There has been a push in recent times for analysts to rethink security in larger systems. Security thinking has long rested on three main tenets:
- Prevention of a breach is better than a cure for it.
- Employees should only have access to what their daily job requires of them.
- Humans are the weakest link in the system.
These ideals have led security experts to restrict employee access, relentlessly block "every hole" in their systems, and lag in the adoption of new products and procedures.
Gartner research Vice President Tom Scholtz discussed these ideas at the 2015 Symposium/ITxpo in Orlando, Florida. He believes these archaic ideals (and they are ideals, given that they were and always have been unattainable goals) are not only ineffective but bad practice all around.
We have witnessed an abundance of data breaches, and an increase in news coverage of them, in the past few years. Many of these breaches occurred in organizations using exactly these old data loss prevention tactics. Another problem for "old school" security is the dramatic increase in mobile technology, which moves work off the network those controls were built around.
Locking down an employee's access has become counterproductive in many situations. If an employee is willing to produce quality work in a variety of settings, it is a bad business decision not to allow it. That same employee may find a tool in their daily life that could increase productivity for the whole company; in most current environments it could not be used until a system administrator took the time to vet and then install it. Vetting is an important step, but the delay can erode much of the product's value by the time it is in working order. Scholtz's approach is to allow all employees access to all information except where access is restricted by law. This would save a great deal of time and money by relaxing controls in many areas, and the reallocated funds would allow stronger security in the areas that actually need it.
The third tenet is undermined by the ability of the common user today. The average twenty-something employee is computer literate, so much so that a computer-illiterate adult looking for a job in almost any field is at a distinct disadvantage. Not allowing employees to make their own decisions about what risks they are willing to take is a blatant display of distrust. This concept "underestimates the value and potential of human assets," says Scholtz. Employees are the lifeblood of a company, and not trusting them wastes the talent the company is paying for. Scholtz is quoted as saying, "The traditional approach is to treat 100% of people with suspicion, even though only 2% or 3% misbehave..."
He offers a solution to these problems: real-time security checks and cross-referencing of databases to provide a "contextual, trust-based security environment". In this environment employees decide for themselves what access they require and what risks to take with new technology, while the system judges each access attempt by its context rather than by a static permission list. For example, a login from China at 3am could be checked for validity even though that employee's office is in New York: the system would find that the employee flew to China the previous morning and therefore has a plausible reason to be accessing information from the other side of the world. These measures are not cheap. Scholtz estimates that by 2020 nearly 60% of a company's security budget might be spent on these "highly-adaptive, context-aware detection and response systems", a stark increase from the 10% reported in 2012.
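The China-at-3am scenario above is a risk-scored access decision: several weak signals (foreign country, off-hours, unfamiliar device, distance since the last login) are combined and cross-referenced with data from other systems (travel bookings, the previous login) before choosing to allow, demand a second factor, or refuse. The following is an added example written for this page, not code from the article or from Gartner. The city coordinates, the travel records, the previous logins, the score weights and thresholds, and the fixed EST offset for the users' home time zone are all constructed assumptions; a real deployment would pull them from a geo-IP database, HR and expense systems, and a proper time zone database.

```python
"""Constructed example: a contextual, risk-scored login check."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed lookup tables (assumptions; a real deployment would use geo-IP and HR data).
CITY_COORDS = {"New York": (40.71, -74.01), "Boston": (42.36, -71.06), "Shanghai": (31.23, 121.47)}
HOME_COUNTRY = {"alice": "US", "bob": "US"}
EST = timezone(timedelta(hours=-5))            # fixed offset, DST ignored (assumption)
HOME_TZ = {"alice": EST, "bob": EST}

MAX_TRAVEL_SPEED_KMH = 900.0   # faster than this between two logins counts as impossible travel
STEP_UP_THRESHOLD = 20         # score at or above this requires a second factor
DENY_THRESHOLD = 60            # score at or above this is refused outright
UTC = timezone.utc


@dataclass
class LoginEvent:
    user: str
    when: datetime        # timezone-aware, UTC
    city: str
    country: str
    device_known: bool


@dataclass
class Trip:
    user: str
    country: str
    start: datetime
    end: datetime


def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points in km."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def trip_on_record(user, country, when, trips):
    """True if a travel record places the user in that country at that time."""
    return any(t.user == user and t.country == country and t.start <= when <= t.end for t in trips)


def assess_login(event, previous, trips):
    """Return (decision, score, reasons); previous is the user's last accepted login or None."""
    score, reasons = 0, []

    # Signal 1: foreign country, weighted by whether the travel system explains it.
    if event.country != HOME_COUNTRY[event.user]:
        if trip_on_record(event.user, event.country, event.when, trips):
            score += 5
            reasons.append("foreign country, travel on record")
        else:
            score += 50
            reasons.append("foreign country, no travel record")

    # Signal 2: time of day in the user's home time zone, not the server's.
    local_hour = event.when.astimezone(HOME_TZ[event.user]).hour
    if local_hour < 6 or local_hour >= 22:
        score += 10
        reasons.append(f"outside working hours ({local_hour:02d}:00 local)")

    # Signal 3: device the user has never authenticated from before.
    if not event.device_known:
        score += 20
        reasons.append("unrecognised device")

    # Signal 4: impossible travel relative to the previous accepted login.
    if previous is not None and previous.city != event.city:
        hours = (event.when - previous.when).total_seconds() / 3600
        km = distance_km(CITY_COORDS[previous.city], CITY_COORDS[event.city])
        if hours <= 0 or km / hours > MAX_TRAVEL_SPEED_KMH:
            score += 60
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")

    decision = "deny" if score >= DENY_THRESHOLD else "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return decision, score, reasons


# Constructed sample data: alice has a booked trip to China, bob does not.
TRIPS = [Trip("alice", "CN", datetime(2015, 10, 5, tzinfo=UTC), datetime(2015, 10, 12, tzinfo=UTC))]
LAST_LOGIN = {
    "alice": LoginEvent("alice", datetime(2015, 10, 5, 15, 0, tzinfo=UTC), "New York", "US", True),
    "bob": LoginEvent("bob", datetime(2015, 10, 7, 7, 0, tzinfo=UTC), "New York", "US", True),
}


def demo():
    """Run three constructed logins through the check and return their decisions."""
    cases = {
        # 08:00 UTC is 03:00 in New York; alice flew to China two days earlier.
        "alice_shanghai": LoginEvent("alice", datetime(2015, 10, 7, 8, 0, tzinfo=UTC), "Shanghai", "CN", True),
        # bob logged in from New York one hour earlier and has no trip booked.
        "bob_shanghai": LoginEvent("bob", datetime(2015, 10, 7, 8, 0, tzinfo=UTC), "Shanghai", "CN", True),
        # alice at a domestic office during the day, but from a device never seen before.
        "alice_boston_new_device": LoginEvent("alice", datetime(2015, 10, 14, 14, 0, tzinfo=UTC), "Boston", "US", False),
    }
    return {name: assess_login(ev, LAST_LOGIN[ev.user], TRIPS) for name, ev in cases.items()}


if __name__ == "__main__":
    for name, (decision, score, reasons) in demo().items():
        print(f"{name}: {decision} (score {score}) {'; '.join(reasons) or 'no risk signals'}")
```

The point of the structure is that no single signal decides the outcome. Alice's 3am login from Shanghai trips two signals but the travel record explains the location, so she is allowed in; Bob's identical-looking login has no travel record and is physically impossible given his New York login an hour before, so it is denied; a domestic daytime login from a new device is neither, and gets a second-factor prompt rather than a refusal.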
Bob Smock, VP of Security and Risk Management at Gartner, mentions a few easily overlooked pointers about system security just before he is quoted as saying IT leaders "are not the true decision-makers" on security. It is the old adage: we can tell you what is wrong, and probably how to fix or improve the situation, but we cannot make you act on it.
Original article by Johanna Ambrosio, Computer World, on the Gartner Symposium/ITxpo.