Recently in Governance Issues Category

User access control: Fundamental but forgotten


User access control is a cornerstone of information security management. Everybody needs it and does it. Yet in practice it's poorly conceived, implemented and managed. It's one of those elephants in the room: a problem that is highly significant, but difficult to tackle so business is reluctant to acknowledge it. If it wasn't for compliance and internal audit the situation would be even worse. 

A number of theoretical models have been developed over the years but they don't deliver in practice. We've got ACLs, Capabilities, MAC, DAC and RBAC, none of which work in a medium or large enterprise. There are several reasons for this. 

Firstly, the models are too simple. Access control is too rich a subject to be determined by a single label or capability. Deciding whether a user can have access to an enterprise system is far from simple. It depends on who they are, what they are, how important they are, where they are, what they are doing, to whom they report, and what other access they might already possess. This requires unambiguous policy rules and reliable decision processes, supported by smart application front-ends, all of which are in short supply.

Secondly, we rarely have enough knowledge in one place to make this work. Neither systems owners nor administrators have perfect knowledge of who does what across the enterprise and what access they require, especially in an organisation that is continuously acquiring, divesting and restructuring business units.      

Thirdly, we don't pay enough attention to administration. It's too often poorly resourced and equipped. Cost savings can easily be made by streamlining processes and implementing better tools but this requires enterprise-wide cooperation and it's rarely at the top of any business unit's agenda.

Fourthly, we are constrained by legacy systems and infrastructure which complicate the problem space and restrict the solution space. Ambitious visions quickly fade into the distance.

An inescapable fact is that we can't control a complex situation with simple controls. Today's access requirements are a sophisticated blend of numerous factors. Access rights depend on multiple user characteristics that can be surprisingly hard to define, measure and monitor.

The end result is that it doesn't get done properly. Instead we fudge it. We do the minimum we can to keep it going and rarely get around to developing the rich policies, knowledge base and streamlined processes needed to build a sustainable, effective access control system.  

In fact it's much easier to close the back doors, through vulnerability management and penetration testing rather than to secure the front entrance. But compliance is catching up with the thousands of wrong profiles, toxic combinations and dead registrations. Sooner or later we will have to put aside the easy, quick wins and face up to the long-standing elephant in the room.  
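As an added illustration (not from the original post) of the "toxic combinations" and "dead registrations" that compliance reviews keep surfacing, the following access-review check runs over a constructed entitlement export; the toxic-pair policy, the account records and the 90-day dormancy threshold are all assumptions.

```python
"""Access-review check for two of the failure modes named above: toxic
combinations (segregation-of-duties conflicts) and dead registrations
(accounts whose owner has left, or that have gone unused for a long time).

Added example, not from the original post. The export, the toxic-pair
policy and the dormancy threshold are all constructed."""
from datetime import date, timedelta

# Constructed policy: pairs of entitlements one person must never hold together.
TOXIC_PAIRS = {
    frozenset({"ap.create_vendor", "ap.approve_payment"}),
    frozenset({"hr.edit_payroll", "hr.approve_payroll"}),
    frozenset({"prod.deploy", "prod.change_approve"}),
}
DORMANT_AFTER = timedelta(days=90)   # constructed threshold
REVIEW_DATE = date(2013, 3, 14)      # constructed "today" for the review

# Constructed access-review export, as a joiner/mover/leaver feed would
# provide it. Only the fields the checks need are included.
ACCOUNTS = [
    {"user": "alice", "status": "active", "last_login": date(2013, 3, 1),
     "entitlements": {"ap.create_vendor", "ap.approve_payment"}},
    {"user": "bob", "status": "leaver", "last_login": date(2012, 9, 4),
     "entitlements": {"hr.edit_payroll"}},
    {"user": "carol", "status": "active", "last_login": date(2012, 11, 20),
     "entitlements": {"prod.deploy"}},
    {"user": "dave", "status": "active", "last_login": date(2013, 3, 10),
     "entitlements": {"prod.deploy", "prod.change_approve", "hr.edit_payroll"}},
    {"user": "svc-batch", "status": "active", "last_login": None,
     "entitlements": {"ap.approve_payment"}},
]


def toxic_combinations(account):
    """Return every toxic pair this account holds in full, as sorted tuples."""
    held = account["entitlements"]
    return sorted(tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= held)


def is_dead_registration(account, today):
    """Leavers still holding an account, and accounts not used within
    DORMANT_AFTER (including ones that never logged in), are dead registrations."""
    if account["status"] == "leaver":
        return True
    last = account["last_login"]
    return last is None or today - last > DORMANT_AFTER


def review(accounts, today):
    """Produce the findings an access review would hand back to system owners:
    (user, finding type, detail), in export order, toxic pairs before dormancy."""
    findings = []
    for acc in accounts:
        for pair in toxic_combinations(acc):
            findings.append((acc["user"], "toxic_combination", "+".join(pair)))
        if is_dead_registration(acc, today):
            findings.append((acc["user"], "dead_registration", acc["status"]))
    return findings


if __name__ == "__main__":
    for finding in review(ACCOUNTS, REVIEW_DATE):
        print(*finding)
```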


Lessons from Software Development


I've often pointed out that information security management has become far too slow, bureaucratic and process driven. It's because of the backward-looking culture created by governance, standards and compliance. Old fashioned quality management concepts such as Deming loops and Capability Maturity Models have much to answer for.

In much the same way that security needs to learn from safety thinking (which is at least 50 years ahead in terms of understanding the nature of incidents) or modern military doctrine (which recognises the importance of speed and empowerment), so it should also learn from software development (which long ago changed its methodologies to enable faster and more responsive results).    

A good example is the Manifesto for Agile Software Development set out more than a decade ago. It succinctly states that:

"We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value: 

  • Individuals and interactions over processes and tools  
  • Working software over comprehensive documentation 
  • Customer collaboration over contract negotiation  
  • Responding to change over following a plan

That is, while there is value in the items on the right, we value the items on the left more"

Security professionals should note these points, because the key to effective security is not reams of policies and tick-lists, but empowerment, effective solutions, large-scale collaboration and agile response.  


Big Data means Big Security


You can't go through the day without reading something about Big Data. There are full page advertisements in newspapers, conferences devoted to the subject, and an array of new or rebadged products emerging every week.

Whether it's deployed for business purposes, IT operations or security monitoring, Big Data presents new security problems. Breaches are bigger. Usage is broader. And there are privacy concerns. These issues are not adequately addressed by existing corporate policies, so it's important for CISOs to start looking at fresh controls.   

This week's Qualys CSO Interchange pulled together several dozen CISOs to debate the various issues. It's the start of a dialogue that needs to be led by users, rather than vendors, standards bodies or government authorities.

What conclusions were reached? The main one for me was the need for a voluntary Code of Practice for Big Data use. Better to try and get things under control rather than wait for governments and regulators to lay down the rules.

Who could write such a Code? CSO Interchange is as qualified as anyone else, so we've decided to have a stab. Watch this space for further developments. 


One size should not fit all


I spend a lot of time working with big and small enterprises, helping with information security or risk management issues. What continues to amaze me is how much they differ in their security governance style and control requirements, but how similar they are in security initiatives and solutions.

I find it remarkable to find small companies aspiring to implement management systems, scorecards and maturity frameworks, as I do to find very large organisations wanting to standardise on a common set of enterprise policies, standards and governance processes. Security standards have become decoupled from requirements. It is a dangerous drift towards a monoculture of identical but unsuitable security countermeasures.

Where is the appetite for innovation and diversity? The answer is that it's been killed off by a professional development mindset that is reluctant to challenge the accepted wisdom of an established compliance regime. Real security is career-limiting. Best practices are far safer.  

This situation cannot continue. We need to encourage and empower our security managers to think, judge and develop solutions that are more in tune with real business. But a single business will find it hard to break the mould. And government, regulators, trainers and standards bodies are even more constrained. The future has to lie with academia and journalists, who are free to research, criticise and encourage new ideas.

If you're a university or research establishment, then I would encourage you take on this challenge. It's an important one, because in my opinion every single aspect of information security management (bar none) is inappropriate, and in need of substantial improvement. We must throw away the past and invent new solutions from first principles.

The starting point is to nail down those principles. What are they? There is a gap here. Watch this space for more on this topic. 


The Truth about Cyber Security


My blog postings have been very thin lately. This was due to my annual Scottish fly-fishing holiday (the highest priority in my calendar) followed by the Queen's Diamond Jubilee and a mass of catch up work. It's taken me weeks to get up to date.

But breaks like this are highly welcome, not only because of the freedom, relaxation and social networking, but also because they grant you a rare chance to detach yourself from the madness and (let's face it) incompetence of everyday business, and to reflect objectively on life.

In a large enterprise this madness is largely invisible to most employees, masked by a surrounding mist of illusion, otherwise known as organisation culture. Such a phenomenon is impossible to ignore and even harder to influence. Smaller companies can be less prone to it, but any large community tends to adopt an instinctive behaviour that springs from no obvious source, and generally defies logical analysis.

We see it with banks that carry on gambling as usual. With process industries that refuse to acknowledge that Die Hard 4 was perhaps an understatement. And with governments who think the answer to all ills is simply more regulation. But most worryingly we see this madness with security managers at all levels who think that the answer to a wave of advanced persistent threats is to form a committee, conduct a risk assessment, publish a policy or carry out a review.

Yet in the past few months we've seen some amazing revelations on the threat front, from "hacktivists", government spies and organised crime. There is no longer any margin for error. The Internet is a dangerous environment for everyone. If you don't get your security absolutely right, you will be hacked sooner or later (and increasingly sooner).

It's quite clear that national intelligence services have for years been exploiting the extraordinary degree of vulnerability found in every enterprise. Recent claims, for example, that the US Government has been sponsoring cyber attacks at the highest levels for the best part of a decade should come as no surprise to any security professional. Many other states are likely to be following their lead. Yet little seems to be being done to safeguard our increasingly vulnerable critical national infrastructure from sophisticated attacks.

Let's face it: all enterprises today have leaky perimeters, insecure platforms, ineffective access rights management, and error prone users. Yet we are painfully slow in recognising and addressing these weaknesses. Instead we publish reams of unreadable policy, allow business expediency to override critical vulnerabilities, and conduct lacklustre awareness campaigns.

One reason for this state of affairs is that the threat is largely invisible, which means it's easy to ignore. Espionage and fraud are covert activities by nature, and their consequences are largely outside of a typical manager's everyday experience. That doesn't mean it doesn't happen and doesn't cause damage. Take it from me: every research centre, procurement process, customer database, and call centre is a target, and many will have been compromised. We just don't open our eyes to the reality or the consequences.

Another reason is the inevitable fact that remedial action costs real money and time, so no one wants to go down that route. Given a choice, business managers will always accept a risk rather than spend money or invoke delays. Security is not just a hard sell; it's a career limiting investment. But in the absence of any real enthusiasm from business managers, security will remain little more than a tick-box requirement.  

It doesn't have to be like that. The world of industrial safety, for example, was in a similar state back in the 1980s. Today, to an outsider, safety in the process industries comes across as an ingrained religion. You can't walk upstairs without someone telling you to hold the handrail. You can't trail a mains lead across the floor without someone shouting "safety hazard". How did this happen? Quite simply, it was through a professional, sustained campaign sold to and driven by senior management.

Why does this not happen for security? The answer is because few people in security have learned from the safety example and, more importantly, because nobody in security is telling the truth to their executive boards. The security community has an unfortunate habit of telling the directors that everything is fine and dandy when it's not.

A further factor might be that enterprises tend to look to banks rather than process industries for best practices in security. And another is the hard truth that few CISOs actually possess the skills and imagination to promote a change of direction to the Board.    

In the meantime we continue to observe security communities and institutes congratulating themselves on their effectiveness in promoting professional development schemes, standards and other bureaucratic treacle. Yet the truth is that all we are really doing is building and reinforcing a dangerous monoculture built on discredited practices and ancient rites.

Discuss?


The Wild Western Art of War


You can't visit the Far East without contemplating the contrast between Eastern strategies of negotiation, and the less colourful philosophies of the Wild West.

The Thirty-Six Chinese Strategies, for example, are a wonderfully rich collection of tactics derived from military strategy that are claimed to shape the Chinese approach to business, especially business with foreigners. 

Examples include "Kill with a borrowed knife", "Conceal a dagger in a smile" and the delightfully pragmatic "If all else fails, run away".

To the Westerner these principles might appear a mite aggressive or even slightly underhand. But to the Chinese, business is no different to warfare. And this of course gives them a positive advantage in cyber warfare, which I've long pointed out is really more the "art of illusion" than the "science of sabotage".

Perhaps we should adopt a similar set of principles for the Wild West. What might they be? Tossing a few ideas around with the delightful Melanie McFarland, a US business strategist based in Hong Kong, we came up with a few ideas.

Here are my Ten Western principles (of business, war or security):

  • "Circle the wagons" - Retreat to a classic perimeter defence.
  • "Hang 'em high" - Find a scapegoat rather than the true root cause of a problem.
  • "The only good user is a dead user" - Forget the enemy it's users we really hate.
  • "If you haven't fallen off a horse, you haven't been riding long enough" - Don't worry about breaches, they're just inevitable.
  • "If you're not making dust, you're eating it" - It's much better to lead blindly than to follow.
  • "Don't squat with your spurs on" - Never turn your weapons on yourself by mistake.
  • "Don't mention the elephant in the room" - Ignore any problems that are too big to fix. SCADA systems come to mind.
  • "Why do today what can be put off to tomorrow"- Procrastination makes life easier. Just ignore those uncomfortable audit actions. You know they won't bite you for a while. 
  • "When you're in a hole, stop digging" - The classic No 2 rule of holes. (Don't ask what the No 1 rule was.)
  • "Just tick the box" - Never mind the quality, just follow the process. 

All further suggestions are most welcome of course.

What's the point of a management system?


My blog posting on OODA loops prompted a response from Andrew Yeomans, pointing out that Deming loops and Boyd loops are not mutually exclusive, i.e. you can have a slow moving management system supporting a fast-moving operational cycle. Would that this were true.

Andrew is technically correct. The problem is that you cannot easily divorce the security management system from the countermeasures themselves. ISO 27000 entwines them in a seamless programme of activities, requirements and countermeasures.

One or two operational measures, such as secure operations centres and intrusion prevention, operate in real time. But in general the pace of change and the application of new controls can be slowed to a snail's pace by risk assessments, committees, business cases and budget cycles.

A good question is why we actually need management systems, especially if they introduce delay or distraction. It's a good point. Management systems were the invention/development of quality experts and auditors, and they tend to embody their aspirations. If you don't employ such people in your organisation (and many SMEs don't) then it's not logical to implement a management system.     

Management systems are an option to enforce greater discipline and control over business and functional operations. If your organisation is small or rapidly changing, they may serve to hinder more than help you.

And it's not logical to introduce heavy governance measures for a single function or subject area unless they are generally practiced across the organisation. Why would you demand a steering committee or a set of KPIs for security management if it's not done for more important business operations? 


Meeting the demands of the contemporary security market


It's been a long time since I last blogged. It's been due to excessive commitments. Freelance work has been thick and fast since the beginning of the year, reflecting an increasingly robust market for security research and consultancy. I'm also reluctant to turn down new projects because you never know whether a downturn is around the corner.

One of the major factors behind the growth in demand for security advice is the rapid take-up of information security practices by small and medium size companies. This would be a fine thing if established standards catered for smaller or immature enterprises. Unfortunately they don't. Instead the market has evolved into a one-size-fits-all approach, coupled with a commodity market in security training and services.

Companies new to information security typically request penetration tests, policy & procedure manuals and ISO 27001 compliance. None of these is appropriate as a first step in security for an enterprise, for by themselves they do not reduce risks.

Other than the shock value from your first penetration test (which admittedly can help with budgets) the outcome is generally an incomprehensible document listing hundreds of pages of vulnerabilities, which now happen to be shared across a small community of consultants, staff and unencrypted emails and laptops. Would it not be better to have devoted that time to tightening up platforms and applications? Yes, but that would be logical, rather than "ethical".

Policy and procedure manuals are quick and easy to implement but they rarely get opened. And ISO 27001 is particularly unsuitable for smaller or newer enterprises, especially those operating in regions or cultures where paper-based procedures are rarely followed. I've blogged many times about the security challenges of the smaller enterprise. They're different from the formal demands of larger organisations, which is why the ISSA-UK has developed a special standard for small and medium sized enterprises.  

A second problem however is that there is no gradual path with recognised milestones to implementing ISO 27001. And as anyone who has read my book "Managing the Human Factor in Information Security" will have noted, you can't implement a rich, complex framework of controls overnight. It has to be done in stages if you want to carry people with you.

So we have an unsatisfactory market where people are trained to apply and demand skills and standards that bear little resemblance to actual requirements. How much better it might be to start with a blank sheet of paper and a good dose of common sense, and to draw up a security programme that really reduces risks rather than ticks boxes. Getting back to that sensible state would be a huge step forward, but it would require a simultaneous behaviour change by regulators, security managers and consultancies. And that's not likely to happen. 


The wrong type of loop


We all know that information security management only works if we "close the loop", i.e. that telling people to do things does not work unless you check they are actually doing it. The problem is that for far too long we have been using the wrong type of loop.

It started with ISO 27000 committee bureaucrats, who fell in love with the old-fashioned Deming loop of "Plan, Do, Check, Act". This was long after leading US military strategists had fashioned the more relevant (to security) Boyd (OODA) loop of "Observe, Orient, Decide, Act".

Now you might think these two loops sound similar. But you would be wrong. In practice, applying the Deming cycle is painfully slow. It typically translates to an annual budget-driven cycle. Deming himself also preferred the word "study" to "check", which suggests that we don't spend enough time on it.

But OODA is all about speed. It's about highly competitive dog fights. It was inspired by the challenges in air combat in Vietnam. The trick is to design your environment to go faster than your opponent. And that's exactly what we need to survive in a hostile environment where competitors are aiming to exploit our intellectual property, i.e. the modern business world. 

So let's ditch PDCA and embrace OODA. It's an entirely different philosophy, and one that we all need to adopt.


Our only hope lies with Academia


Lately I've been spending more time lecturing to universities (Oxford and Surrey this week, Portsmouth the week after next). At each session I set out to present what's wrong with Information Security management today: just about everything, including the priorities, standards, methodologies, technologies and skills.

At the end of each talk I ask: "Do you agree?" The response is generally a refreshing "Yes".

Of course it might be my compelling rhetoric rather than the content that sways the audience. It's certainly hard to drum up any passion for today's slow, dry, quality-focused approach. But I suspect that I'm actually striking a chord that's long overdue to be heard.

If there's any hope for a change of direction, it lies with Academia. User organisations are too bogged down in the treacle of compliance to inspire any change. Vendors are only interested in what the users say they want. And institutions tend to be more concerned with preserving the status quo, rather than challenging the accepted wisdom.  

Thirty years ago, if you'd told me that Academia was our salvation, I would have laughed, watching researchers struggle to find practical use for Bell and LaPadula models. Fifteen years ago, you would have got the same reaction as I observed universities putting together MSc courses inspired more by the Common Criteria than industry practices. Today it's different. It's time for students and researchers to go back to first principles and design an entirely new approach to information security management, one that's more in keeping with a fast-moving, sophisticated risk environment.



This page contains a single entry by David Lacey published on March 14, 2013 10:40 AM.
