Saturday, October 22, 2011

Security Fascists

I know that security has become a caveat for everyone in the computing industry, but there is a point when the ridiculous nature of uber security becomes intrusive and threatening. In the past unprepared banking and investment firms were hit hard by curious hackers and more malevolent criminals intent on stealing identities and funds. The industry's response has been to enlist the services of many of these very same hackers and to give them the keys to the security kingdom. Since they were successful in breaking into networks and protected servers, the CEOs reason, why not let them harden the protective layers to make future hacking improbable, if not impossible? What seems like convoluted logic has led to the most stringent of security practices being exacted on the masses, although the first line of unfortunate victims is usually the network administrators charged with protecting their firms through their own best security practices. Usually, these new security requisites can be logical and understandable. Such good security practices as locking the server room to keep workers' paws off the servers makes good sense. Increasing the length and complexity of passwords is also a common requirement, much to the chagrin of office workers who want to keep it simple like "password" or "fido." Having passwords change frequently seems like another good idea on face value, but in reality having secretaries and mid-level managers create their own passwords is a nightmare (usually they don't reach complexity or length on the first or even second attempts). Having the network administrator charged with keeping the ever-changing password list is also not very feasible, considering everything else he has to keep straight. If all of this isn't enough to drive a sane person crazy, then the new security practices checklist arrives in the mail and is sent from the CEO to the network administrator. Sometimes 20 or more pages, the security inquiries are in fact a questionnaire that determines the level of security enforced at the site. There's only one problem: one size fits all. According to these security fascists, who are intractable when it comes to asking for dispensation or special allowances, a security threat at a small firm carries with it the same weight as one at a major banking firm. Thus, everyone who has to answer their inquiries is put to the test as to how much they can put up with until they turn to these specialists and yell uncle. Recently, a firm hired to maintain levels of compliance for credit cards insisted they be "whitelisted" for the firewall and security device located at a client's office. This was because they were having trouble doing scans on the traffic being passed at the site and they wanted to investigate the traffic more deeply. In other words the device was working too well to keep them - and by extension others - from entering or possibly hacking the site. Other new requirements for VPNs (virtual private networks used for offices to pass traffic to remote sites or for telecomputing from home) include adding special characters (like $,#and @) to passwords between routers that already have extremely high levels of encryption. It is overkill on top of overkill and there seems no end in sight for this madness. Sure, I'm for good security practices. I believe in them. It's just these new restrictions are not breeding any confidence in me that the networks I am responsible for are truly more secure. They're just more complex and more difficult to maintain for the same remuneration. If only I could charge the so-called security experts for my additional time and effort and the costs to the networks to implement their demands.

No comments: