WILS: InfoSec Needs to Focus on Access not Protection

DevCentral > Weblogs > Lori MacVittie - Two Different Socks

WILS: InfoSec Needs to Focus on Access not Protection

posted on Wednesday, August 12, 2009 3:45 AM

Back when I was developing GIS data translation software I had to fight security all the time. My desktop was so locked down I couldn’t compile the code because I didn’t even have appropriate permission to access the file system. Why? The guy in charge of security was so paranoid about someone doing something they shouldn’t that he completely missed the other half of his responsibility: ensuring people had access to data and information and systems to which they legitimately had a need to access.

The potential impact of a data/security breach is so high these days that security folks are tending to over-focus on stopping breaches and data theft and forgetting about the need to provide access to the right people at the right time to information and data they need to do their jobs.

Information security isn’t just about protecting information from being stolen, it’s about ensuring that information is available to the right people at the right time. Focusing on access makes it easier to remember that some people should have access while others should not. And in the end, protection of data and systems is really just making certain those who should not have access, don’t.

You’re either the castellan of the data center, or merely a gate guard. It’s up to you how you view your role, and ultimately how the rest of IT and the organization treats you and your job.

Technorati Tags: MacVittie,F5,information security,infosec,security,application security,access,WILS,web,internet,blog

WILS: Write It Like Seth. Seth Godin always gets his point across with brevity and wit. WILS is an ATTEMPT TO BE concise about application delivery TOPICS AND just get straight to the point. NO DILLY DALLYING AROUND.

Related blogs & articles:

WILS: Applications Should Be Like Sith Lords

Denied!

Cloud Changes Cost of Attacks

Rip and Replace Won’t Solve Twitter’s (Or Your) Security Problems

Twittergate Reveals E-Mail is Bigger Security Risk than Twitter

Why you must dive Into the Breach

Would you risk $31,000 for milliseconds of application response time?

Feedback

8/12/2009 10:27 AM
		This is one of those places where English fails us and we need to be explicit when drawing the line between security (freedom from doubt) and safety (freedom from danger). The goal is (or should be) that information (which is just data in both context and motion) is secure while - simultaneously - data is safe. That security has more to do with fidelity and freshness than access, while the safety has more to do with redundancy and forensics than access. In physical access control, the assumption is for failure and you rate a system by how long it resists attack. To presume that an access control system in the digital realm is somehow "infinitely resistant" obscures our view of what is actually valuable - namely the ability to keep static data static and moving data moving without compromising trust in the data itself or who is using it (security) and the ability to prevent the destruction or modification of that which shouldn't be destroyed or changed (safety). When you look for systems that do either of these things, you find they do exist, but they typically don't exist in concert or in those places where, in retrospect, they ought.
Ian

8/12/2009 10:30 AM
		@Ian That's a great point! So much of technology is about semantics, but it seems Information Security has more than perhaps its fair share of problems/misunderstandings/confusion due to semantics and language. Thanks! Lori
Lori MacVittie

8/18/2009 3:29 AM
		Amazon Compliance Confession About Customers, Not Itself
Lori MacVittie

9/10/2009 9:46 AM
		WILS: Automation versus Orchestration
Lori MacVittie

9/15/2009 4:16 AM
		WILS: Network Load Balancing versus Application Load Balancing
Lori MacVittie

Leave Feedback

Title
Name
Email
Url
Comments
Remember Me? Enter the code shown above:
Please add 5 and 5 and type the answer here:

My Links

DevCentral Home
DevCentral Blogs
DevCentral Forums
My Blog
Contact Me
Syndication
Login

Blog Stats

Posts		641		Comments		1204
Stories		0		Trackbacks		343

	Tag Cloud
	acceleration application delivery application security architecture BIG-IP blog cloud cloud computing dynamic infrastructure F5 HTTP infrastructure INfrastructure 2.0 integration internet load balancing MacVittie optimization performance scalability security SOA virtualization web web 2.0 more tags...

Post Categories

		General SOA
		SOA Delivery
		Randomness
		Web 2.0
		Security
		iRules
		iControl
		Development and General
		Monitoring/Management
		XML
		ISV Solutions
		Microsoft Solutions
		Performance
		Cloud Computing
		Virtualization
		WILS
		Infrastructure 2.0

Archives

		March, 2010 (11)
		February, 2010 (20)
		January, 2010 (17)
		December, 2009 (16)
		November, 2009 (20)
		October, 2009 (22)
		September, 2009 (21)
		August, 2009 (25)
		July, 2009 (18)
		June, 2009 (20)
		May, 2009 (20)
		April, 2009 (21)
		March, 2009 (23)
		February, 2009 (17)
		January, 2009 (19)
		December, 2008 (17)
		November, 2008 (18)
		October, 2008 (27)
		September, 2008 (32)
		August, 2008 (31)
		July, 2008 (30)
		June, 2008 (33)
		May, 2008 (30)
		April, 2008 (24)
		March, 2008 (5)
		February, 2008 (4)
		January, 2008 (8)
		December, 2007 (5)
		November, 2007 (6)
		October, 2007 (3)
		September, 2007 (5)
		August, 2007 (7)
		July, 2007 (7)
		June, 2007 (5)
		May, 2007 (11)
		April, 2007 (9)
		March, 2007 (7)
		February, 2007 (10)
		January, 2007 (5)
		December, 2006 (4)
		November, 2006 (8)

Application Delivery

		Infrastructure 2.0
		onizo#
		The Virtual ADC

Cloud Computing

Google Group: Cloud Computing

Random

Security

Rational Survivability

SOA

		Loosely Coupled
		Miko Matsumura's SOA Center
		SOA Enterprise Patterns

Copyright 1996 - 2007 F5 Networks, Inc. | Privacy Statement | Terms Of Use