New technologies make my head hurt. My geeky side loves to play with the latest toys and see what they can do.
My Infosec Director side (the side that pays the bills) reacts to new technologies like Dracula to a nice garlic sandwich. How can I keep my organization safe without limiting my users to outdated technologies? Here are a few tips and techniques I find helpful.
Stop and take a deep breath
Some security practitioners react to new technologies with panic and the issuance of stern edicts against using USB drives/PDAs/EVDO cards/wireless LANs, etc. Stop and take a deep breath. In most cases, users have a legitimate need to fill. It is your job to find a way for them to fill that need safely, not to keep them from being efficient. Besides, issuing stern edicts typically serves only to increase awareness of the "forbidden" (and thus much more interesting) technology and tends to drive users underground, making your job more difficult and adversarial.
Work with your users, not against them
Make sure that your users feel comfortable talking to you about new technologies. You want them to come and tell you about the neat new gizmo or software they just bought (or better yet, are thinking of buying). They will not do this if they perceive that you are going to arbitrarily stop them from using anything new. A better approach is to sit down with the user, understand what they are trying to accomplish with the new technology, and try to get them to raise the security questions themselves.
For example, when smartphones came on the scene, users fell in love with the ability to stuff their cellphone/PDA with all the important information they need while working outside the office. These little gems quickly became nightmares for security people. By sitting down with users, acknowledging all of the good things about smartphones and maneuvering them into asking how their customer lists, passwords and other confidential information could be protected, I was able to get them to drive the process of setting security standards for the new devices. The resulting standards combine encryption, password protection and the prompt reporting of device loss and subsequent remote self-destruct of data, allowing us all to sleep at night. Because the users felt included in the process of analyzing the problem and coming up with the policies, they were willing to accept the addition of some security measures that create a little bit of inconvenience.
Compare new technologies to old
Another way to deal with new technologies is to compare them with existing technologies. In many cases, from a security point of view, the new gizmo is a lot like some older gizmo, except faster, cheaper and with prettier blinking lights. This makes it easier to explain the security issues to users and can cut down on the need for more and more policies. For example, we are starting to see laptops with built-in broadband-class Internet connections over wireless public networks (like EVDO or WiMax) being offered for sale. A laptop that is on the corporate LAN and on the cellular network at the same time is reachable from the Internet without passing through the perimeter, so it gives an attacker a "back door" that bypasses all of your expensive firewalls. If you think about it, we've had this problem before with dial-up modems. By explaining this new technology to users in comparison to modems, it is easy to make them understand the risks. No new policies are needed to deal with this issue, as most companies' modem policies are broad enough to cover this new form of connectivity. You can allow the use of these connections with the proper firewall measures, just not while connected to the corporate LAN.
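The "not while connected to the corporate LAN" rule is easy to state and easy to violate by accident, so it helps to have a check that finds laptops which are dual-homed right now. The following is an added example, not code from the original article or from Liquidnet. It assumes a constructed interface inventory (the kind an endpoint agent might export: host, interface, address, link state, default gateway) and assumes the corporate address space is 10.0.0.0/8; both are assumptions made up for this illustration. A host is flagged when it has a live interface inside the corporate space and another live interface whose default gateway lies outside it.

```python
import ipaddress
from collections import defaultdict

# Assumed corporate address space for this example; substitute your own.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample export (not real hosts): host, interface, address/prefix,
# link state, default gateway ("-" when the interface has no default route).
SAMPLE_INVENTORY = """\
# host     iface  address            state gateway
lt-0421    eth0   10.1.20.15/24      up    10.1.20.1
lt-0421    wwan0  166.130.8.44/32    up    166.130.8.1
lt-0422    eth0   10.1.20.16/24      up    10.1.20.1
lt-0422    wwan0  166.130.9.12/32    down  -
lt-0423    wwan0  166.130.11.7/32    up    166.130.11.1
lt-0424    eth0   10.1.21.8/24       up    10.1.21.1
lt-0424    wlan0  192.168.1.50/24    up    192.168.1.1
"""


def is_corporate(addr):
    """True when the address falls inside the corporate space."""
    return any(addr in net for net in CORPORATE_NETS)


def parse_inventory(text):
    """Turn the whitespace-separated export into {host: [interface records]}."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, iface, cidr, state, gw = line.split()
        hosts[host].append({
            "iface": iface,
            "addr": ipaddress.ip_interface(cidr).ip,
            "up": state == "up",
            "gateway": None if gw == "-" else ipaddress.ip_address(gw),
        })
    return hosts


def find_dual_homed(hosts):
    """Return {host: (corporate_ifaces, outside_ifaces)} for hosts that are on
    the corporate LAN and simultaneously routing to the Internet another way.
    Interfaces that are down are ignored: an EVDO card that is present but not
    connected is not a back door."""
    findings = {}
    for host, ifaces in hosts.items():
        live = [i for i in ifaces if i["up"]]
        corporate = [i["iface"] for i in live if is_corporate(i["addr"])]
        outside = [i["iface"] for i in live
                   if i["gateway"] is not None and not is_corporate(i["gateway"])]
        if corporate and outside:
            findings[host] = (corporate, outside)
    return findings


if __name__ == "__main__":
    for host, (corp, out) in sorted(find_dual_homed(parse_inventory(SAMPLE_INVENTORY)).items()):
        print(f"{host}: on corporate LAN via {','.join(corp)} while routing out via {','.join(out)}")
```

On the sample data this flags lt-0421 (wired to the LAN with an active EVDO card) and lt-0424 (wired to the LAN while also on a non-corporate Wi-Fi network); lt-0422 is not flagged because its wireless card is down, and lt-0423 is not flagged because it is only on the cellular network, which is the permitted case. A real deployment would feed this from an inventory or NAC agent and treat a finding as a reason to drop the LAN port, not just to report.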
New technologies should be part of your awareness efforts. If your users are clamoring for the ability to use those cute little USB thumb drives to carry documents and data, you can either disable USB ports and explain why, or you can show your users how to use an encrypted thumb drive to protect data while in transit. Either option may be a legitimate strategy for your organization, or even for a subset of your organization. It depends on what your company does and how sensitive the information is. The point here is that no matter which choice you make, explaining the logic to users is going to be key in getting them to accept and comply with new policies and standards.
Know what's on the horizon
Infosec departments should be looking ahead to find out what new technologies are most likely to pop up in their organizations. Every company seems to have a few early adopters who can be counted on to buy and try every new gadget that hits the market. Make these people your buddies and keep tabs on what new technologies they are looking at and how they are using them. Remember: your mission here is to gather information, not to stamp out new and better ways of doing things.
Become a business enabler
There are going to be times when saying no to a new technology is the right answer. However, if that is the route you are going to take, make sure that you have analyzed the risks and rewards of the new technology thoroughly and that your users understand why they can't use the latest gadget. Offer some alternatives to help users get the functionality they are seeking – safely.
As a group, information security has a bad reputation as the department that says "No." We need to work on this and change our role from business obstacle to safe-business enabler. Working with users to introduce new technologies is one way to do this.
About the author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.