disciplines like auditing, forensics, pen testing, incident detection and response, and so on, many InfoSec people are not familiar with the intimate details of Ops technologies, what their business benefits might be, or how they work under the hood. This is why everyone needs to work as a team to make these decisions.

“Hey, we’d like to implement PowerShell Remoting. It uses WS-MAN.”

“Why?”

“It’s better!!!”

“No.”

Totally understandable conversation, actually. It should have gone like this:

“Why?”

“It’s massively lower-weight in terms of server overhead, and unlike RDP it’ll trigger less mandatory restarting of servers – so we get better availability.”

“How’s it work?”

“It runs over a single port, and we should have a requirement that that port be HTTPS. Credentials are delegated across that connection – no clear-text passwords! – and I can show you how we’d enable full-text auditing of everything admins do via that channel. It’s actually a lot more auditable and locked-down than RDP.”

“OK, let’s look.”

If you present a valid business case, and then can work together to understand how the technology works, then you’re doing it right. “We need to understand the encryption used” isn’t a challenge you need to defend. The proper response is, “yeah, we do! I don’t know a ton about encryption – can we dig into this together?” Encourage that teamwork. Nobody should be on the defensive or offensive – you’re all supposed to be working for the same team. Too many times, though, the Ops folks I’ve seen go down this road – with anything, not just PowerShell Remoting – aren’t taking a team approach, and they’re not making a business case.

And let’s say you do start the conversation right, with a business-level justification (with some numbers, please – businesses understand numbers). You do go in as a team player. If you still get needlessly rebuffed without even a fair hearing, and without a reasonable justification (“yeah, not now – we’re busy recovering from the 10M user accounts that were compromised last week, k?”), then…

Evaluate your career choices. Ask yourself why you’re so broken inside that you’d work for a dysfunctional situation.

One thought on “Security Can’t Just be “No.”

What do you think?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: