I had an interesting encounter this past week. I was called into a client meeting to discuss final details on implementing an extranet. We already had built out the Web application that was going to be exposed outside the firewall. This application was a portal where members of the board of directors could access the various documents and agendas they needed to fulfill their duties as members of the board.

The purpose of this meeting was to finalize the physical configuration of the extranet, specifically as it related to security and ease of access. We had had several meetings with senior IT staff and the business owners of the board of directors' portal content. Our original recommendation was to make use of the organization's existing SSL Secure Access VPN gateway. This was rejected as being too cumbersome.

I was told access to the portal needed to be as simple as clicking a link and entering a user name and password. Given those requirements, we proposed a couple of solutions that basically consisted of an ISA server or device outside the firewall that would provide a security layer (SSL) and a reverse proxy that would route inbound traffic to the server hosting the portal. The design included other features that serve to enhance the system further against various attacks (DOS, L7, etc.). The design wasn't the most secure system we could have delivered, but it represented a reasonable compromise based on the business rules we were provided–ease of use and reasonably secure.

The Plot Thickens

A few minutes into the meeting the corporate security manager and a number of network administrators and managers joined us. We just were starting to diagram our proposed solution on a white board. The corporate security manager interrupted us and told us in no uncertain terms our solution was unacceptable. When asked for clarification, he explained he would not support a single-factor (user name and password) system. This was very interesting because the current SSL VPN was a single-factor system. He wanted to use a two-factor system.

A single-factor system is one where a user authenticates using a single factor: a password. Authentication using a two-factor system is based on a user providing a password or PIN and a smart card or token. Certainly a two-factor system provides more security. In order to gain access to a two-factor system, it would require not only knowledge of the user's password or PIN but also possession of the smart card or token. A further refinement of two-factor authentication is to replace the smart card or token with a retinal or fingerprint scanner.

The Game Changes

Clearly we had walked into the middle of an internal political squabble. We were delivering a solution based upon business rules we had been provided (ease of use based on single-factor authentication and moderate security built on SSL, remote proxy, etc.). There were other issues raised, for example, the scrubbing of metadata from the documents provided to the board members, but the major stumbling block was the lack of two-factor authentication.

When I pointed out this really was a business decision we as a third party couldn't make, I was told it was my problem and I had to figure a way to solve it. Not a great situation, but I bill by the hour, so I will find a solution.

No Access

I am not trying to beat up on a valued client. I am merely using this discussion as an introduction to a much bigger issue surrounding security. Computing is a precise science. Security from a computer science perspective revolves around denying unauthorized access to a system and keeping the system running. It involves things such as transport security, "hardening" of systems, isolating systems from the possibility of outside attack, designing systems in such a way that protects against known or unknown vulnerabilities, preventing unauthorized access from internal users, and secure user identity.

For now, let's focus on unauthorized access. It is possible to design a system that is virtually hack-proof. The problem is the more secure a system is, the more difficult it is to access that system. A single server sitting in a locked data center with no network connections and only console access authorized using a personal key and a retinal scan is pretty secure. But it isn't very useful. Something such as that might be just the ticket for a network geek holed up in the data center to store his password information. It would not be an acceptable solution for the executive committee that was considering the due diligence accomplished around a proposed acquisition. Security models must be based on a balance between locking systems to the point where they are not useful and the need for "relative" ease of access.

No Security

Consider the current state of information control for the board of directors discussed above. The documents, collateral, and agendas are created using standard authoring tools and are stored on a laptop and a file share. They then are printed and mailed to the board members. The board members then are free to do whatever they want with them. They can read them at Starbucks or on an airplane or leave them in the back seat of their car when they go jogging at a local park. There are so many holes in the security here it might as well be called a sieve. This current scenario is balanced primarily on ease of use with little consideration about security.

Eliminating the mailing of the materials and providing them through a secure portal would appear to offer a better level of security, but it also exposes other vulnerabilities. SSL over HTTP is reasonably secure but isn't invulnerable. Public-key or private-key encryption offers more secure methods of transport. However, implementing key encryption is starting to push the balance away from ease of use.

