The Security vs. Access Paradox

There is only one foolproof way to protect your networked computer systems against electronic snooping, hackers, unauthorized access, stolen passwords, denial-of-service attacks and other security breaches … unplug them.

That clearly isn’t a practical solution. In fact, most companies these days are compelled to open their systems to people inside and outside their organizations in order to do business effectively. The evolution of modern business has created increased dependence on network-based assets for everything from e-mail and customer contacts to order fulfillment and billing.

This demand creates a challenging paradox for CIOs and IT administrators.

While networks exist for the purpose of sharing information, every open avenue for network access is a potential security gap. Access and security are always at opposite ends of the scale — too much of one weighs against the other. The key to effective network administration is finding and maintaining the right balance between security and access.

The IT department typically places greater emphasis on the security side of the ledger, which is to be expected because data protection involves concepts, techniques and technologies that are not well understood by most members of the organization. Ensuring the protection of sensitive company data and applications is a responsibility that can’t be taken lightly.

What’s more, network security isn’t just an imperative business practice; it’s the law. A growing number of federal, state and industry regulations require that organizations take measures to protect data from destruction, loss, unauthorized alteration or other misuse. Failure to do so can result in stiff penalties and costly litigation.

Changing focus

Over the years, IT has traditionally focused on perimeter-based security, with firewalls, access controls, intrusion detection solutions and other measures designed to create a wall around the network. However, the rapid growth of virtualization, cloud computing, mobility and wireless technologies is making it nearly impossible to establish a hard perimeter anymore.

New technologies have fundamentally altered IT’s customer base, as well as user expectations of what IT should deliver. An increasingly mobile and outsourced user community means IT must provide network and application access to a dynamic workforce with differing needs and operating from numerous locations. In addition, the proliferation of smartphones, netbooks and hosted applications has made workers less reliant upon their employers for their technology needs.

More and more employees are making their own buying decisions about the devices and applications that help them maximize productivity, and they naturally want the IT support that will help them do their jobs.

This trend obviously imposes significant burdens on the IT department. It’s hard to manage equipment you don’t own, and harder still to secure and support a diverse collection of hardware and software that is literally changing every day. The natural inclination is to lock down the network and prohibit the use of all devices and applications not expressly sanctioned by the organization. However, this is precisely where IT must walk a fine line.

With all security policies and practices, there is naturally going to be some tradeoff between ease of use and safety. However, security measures can be counterproductive if they are too severe. Just as people will prop open a locked door when it meets their needs, users will find ways to circumvent security policies and procedures they perceive as too cumbersome or that prevent them from accessing the network resources they need.

If you don’t believe it, just take a walk around the office and see how many employees keep a copy of their network password hidden underneath their keyboard.

It’s a simple fact that if people think network security is keeping them from doing their jobs, they will seek the services and access they need from a less secure source. They will install their own software, download shareware, buy a laptop connect card or an AirCard, and get on their smartphone or iPad and start doing business. You may have a very secure network, but if your customers are constantly finding workarounds, then you have won the battle but lost the war.

Cooperative effort

So how does an organization balance its security imperatives against user access needs in this era of distributed and open networked systems?

Certainly, it’s vital to have a comprehensive strategy in which a variety of measures — including firewalls, intrusion prevention, VPNs, VLANs, endpoint security, Web application security, and more — are synchronized to create a globally distributed defense. But technology is only part of the answer.

Most important, and more difficult to achieve, is the creation of comprehensive and understandable security policies developed in concert by the folks who run the network and the ones who have to use it. CIOs and IT administrators have to make a conscious effort to meet with their customers, internal and external, to find out what they need to do their jobs.

It isn’t easy. In fact, it can be a downright painful process. IT’s customers, the people who actually do the business of the business, are usually not very security-savvy. They know where to click and they know how to use the tools they need for their jobs, but they don’t understand what goes on behind the scenes. On the other hand, most network experts never really understand their customers’ jobs and what they need to work efficiently. The lack of communication and understanding between the two groups can lead to some hostility.

With two-way communication, IT can understand how network modifications can help customers do their jobs, and users can understand why certain limitations and restrictions are necessary to keep the network secure.

Through the use of questionnaires and interviews, CIOs can gain insight into the organization’s culture and its ability to meet various security standards and requirements. IT must also share complex security principles in a simple manner. Policies that are overly technical and difficult to understand can actually be a barrier to effective security.

This two-way communication provides a crucial starting point in the development of an effective security policy that provides maximum security with minimum impact on user access and productivity.

It isn’t a “one-and-done” process, however. Because organizations are constantly changing, security policies must be updated regularly to reflect new business directions, technology upgrades and resource allocations. In the end, even the most comprehensive security policy is ineffective if users won’t support or comply with it.

Striking a balance between security and access is the best way to avoid either unplugging the network or having customers unplug from your IT office.

Matt Swanson is a principal consultant for Emtec Federal Services. He has over 25 years of CIO knowledge and experience inside both the federal government and business.