Is Data Security Your Enemy?

As of late, our Data Security resembles more of the TSA at airports than a legitimate IT asset.

We recently had to fight security to have access to our Orion Application Servers...you know things like advanced alerts and report scheduling. They insisted it was a poor understanding of security that led our vendor to write an application in a way that someone would need access to a server to administer it. OF course my counter is that it is a lack of understanding that the team who owns the server and the application would be denied access. They, however, were willing to give us access via an atrocious program called Password Vault.

We are now having to fight a battle to monitor our new RSA appliances, because our Security team says it compromises RSA to give us access into the appliance. I again say this is an issue of our security either just being those kids that were beat up in school and now feel big and bad with their TSA badges (Authority). Either that or they have no concept of SNMP v3.

I am curious, are we the only ones with Data Security like this? Is this a common problem or indicative of some cyber bullies on our part?

Find more posts tagged with

lem12345

syman12345

Accepted answers

All comments

tbonner

There is always a balancing act between security and usability. The most secure systems are those disconnected from the network, powered off and locked in a vault, but they are also useless. I fight our IS people almost daily, but luckily I administer the firewalls so I usually win .

It sounds like your Data Security people might be a tad over-enthusiastic, but not atypical.

RichardLetts

I think that you might need to build some personal relationships with them. the CISO here (Kirk Bailey, founder of the Agora security forum) has spoken extensively on the importance of building strong personal relationships between security folks. Part of the relationship building process might be to invite them to conversations with your NMS vendor so they can make sure their views reach the product/account managers.

In another life I worked with the security folks to get the organization PCI certification (and re-certification), and SW was a key element to that (the NCM policy engine in particular). After helping them out they are then much more willing to help me out, after all we're all on the same team: protecting access to resource regardless of if the cause was malicious, random, or care.