There is one fundamental fact we must consider: The board members must have access to the material. The current practice is delivery by first-class mail, which means the material may sit unprotected in a mailbox for a day or more. Delivering that material over single-factor authentication SSL is arguably more secure than using the United States Postal Service, but even that point is debatable. Hand delivery of the material by private courier probably would be the most secure method, but that isn't the current practice.

This is the dilemma we must deal with when designing computer security systems: Is it sufficient for a computer security system to provide as much or better security than we now have, or is it necessary to provide the highest level of security possible? I certainly understand the position of the security manager. If he doesn't insist on the highest level of security attainable, then he isn't doing his job. On the other hand, the board of directors has a job, too, and that job requires access to the necessary information.

That means someone–or some committee–needs to establish a security policy that balances the needs of the organization and the desire to lock everything down so tightly it isn't usable. The decision really isn't a compromise, although it may appear to be. It truly is a business decision made after weighing the facts.

Every organization has business secrets–information that defines the products or services it sells. One organization I am familiar with keeps its secrets on paper, locked away in a safe. Another organization keeps its trade secrets on servers secured in the data center in locked cages and with access controlled by user name and password. The secret that was locked in the safe was the one that was publicly revealed.

Does that mean electronic security is better than physical security? Of course not. It means the weakest link in any security system is the human link. Physical security can be compromised by an employee just as easily as an electronic system. Once we have provided any individual with access to information, there is a potential for compromise. We may forbid the use of USB thumb drives in the organization so employees will not inadvertently (or purposefully) remove information from the premises.

But do we forbid the use of paper and pens so they cannot copy information from a P&L statement or write down their password or PIN? No–we have developed different standards for what constitutes an electronic risk and a non-electronic risk. It is perfectly acceptable to print out a document and take it with me on a business trip, but I can't take that same data on a thumb drive. Ironically, I can take my laptop with me that has all the data I might have put on the portable storage device. Different rules for different versions of the same data.

A Reasonable Proposal

So, let's circle back to our board of directors. What would constitute a reasonable solution? I would suggest that, while two-factor VPN access is the preferred method, it makes sense to favor ease of use with a simple user name and password scheme. Requiring complex and frequently changing passwords adds some additional security.

The fact is the people who are serving on the board are high-level individuals who are used to having "mundane" tasks done for them. Very secure authentication and transport mechanisms are second nature to me (and probably you), but they aren't to many C-level and above executives. Even though we live in a computer world, I have had experience with more than one CEO who had an executive assistant print all of his e-mails for reading. (I am sure those same individuals would provide their log-in credentials and tokens to those same assistants.)

Once board members have their information in electronic format, we can apply additional security to prevent them from doing anything other than reading it on a computer screen. With information rights management, we can prevent them from printing, e-mailing, modifying, or even viewing the information after a certain date. All those restrictions are not going to make the board members very happy. It will be perceived as questioning their trustworthiness–with adverse effects.

My suggestion would be to provide the board members with secure user name and password access to the information they need in Adobe PDF format. Does this mean we are compromising security for ease of use? That is most certainly the case but also is the standard most of us are used to. I access all my banking, investment, and credit card accounts using one-factor security. I access my payroll statements online the same way and download my statements as PDFs. Before that, my pay statements were placed in a slot in the mail room where anyone could grab them. I prefer the new method.

Next Steps

Having the ability to provide iron-clad electronic security does not mean we must use that iron-clad security across the board. A properly framed security policy will avoid or short-circuit political battles such as the one I described earlier. Developing proper security methodologies is just as important as developing corporate and IT governance. In fact, security policy should be a subset of corporate governance–not IT governance. There is a lot more to security than electronic security. Let's not lose focus of the big picture by focusing on restrictive electronic measures. If all corporate information technology can provide is restrictive solutions, employees and users will find ways to avoid IT solutions. IT must enable the business process–not encumber it.

Please address comments, complaints, and suggestions to the author at prolich@yahoo.com.

© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.