Pernicious Security
The rising tide of regulation, vulnerabilities, and publicity around IT security issues means more and more IT folks may find themselves going the way of Todd Acheson and Tom Reid, who were both fired after data breaches at Ohio University were exposed. Having spent time in IT, at professional services firms, and at vendors, I've heard plenty of vague allusions to people being fired, or not, over a bad or good network security decision. I wonder whether anyone is trending this data over time; I would expect that as regulation increases, so will unrequested early retirement.
It does raise the question of what techniques you can deploy to protect your network against both the relentless advance of security threats and the similarly relentless onslaught of auditors. The challenge is that these two are not necessarily aligned: what you do to satisfy your auditors may not be what your network most needs to improve its overall security. Auditors, however, have influence, and influence moves budget and staffing. That can lead to pernicious security: security that looks like a good idea but in fact takes resources away from another security initiative that would do more good.
In the NAC space I have to wonder whether posture validation is really where we ought to be spending our time. After all, host security controls can keep themselves up to date, and can enforce access restrictions on the host when they are not. Guests can be forced through a restrictive IPS device to limit the damage they can do. The basic foundation of network authentication and authorization of the user, on the other hand, is new functionality with significant new benefit: centralized, network-wide audit of access, role-based access rights, and guest management. Posture is a valuable addition on top of that user foundation, but treating it as the goal in itself seems wrong. As I've discussed before, the NAC and authenticated-networks space is hard enough without trying to solve its hardest element first.
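To make the layering argument concrete, here is an added example (not code from the original post or from any NAC product) that models a network access decision the way the paragraph above describes it: authentication maps a user to a role, the role alone decides the network segment and ACL, sponsored guests land on a segment whose only exit is through a restrictive IPS, and a posture result is an optional second input that can only narrow access, never grant it. Every decision appends to one central audit log. The user names, passwords, VLAN numbers and ACL names are constructed placeholders.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed role table (hypothetical VLAN numbers and ACL names).
ROLE_POLICY = {
    "employee":   {"vlan": 10, "acl": "corp-full"},
    "contractor": {"vlan": 20, "acl": "corp-limited"},
    # Guests always land on a segment whose only exit is through a restrictive IPS.
    "guest":      {"vlan": 99, "acl": "guest-via-ips"},
}
# Segment a posture failure narrows a managed user down to.
QUARANTINE = {"vlan": 666, "acl": "remediation-only"}

# Constructed identity store: username -> (password, role). Hypothetical users.
USERS = {
    "alice": ("correct-horse", "employee"),
    "bob":   ("battery-staple", "contractor"),
}


@dataclass(frozen=True)
class Decision:
    user: str
    role: Optional[str]   # None when authentication failed
    vlan: Optional[int]   # None means no network access at all
    acl: str
    reason: str


# One append per decision: the centralized, network-wide audit trail.
AUDIT_LOG: List[Decision] = []


def authenticate(user: str, password: str, sponsored_guest: bool = False) -> Optional[str]:
    """Map credentials to a role. Sponsored guests get the 'guest' role without
    a directory account; anyone with an account must present a valid password."""
    if sponsored_guest and user not in USERS:
        return "guest"
    entry = USERS.get(user)
    if entry is not None and hmac.compare_digest(entry[0], password):
        return entry[1]
    return None


def authorize(user: str, password: str = "", posture_ok: Optional[bool] = None,
              sponsored_guest: bool = False) -> Decision:
    """Role decides the baseline; posture (if evaluated at all) can only narrow it."""
    role = authenticate(user, password, sponsored_guest)
    if role is None:
        # Posture never matters for an unauthenticated session: there is no
        # identity to attach a policy to, so the answer is always deny.
        decision = Decision(user, None, None, "deny-all", "authentication failed")
    else:
        policy = ROLE_POLICY[role]
        if posture_ok is False:
            decision = Decision(user, role, QUARANTINE["vlan"], QUARANTINE["acl"],
                                f"role={role}; posture failed, narrowed to remediation")
        else:
            note = "posture not evaluated" if posture_ok is None else "posture passed"
            decision = Decision(user, role, policy["vlan"], policy["acl"],
                                f"role={role}; {note}")
    AUDIT_LOG.append(decision)
    return decision


def audit_for(user: str) -> List[Decision]:
    """Central query: every decision ever made for one identity."""
    return [d for d in AUDIT_LOG if d.user == user]


if __name__ == "__main__":
    for d in (authorize("alice", "correct-horse"),
              authorize("alice", "correct-horse", posture_ok=False),
              authorize("bob", "wrong", posture_ok=True),
              authorize("visitor", sponsored_guest=True)):
        print(d)
```

The point the model makes is that a passing posture check adds nothing without the identity layer underneath it (`bob` with a wrong password is denied regardless of posture), a guest is contained by role alone, and the audit trail exists the moment authentication does, before any posture agent is deployed.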
Technorati Tags: NAC, regulation