In my last article I briefly discussed the three key components, or the "3 P's," of information security: perimeter, people and policies. We will start this month with perimeter and with how vulnerabilities exist both inside and outside your company.
I am constantly trying to develop analogies to help people understand complex security issues. In my arsenal of responses to security questions I tend to rely on a single analogy to illustrate a variety of issues.
Imagine that your network is a building. Whether the building is large or small, simple or complex, every building has at least one door. After all, a building without any way to get into it wouldn't be of much use to anyone. Your network is the same way. To be useful, every network must have some way for users to get onto it. This illustrates the point that network security isn't about keeping everyone out; it's about letting in the people you want in and keeping everyone else out.
I've even taken the building analogy so far as to explain the difference between potential and confirmed vulnerabilities, as well as penetration testing, through a series of rock-throwing analogies. Although the analogy seems overly simplistic, I've found that it gets the point across.
Recently, I came to the realization that my simple analogy was just a bit too simple. Indeed, it would be nice if the digital information world were as simple as having an outside "internet" and an inside "trusted network." The truth is, your organization's building, like its network, needs multiple layers of boundaries and perimeters to function. Think about the barriers that your employees pass through every morning before they can begin working. There's the entrance to the building, which may even be a special employee-only entrance. Then they may pass through doors separating different groups of employees from one another. They may even have to pass by a receptionist.
The point is that your network also requires multiple layers of complementary controls to protect vital areas such as the network, the operating system, the application, and compartmentalized data (HR, Accounting, research, etc.). Thus, effective security must do more than keep unauthorized users out; it must also keep authorized users where they are authorized to be.
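The layered checks described above, as an added example in Python (not code from the original column): each layer, perimeter, host, application and data compartment, gets an independent veto, so an authenticated insider who walks past the first three is still turned away at data he is not cleared for. Every subnet, account, role and compartment name here is constructed for illustration.

```python
"""Layered, deny-by-default access decisions.

Added example, not code from the original column. Every subnet, account,
role and data compartment below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Layer 1, the perimeter: source networks allowed to reach the service at all.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed "inside" range

# Layer 2, the operating system: accounts that exist on the host and are enabled.
HOST_ACCOUNTS: Dict[str, bool] = {"alice": True, "bob": True, "dave": True, "mallory": False}

# Layer 3, the application: roles the application recognises for each account.
# "dave" has a host account but no application role.
APP_ROLES: Dict[str, Set[str]] = {"alice": {"hr_analyst"}, "bob": {"engineer"}}

# Layer 4, compartmentalized data: roles permitted to read each compartment.
COMPARTMENT_ACL: Dict[str, Set[str]] = {
    "hr": {"hr_analyst"},
    "accounting": {"accountant"},
    "research": {"engineer"},
}


@dataclass
class Decision:
    allowed: bool
    denied_at: Optional[str] = None  # the layer that refused, if any


def check_network(src_ip: str) -> bool:
    """Perimeter: is the request coming from an allowed source network?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in ALLOWED_SOURCE_NETS)


def check_host(user: str) -> bool:
    """Operating system: unknown or disabled accounts are refused."""
    return HOST_ACCOUNTS.get(user, False)


def check_application(user: str) -> bool:
    """Application: the account must hold at least one recognised role."""
    return bool(APP_ROLES.get(user))


def check_compartment(user: str, compartment: str) -> bool:
    """Data: one of the account's roles must be on the compartment's ACL.
    An unknown compartment has an empty ACL, so it is never readable."""
    return bool(APP_ROLES.get(user, set()) & COMPARTMENT_ACL.get(compartment, set()))


def authorize(src_ip: str, user: str, compartment: str) -> Decision:
    """Consult each layer in turn. Every layer must independently agree;
    the first refusal wins and later layers are not consulted."""
    layers: List[Tuple[str, Callable[[], bool]]] = [
        ("network", lambda: check_network(src_ip)),
        ("host", lambda: check_host(user)),
        ("application", lambda: check_application(user)),
        ("data", lambda: check_compartment(user, compartment)),
    ]
    for name, check in layers:
        if not check():
            return Decision(False, name)
    return Decision(True)


if __name__ == "__main__":
    # Constructed requests: an outsider, a disabled insider, an insider with
    # no application role, an insider in the wrong "room", and one that succeeds.
    for request in [
        ("203.0.113.7", "alice", "hr"),  # from outside the perimeter
        ("10.1.2.3", "mallory", "hr"),   # disabled account
        ("10.1.2.3", "dave", "hr"),      # host account, no application role
        ("10.1.2.3", "bob", "hr"),       # authorized user, wrong compartment
        ("10.1.2.3", "alice", "hr"),     # allowed end to end
    ]:
        print(request, authorize(*request))
```

The order of the layers also decides what a caller learns from a refusal: because the perimeter check runs before the account lookup, an outsider cannot use the service to probe which usernames exist on the host.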
Maybe a better analogy is a hotel, where you have the traditional outside threats but also multiple, more complex inside threats. That is, you have multiple rooms and guests, cleaning crews, public spaces, and adjoining rooms. I think the additional complexity of a hotel lends itself well to this analogy. How many times have you been on a business trip and unlocked the adjoining room for a trusted co-worker? Now the only question becomes: while you have secured your door, has your co-worker secured his?