Security means keeping the Bad Guys out, right? Locking down the system so that it is difficult to use and turning on SELinux. And forcing users to comply with security policies they don’t understand and which interfere with their ability to get their job done.
And, of course, defense in depth – which is often a code phrase for turning on every feature of the system related to security. After all, “you can’t be too careful!”
All this may be just a bit narrowly focused…
I’d like to explore a slightly different perspective on security – one that looks at it from a business and user perspective and which takes a holistic view of security as one of many threats to system integrity. Done properly, security is simply one part of keeping the business running.
Over the next several posts we will explore different aspects of security – starting with asking the question “why do we even have IT?”
Feedback and suggestions along the way are welcome.
Next: Creating Business Value
Well, keeping bad guys out is certainly *one* facet of “security”…and an important one…but being “secure” is multi-faceted. The security of the information managed by a system is not simply concerned with validating access, but also the integrity and availability of the information itself – quite divorced from the concerns of boogeymen infiltrators getting their paws on it 😉
Dan, we’re on the same page. There are “evil hackers” out there – but not that many good ones (thankfully!).
I’m going to be fleshing out some concepts over the next few weeks around integrating security into an overall threat matrix and look forward to your thoughts.
Russ
Infiltration is a facet of security. Another facet is leaking information: making sure a user does not share sensitive information with people who should not have access to that information.
Neville, you’re right, infiltration is a major facet of security – and one that gets a lot of attention.
Leaking information is a good point. Inadvertent leaking of information is something to address – with the understanding that consideration of Business Value (see next post) needs to be balanced with the approaches taken to avoid leaking information.
An interesting question is how to deal with information sharing where it may be legitimate. For example, assume that Bob and Alice ask for a document and you choose to share it with them. Bob has a legitimate need for the document, but Carol is just curious. I don’t see any way to prevent someone from making a legitimate mistake.
And, of course, Carol may have a legitimate need for the document tomorrow…