August 5, 2007

Balancing Security and Usability: Introduction

Computer security is a balancing act. Too little security and you are at risk of lost or stolen data, data that gets mistakenly altered or just read by people who shouldn't be reading it. Too much security and people who really do need the information can't get to it, or getting to the data is just so hard, it's not worth having. These lines are not drawn clearly, and a good SysAdmin must be able to work with those who use the data and with the management of the company to find where these lines should be.

Over the next few weeks I hope to address some of the challenges new System Administrators face when trying to establish a good security policy for their organization. I also hope to provide a little insight on these challenges for those who are not in the IT profession, or not in that part of the profession. The way I see it, the more me know about each others jobs, the more understanding we can be when their are problems. So I hope you enjoy, and feel free to leave comments with your thoughts or recommendations.

Before we get started, there are a couple things. you need to realize when dealing with security, otherwise you will drive yourself crazy.

  1. There is no such thing as 100% secure. If someone wants something bad enough, they can get it.

  2. Your goal is not to make things impossible for unauthorized users to get to, its to make getting to it more work than it's worth.

  3. Security is best used in layers. The reasons for this are because:

  • There is always a way around an obstacle, having several in front of you makes it both much harder and much more discouraging to attempt.

  • It will give you, the administrator, more time to find out what is happening, and hopefully notify you of a problem before there is a total breach.

  • It leaves a better trail to follow. It is much harder to cover your tracks when you have to take a dozen routes to get to a location.

When trying to determine the security needs of your organization several things must be considered. Some of them are:

  • Who will need to access the data?

  • Where will they need to access it from? (Just the office? should users be allowed to work from home?)

  • How important is the data? (Can your business function if it is lost?)

  • What are the repercussions if the data is seen by the wrong people? (If a competitor gets it, will it cost you lots of money? if the wrong staff see it, will it cause a drop in performance or moral?)

These types of questions need to be answered before you can implement any real security. For instance, if the data you are working with can cause the downfall of your company if it got into the wrong hands, you probably don't want to make it too easily available from outside your office (or inside for that matter), but if the data is something like a general telephone listing for your company, you may want to make that easily obtainable.

Once you determine the level of security you need, you can look at the kind of security you want to use. There are several ways to protect data, and chances are, you will be using more than one. In the next installment of this series, we will discuss the effective use of password.


Bookmark this post:
StumpleUpon DiggIt! Del.icio.us Yahoo Technorati Reddit Google