cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

Where are you managing organizational risk?

Level 13

In my last post, we talked about the Business going outside of your I.T. controls and self-provisioning Software as a Service solutio.... Most of you were horrified and could identify a number of internal policies that a SaaS solution wouldn’t comply with. You understood that these policies are there to protect the organization’s confidential information or intellectual property, so why is it so hard for the Business to grasp those implications?

I’ve recently just finished reading “The Phoenix Project” by Gene Kim, Kevin Behr and George Spafford. Actually, I couldn’t put it down.

One of the characters is an over-zealous Chief Security Officer who wants to tie I.T. down so tightly, to meet every point in a third-party security audit. In reality, the business actually has processes and procedures in place in the finance department that mean that these controls in the I.T. system are actually unnecessary.

In fact, it made better business sense for a human responsible for the money in the organization to watch out for these red flags instead of coding the computer systems to do it. I’m not saying that’s going to be the case in every situation, and I.T. controls certainly have their place in mitigating organizational risk, but do they have to prevent every possible risk?

The UK government’s Centre for Protection of National Infrastructure (CESG) is now advising that passwords should only be changed ‘on indication or suspicion of compromise’, throwing the old 30 day or 90 day expiry out of the window. While that seems insane, they say regular password changes force people to store them somewhere to remember them or re-use the same base with a minor variation.

Tough I.T. controls or policies can often lead to people inventing workarounds. I can bet you that someone in the organization has given their password out to a co-worker because they were away sick, and it was quicker than asking I.T. to sort out delegated access to their mailbox. Or perhaps they ran late at a meeting and someone needed to unlock their computer.

If you could wave a magic wand, what I.T. policies or controls would you relax to make life easier for you and the end users? Could you do this and retain (or even improve) the security and stability of your systems? Or is this all just crazy talk and you should be locking down your systems even more?

Let me know your thoughts!

-SCuffy

20 Comments
Level 14

I would relax the password policy.  Every 60 days is a bit much.

Level 14

I completely agree with this.  As far as passwords go, this is exactly what is happening.  You create a base password and then do a small variation during the password change.  It is the only way to keep up with what the password might be.  We have too many passwords to remember.  I could definitely see why this policy would have been changed there and why others should look into doing so.  I also believe that some of the security guidelines are a bit overboard and non-productive.  Another good one is the changing of passwords for service accounts.  This is a controlled password that should only be changed when there is a valid need. 

MVP
MVP

As much as part of me screams no...I think relaxing the time periods before a change is required would be acceptable.

Allowing a small change in the password may be workable...

A previous employer of mine required password changes every 180 days, in addition to anytime problems were suspected.  That period was determined to be the sweet spot for employees remembering how to do it, compared to how much trouble it was to retrain them and deal with a multitude of Help Desk issues.

You ask how we'd "Relax controls" to make life easier?  We're not to the point where controls are overbearing, IMHO.

My magic wand would enforce uniform policy compliance across all employees without exception.  We have plenty of policies; waving that particular wand would resolve much.

But hey, since it IS a "MAGIC WAND", with theoretically great power, why not wave it and change human nature everywhere?  If you do it properly, security wouldn't be required, right?  No one would do things deemed inappropriate by everyone.  Ha!

Level 10

This is a wonderful subject and very interesting too scuff . It controls/policies can really be tough. Sometimes we do not adhere to all of them. It all boils down to how secure we can be.

At my company I would definitely tighten the Security belt, specifically around my IT administrators. Today they have free reign across the enterprise with very little in regards to audit trails. Also, application owners are able to RDP directly to the servers for administration purposes. GASP! That concept is so foreign to me.

   I would like to be able lock down access to infrastructure and audit the steps & commands the administrators conduct when accessing said infrastructure.

Take that bad example to the next level:  I've seen one company that not only allows end users to RDP to their servers, they require them to do so to run the applications right on the servers.

Heaven forbid a server could share a nicely designed web application to a few dozen employees securely, without them using up all its resources for RDP sessions.

Level 13

Bring on fingerprint recognition for all the things! Interesting that you mention service accounts. I take it those are changed regularly in your organization?

Level 13

Totally understand! Growing up in a bank's IT department, password changing is such a habit. Mind you, we did have a large data security department that was always busy resetting passwords and unlocking accounts.

Level 13

Sounds like a happy medium. And agree, policy 'exemptions' are so frustrating, or 50 different policies all with a slight variation!

Now that would really be magic!! Sadly the greed gene is strong in some.

Level 13

Eeek. And a lot of people are worried this is where we are heading with devops. Have you looked into any auditing tools or is it not worth it because it will never happen?

Level 13

RDP is so endemic in a lot of large organisations. It was the first real attempt at 'virtualization' so we didn't have to install apps on every desktop or so people could work remotely. I think once it's in there, the RDP architecture is rarely looked at again, let alone considering alternatives. It might be a case of 'if it ain't broke, don't fix it' .. until it suffers from a security breach.

Level 20

Sometimes I wish more people would manage risk... sometimes it's crazy.

Level 21

It's not the password policy that's the problem, it's that we are still using passwords and relying only on passwords.  At this point there isn't any reason to not be moving to a two-factor model in just about every case. With a 2 factor model you wouldn't need to require passwords be changed on a regular basis.  Personally I would prefer to move to a system that uses my fingerprint and followed by an RSA token making for a 2 factor system that doesn't require me to remember a password at all.

Level 13

Yes, we get so busy managing systems or managing processes that it's easy to lose sight of why and what the actual risks are.

Level 13

I'd love for every system to support fingerprint login. Know of many Enterprises that enforce 2FA? We used to have a third party system for RSA token access to remote sessions when we were off the corporate network.

MVP
MVP

I wish that I only had 1 username and password to remember. I have some written down as I don't use them very often. But as others have said, I always have the same password but just increment a number at the end. We get forced to change our AD password every 90 days (so that's not too bad) but my accounts on the managed services devices expire after 30 days (that's a pain).

I love the security some users employ, they have a post-it note stuck to their screen with their username and password on it. Brilliant security. We have have the tightest of tight rules but it's easily infiltrated by the old post-it note.

I've seen that security employed where a remote user with one of our PC's--located inside a different business--occasionally needed to connect via a site-to-site VPN tunnel to our corporate office.  Everyone in that remote business's office regularly saw the credentials on the post-it note, and would log into our company as that user, at need.

Uffda!

Level 13

That's a whole other story - different password expirations, different password quality and length across multiple systems. No wonder passwords can be a nightmare!

Level 13

Security for the win!!