Last week I was sitting in a security and identity discussion panel at CeBIT. The MC eventually asked me, "As the sole American here, how do you feel about the immense, global betrayal of the NSA?" It was a loaded question, delivered with a wily grin. He had waited 45 minutes -- while we discussed the proper care and feeding of firewalls and information ownership -- to make it the last topic of the afternoon.
For a brief moment, my head swirled with personal feelings on the National Security Agency (NSA). I thought about how nice they'd actually been in their pavilion at RSA conference, my new radio frequency identification (RFID) enabled passport, using my virtual private network (VPN) from hotels and using remote and mobile everything to find the Internet where I could. The audience looked up from their phones when he asked the question, and I let an extra clock-cycle tick by to consider an answer. I replied, "Of course it's a betrayal, but Google and Facebook know a lot more about me, and the NSA has no profit motive." I ended with a joke about blowing the phone data intercept requirements and wanting a refund on my taxes. The crowd chuckled and I escaped being an NSA apologist.
What I didn't have time to say before Wozniak took the adjacent stage -- causing our audience to instantaneously sublimate -- is that security is bigger than the NSA. It's bigger than firewalls, mobile devices, phishing, state action or disgruntled employees. It's segmented networks, layers of security, skepticism, vigilance and begging for budget to try to keep up. A great network security practice is not applied; it's baked into everyday processes and systems.
Hardwood, steel and abstraction
If you ever have the pleasure of departing Copenhagen's beautiful airport, you'll find a great non-IT analogy for the separation of humans and security policy. Rather than posting a TSA-like agent with a flashlight at the beginning of the line to mark boarding passes with hieroglyphics, tick marks and circles, in Copenhagen you encounter automation. It's an array of slick, stainless euro-style turnstiles with glass flappy-paddles and barcode scanners with impossibly low latency. A service query decides if you pass, not a human.
Sure, there are security personnel nearby who would no doubt tackle you if you hopped a turnstile -- in a happy Danish way, of course -- but the beauty is that the system is doing one thing only and doing it consistently every single time: it's verifying you have a valid ticket, which you can't get without a passport. How many times as an admin have you wished you could shut down an unwise security request from management, but gut decision-making, or worse, escalation, ruled the day? Ask the guys at Target how that's worked out for them. How then do you bake security in so that you cover the basics, like conforming to policy and clear change management, regardless of executive "assistance"?
Snowden and the NSA to the rescue
Months of CNN- and BBC-level security coverage have CIOs thinking about security as never before. Delivering it still falls to people like you and me who have feet on the ground and are in the green-screen and firewall management dashboards. Executive pressure to generate reports for the policy team increases awareness, but does not magically make our day-to-day security actions better.
IT managers, however, have a trick up their sleeves to both soothe executive angst and improve security in a meaningful way. Clever administrative tools may be inserted at the bottom of IT, rather than ponderous, over-arching solutions at the top. If IT admins select technology that seamlessly integrates security into the day-to-day activities of network administration, there are significantly fewer security mistakes.
We make dozens, hundreds or even thousands of configuration changes during the course of a normal business day. If our tools keep an eye on policy, enable junior admins with tracked and limited control, constantly recompute dynamic alert thresholds and make change tracking a no-brainer, we're more efficient and much more secure. Imagine effortlessly unwinding a one-off firewall policy from four months back.
Build a bridge to the big shots
After many conversations with admins from many countries, I'm convinced that security -- among all other IT operations -- is the area most shaped by our relationships with senior executives. There are really only two types of IT executives: "old-school," top-down CIOs who use the power of cc lists to force change as best they know how, and more enlightened "new-school" IT execs who partner with us, the geeks in the basement.
Enlightened execs are not afraid to admit they've been out of the game for a decade and that we know more about what we're doing, or at least more about current technology and options. They're genuinely interested in our ideas on how to secure the network and what we know about the business. They know IT security doesn't happen on the top floor. It happens with us at the keyboard in the hundreds of decisions we make every day.
Executives are finally scared, and they should be. And when they're scared they mitigate risk with budget. I'm not suggesting IT admins incite panic. New hardware and larger teams never fall from the sky, but we have a unique opportunity to engage them in meaningful dialog about something they see on TV. It's a chance to get new resources to address the long list of issues already in our security assessment slide decks.
So, walk upstairs and tell them you feel their pain. And try it with an Arkansas accent; it'll break the ice.
About the author:
Patrick Hubbard is a head geek and senior technical product marketing manager at SolarWinds. With 20 years of technical expertise and IT customer perspective, his networking management experience includes work with campus, data center, storage networks, VoIP and virtualization, with a focus on application and service delivery in both Fortune 500 companies and startups in high tech, transportation, financial services and telecom industries. He can be reached at Patrick.Hubbard@solarwinds.com.