Thursday, January 3, 2008
Always getting back to basics
I always like to read people trying to look again to more basic issues on security. This approach permits us to find more elegant solutions and is the way to the revolutionary ideas, those that we look at later and think "oh, but it was so obvious!".I'm always discussing with my clients about why they need to deploy new controls instead of improving the processes and tools that they are already using. Amrit Williams has just written about how well companies are capable of managing their IT environment. Yes, this is a very basic thing to think about, and that's why I like it.Amrit says that "it is quite common for an organization to be blind to 15-30% of their computing devices at any given point in time". He is completely right, even more when he mentions not-so-common systems like mainframes, PDAs, Unix flavors. People tend to feel comfortable when they get the grip over their Windows environments, but that's just the beginning. I'm tired to find networks completely vulnerable on those less common platforms, while relatively secure on their Windows servers and workstations. People that are automatically controlling software deployment on Windows servers but are sharing the root password for the Linux boxes. At his post he asks the reader to try to answer these questions: "how many devices are actively deployed in my environment right now and how many of those do I actively manage?"Yes, we'll be dealing with several new problems during 2008. However, don't forget to look at the basics before going for the next solution-in-a-box trend. You can be sure that improving some basic processes can help you more on increasing your security level than adding another protection layer (and complexity to the environment).