Where do you draw the line between keeping customers happy and maintaining security?


  • Where do you draw the line between keeping customers happy and maintaining security?

    A question that comes up often on the forums, e.g. looking for a technical solution to a user behaviour issue.

    We have a client whose security policy mandates no data leaves the building except on approved devices, approved devices being Domain Member laptops and that's it. Several users ignore this and take data home on USB devices and work on it on non-Domain member machines. According to one source "they are too lazy to carry their laptops home"

    We were asked for an opinion and said in the first instance these users need re-education: the policy clearly states this is forbidden, and if they continue to offend then we can create GPOs quickly to physically prevent them from doing it by locking down all access to removable storage. This was considered and rejected on the grounds of 1. possibly upsetting users and 2. being too draconian.

    Net result, the customer went out and bought third party software that creates an allowed list of removable storage devices on the recommendation of one of the managers. Whose iPod is on the allowed list.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog
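The two controls the post contrasts, the GPO that "locks down all access to removable storage" and an allowed list of specific devices, are both things Windows can do natively. The following is an added PowerShell example, not code from the original post or from any product mentioned in the thread. It writes the registry values that the corresponding Group Policy settings (System > Removable Storage Access, and System > Device Installation > Device Installation Restrictions) write, so the effect can be tested on a single machine before the same settings go into a domain GPO. The hardware ID passed to the allow list is a placeholder (an assumption), not a real approved device.

```powershell
# Added example: the registry values behind two Windows Group Policy settings
# discussed in the thread. Run as Administrator on a test machine; in production
# set the same values through a domain GPO instead of editing the registry.
#
#  1. System > Removable Storage Access: deny read/write/execute on removable
#     disks, CD/DVD, floppy, tape and portable (WPD/MTP) devices.
#  2. System > Device Installation > Device Installation Restrictions: block
#     installation of any device not on an explicit allow list of hardware IDs.

$RemovableStorageKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DeviceInstallKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Device setup class GUIDs used by the Removable Storage Access policy.
$RemovableClasses = @{
    'RemovableDisks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CdAndDvd'       = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'FloppyDrives'   = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
    'TapeDrives'     = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'
    'WpdDevices'     = '{6AC27878-A6FA-4155-BA85-F98F491D4F33}'
    'WpdDevices2'    = '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
}

function Set-RemovableStorageDeny {
    # "Deny all access" for every class listed above. Deny_Read, Deny_Write and
    # Deny_Execute are the DWORDs the policy editor writes under each class GUID.
    foreach ($guid in $RemovableClasses.Values) {
        $path = Join-Path $RemovableStorageKey $guid
        New-Item -Path $path -Force | Out-Null
        foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Set-DeviceAllowList {
    param([string[]]$AllowedHardwareIds)
    # DenyUnspecified = 1 blocks installation of any device not matched by another
    # policy; the AllowDeviceIDs subkey holds the approved hardware IDs, one per value.
    New-Item -Path $DeviceInstallKey -Force | Out-Null
    New-ItemProperty -Path $DeviceInstallKey -Name 'DenyUnspecified' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $DeviceInstallKey -Name 'AllowDeviceIDs'  -PropertyType DWord -Value 1 -Force | Out-Null
    $listKey = Join-Path $DeviceInstallKey 'AllowDeviceIDs'
    New-Item -Path $listKey -Force | Out-Null
    $i = 1
    foreach ($id in $AllowedHardwareIds) {
        New-ItemProperty -Path $listKey -Name "$i" -PropertyType String -Value $id -Force | Out-Null
        $i++
    }
}

function Get-RemovableStoragePolicy {
    # Read back what is actually in effect, so the lockdown can be verified.
    foreach ($entry in $RemovableClasses.GetEnumerator()) {
        $path = Join-Path $RemovableStorageKey $entry.Value
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Class       = $entry.Key
            DenyRead    = [bool]$p.Deny_Read
            DenyWrite   = [bool]$p.Deny_Write
            DenyExecute = [bool]$p.Deny_Execute
        }
    }
}

# The hardware ID below is a placeholder (assumption), not a real approved device.
# Real IDs for a plugged-in drive: Get-PnpDevice -Class DiskDrive | Select-Object -ExpandProperty HardwareID
Set-RemovableStorageDeny
Set-DeviceAllowList -AllowedHardwareIds @('USBSTOR\DiskExampleVendor&Prod_ApprovedKey')
Get-RemovableStoragePolicy | Format-Table -AutoSize
```

The two settings fail in different ways. The Removable Storage Access policy lets the device install and mount but denies file access, so it is the blunt "nothing leaves" control. The Device Installation Restrictions allow list stops drivers installing for anything not listed, which is closer to what the customer bought; with DenyUnspecified set and an empty or wrong list it will also block new keyboards, mice and printers, so test it before it goes into a GPO, and remember the list is only as good as what is on it (an iPod in disk mode that is on the list is still a writable removable disk).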

  • #2
    Re: Where do you draw the line between keeping customers happy and maintaining security?

    Security is meant to be an enabler not an inhibitor.
    Well that is what the security guys say. I come from the point of view, lock it down until it is "safe" to use. Apparently this isn't the correct way nowadays. I disagree but such is the way of things.
    cheers
    Andy

    Quis custodiet ipsos custodes?

    • #3
      Re: Where do you draw the line between keeping customers happy and maintaining security?

      IMHO security should be nearly transparent for the end user.
      However, when there is a written security policy, then IMHO management and HR should take action against those users.
      Maybe this is something?
      http://www.checkpoint.com/products/d...tor/index.html
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"

      • #4
        Re: Where do you draw the line between keeping customers happy and maintaining security?

        There are a few factors here to consider: the importance of the data and the impact if it is lost or stolen. I am assuming these are quite high in your situation since you have got a written policy in place to prevent it from leaving the physical premises.
        One thing I've learned is that it's not wise to leave it down to the end users to follow good security practices, as mistakes will happen (due to the very nature of us being human). If the company policy says that data should not leave the building on a storage device then I'd personally enforce it. Popularity amongst the end users would be the last thing on my mind. In case of any incidents, it'll probably be the IT guys with their heads on the line (depending on what the policy specifies).
        Best advice from me would be to cover your Arse...enal
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR

        • #5
          Re: Where do you draw the line between keeping customers happy and maintaining security?

          For me the line is drawn where I would be most likely to be smeared if something bad happened. Might sound a bit mercenary, but I look at it like this: it's usually not up to me to determine what business information is critical or not (or at least, it shouldn't be. In some scenarios I've had to point out that certain things are important and need to be better secured). That's for the "leadership" to determine. If they say XYZ database is super sensitive, then I'm going to encrypt it, secure the server, enact IPsec policies, log access, data mine those logs etc. I'll also holler if I can't get funding or resources to do those things. Here's the dividing line: if the demands for security conflict with any other demands, I point it out and ask which demand is more important. If security gets the short straw I document everything, email everyone and will even consider asking for signed documents that state that everyone involved knows the risks that are being taken. Sounds extreme, but in some cases it's definitely worth it. I don't want an incident to happen and then fingers to be pointed at me because "you're the IT guy... why didn't you do something about it!!"

          I always give people options.
          User: "This Anti-Virus is slow..."
          Me: "Yes, I know. I've done all I can to increase performance."
          User: "I'll just turn it off..." (ignoring that if they were not administrators this couldn't happen.)
          Me: "Okay, but you know the risks. If your computer is eaten alive, don't blame me."

          Or some variation of that conversation.
          Wesley David
          LinkedIn | Careers 2.0
          -------------------------------
          Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
          Vendor Neutral Certifications: CWNA
          Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
          Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

          • #6
            Re: Where do you draw the line between keeping customers happy and maintaining security?

            If this is a security policy that has been written to ensure that company data is not stolen then it should be rigorously enforced. Any non-conformance should be dealt with by the HR department.

            In this situation I would speak to the customer about using products that will stop users loading data onto USB drives. We do this where I work and we can track which documents are being transferred and by whom.
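The tracking this post describes ("which documents are being transferred and by whom") does not need a third-party product on Windows 8 / Server 2012 and later, which have a dedicated "Removable Storage" audit subcategory. The following is an added PowerShell example, not code from the post or from the product its author uses: it enables that subcategory and summarises the resulting 4663 (object access) events by user, file and process, keeping only accesses that carried write-side rights. It assumes it is run as Administrator on a machine whose Security log is retained long enough to be useful.

```powershell
# Added example (not from the post): audit file access on removable storage and
# summarise who wrote which files, using Windows' own "Removable Storage" audit
# subcategory (Windows 8 / Server 2012 and later) and the 4663 events it produces.
# Run as Administrator.

function Enable-RemovableStorageAudit {
    # Success and failure auditing for the subcategory. Equivalent to the
    # "Audit Removable Storage" setting under Advanced Audit Policy > Object Access.
    & auditpol.exe /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null
}

function ConvertFrom-RemovableStorageEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Read the named EventData fields from the event XML rather than parsing the
    # rendered message text, which is locale-dependent.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $mask = [int]$data['AccessMask']          # hex string such as "0x2"
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Process = $data['ProcessName']
        File    = $data['ObjectName']         # e.g. \Device\HarddiskVolumeN\<path>
        # 0x2 = WriteData (FILE_WRITE_DATA), 0x4 = AppendData: the write-side rights.
        Write   = (($mask -band 0x2) -ne 0) -or (($mask -band 0x4) -ne 0)
    }
}

function Get-RemovableStorageWrites {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
        ForEach-Object { ConvertFrom-RemovableStorageEvent -Event $_ } |
        Where-Object { $_.Write }
}

Enable-RemovableStorageAudit
Get-RemovableStorageWrites |
    Group-Object User, File |
    Select-Object @{ n = 'User';    e = { $_.Group[0].User } },
                  @{ n = 'File';    e = { $_.Group[0].File } },
                  @{ n = 'Process'; e = { $_.Group[0].Process } },
                  Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

This is detection, not prevention: it tells you after the fact that a user copied a file to a removable disk, including from a device that is on an approved list. It also generates a lot of noise on reads, which is why the summary filters on the write bits of the access mask; forward the events to a central collector rather than relying on a laptop's local Security log.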

            • #7
              Re: Where do you draw the line between keeping customers happy and maintaining security?

              It's a tough one but in my opinion not something for mere tech monkeys to be deciding. This is something that the "Powers That Be" need to decide, then tell the techies "it will be this" and the techies just make it happen. If the end user populace has a problem with it then they need to take it to the management type people to discuss.

              I was in on a McAfee training class the other week and they had an interesting add-on for their ePolicy offering. Basically it will allow you to lock USB ports completely, ban storage devices only, encrypt any device that's plugged in, prevent certain files from being transferred or simply encrypt them when they are. Seems pretty handy to me.
              This message represents the official view of the voices in my head

              • #8
                Re: Where do you draw the line between keeping customers happy and maintaining security?

                Yeah, a few of the AV packages are offering that now. Sophos has added it as well to the latest version, sure I saw some others.

                I could understand this decision if it wasn't for the written policy, which they spent quite a bit of money getting us to write, being so clear on the subject.
                BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                Cruachan's Blog

                • #9
                  Re: Where do you draw the line between keeping customers happy and maintaining security?

                  Originally posted by graycat:
                  It's a tough one but in my opinion not something for mere tech monkeys to be deciding. This is something that the "Powers That Be" need to decide, then tell the techies "it will be this" and the techies just make it happen. If the end user populace has a problem with it then they need to take it to the management type people to discuss.

                  I was in on a McAfee training class the other week and they had an interesting add-on for their ePolicy offering. Basically it will allow you to lock USB ports completely, ban storage devices only, encrypt any device that's plugged in, prevent certain files from being transferred or simply encrypt them when they are. Seems pretty handy to me.
                  Is this the ePolicy Orchestrator? Is it a free add-on, do you know? Sounds interesting.

                  • #10
                    Re: Where do you draw the line between keeping customers happy and maintaining security?

                    It's indeed the ePolicy Orchestrator.
                    Depending on the licensing it's free to use.
                    It also centralizes the AV settings, updates etc. Very powerful for McAfee products.
                    Check the download site (you need your Grant Number) to see if it's available for your use.
                    Marcel
                    Technical Consultant
                    Netherlands
                    http://www.phetios.com
                    http://blog.nessus.nl

                    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                    "No matter how secure, there is always the human factor."

                    "Enjoy life today, tomorrow may never come."
                    "If you're going through hell, keep going. ~Winston Churchill"

                    • #11
                      Re: Where do you draw the line between keeping customers happy and maintaining security?

                      @Virtual - pretty much as Dumber says.

                      We're quite lucky in that we have more than your standard basic licenses / add-ons so can start playing with other bits. Unfortunately we don't have that particular add-on at the moment but it is going on our list of "would like", though it is being trumped by the HIPS and a few other bits.

                      I just found out today we have the Rogue System Detection licence as part of something else, so that will be going on this week! I pity anyone who brings their home machines in after this!!

                      Whilst on an evil kick, do you think it'd be too evil to automatically encrypt anything made by Apple (i.e. iPods, iPhones etc.) that gets plugged in to work machines via USB?

                      [evil mode = on]
                      Bwahahahahahahahahahahahahahahahahahahaha!!!!
                      [evil mode = off]
                      This message represents the official view of the voices in my head

                      • #12
                        Re: Where do you draw the line between keeping customers happy and maintaining security?

                        Originally posted by graycat:
                        Whilst on an evil kick, do you think it'd be too evil to automatically encrypt anything made by Apple (i.e. iPods, iPhones etc.) that gets plugged in to work machines via USB?

                        [evil mode = on]
                        Bwahahahahahahahahahahahahahahahahahahaha!!!!
                        [evil mode = off]
                        It's certainly tempting. Whilst I have nothing against Apple kit except how overpriced it is, I can't be bothered with the attitude of some Apple fans who blindly insist everything made by Apple is great and everything made by Microsoft is rubbish.

                        I had a customer a while back who had major issues with a Windows Mobile and push email, which turned out to be due to his inability to follow basic instructions on installing a certificate on the phone. He called his boss to complain about the length of time we took to fix it and stated that none of this would have happened if he'd been given an iPhone like he asked.
                        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                        Cruachan's Blog

                        • #13
                          Re: Where do you draw the line between keeping customers happy and maintaining security?

                          Originally posted by cruachan:
                          It's certainly tempting. Whilst I have nothing against Apple kit except how overpriced it is, I can't be bothered with the attitude of some Apple fans who blindly insist everything made by Apple is great and everything made by Microsoft is rubbish.

                          I had a customer a while back who had major issues with a Windows Mobile and push email, which turned out to be due to his inability to follow basic instructions on installing a certificate on the phone. He called his boss to complain about the length of time we took to fix it and stated that none of this would have happened if he'd been given an iPhone like he asked.
                          I know exactly what you mean ..... and I'm an Apple user! Some people really do need to realise that an OS is just an application to do a job.

                          Mind you, the next person I find with iTunes on their work PC ......
                          This message represents the official view of the voices in my head

                          • #14
                            Re: Where do you draw the line between keeping customers happy and maintaining security?

                            Just make sure you have paperwork that covers your ass. If all of this extra work (due to them not listening to your expert IT opinion) gets you more money, then so be it.
                            ** Remember to give credit where credit is due and leave reputation points where appropriate **

                            • #15
                              Re: Where do you draw the line between keeping customers happy and maintaining security?

                              Apple have some nice stuff...
                              I still want an iPhone... but probably within a few months a new one will be released...
                              Marcel
                              Technical Consultant
                              Netherlands
                              http://www.phetios.com
                              http://blog.nessus.nl

                              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                              "No matter how secure, there is always the human factor."

                              "Enjoy life today, tomorrow may never come."
                              "If you're going through hell, keep going. ~Winston Churchill"
