This article is also available as a podcast on iTunes under "The Root Cause."
As a consultant, I have had the opportunity to work in many different IT environments, in most cases for very large multinational corporations. One of the many areas where I have seen a wide variance in efficiency, or perhaps the better word is efficacy, is security. Since security is not the primary focus of this podcast/article series, we will focus on only a single, very common problem. I call it "Plastic Lock Security."
Plastic Lock Security is a security policy that will ONLY keep out those who obey the rules. It is not real security, but it is all too often considered to be. Imagine a door lock made of brittle plastic. It would not stop even a child from opening the door, but it makes it very clear that the door is supposed to be kept closed. It is the equivalent of a "Do Not Enter" sign on an unlocked door. Good guys will not enter. Bad guys won't really care much about the sign. At best, it might fool them into not trying. However, it might have the same effect that "Confidential" has on a document, which is to make you want to read (open) it even more! If you obey such guides, it is effective. If you do not, it is humorous. This is the condition of many common security policies. Security by cooperation only provides security against those who cooperate (i.e., Plastic Lock Security).
The dark side of the Plastic Lock Security Force is that it leads to a lack of cooperation when the rules interfere with business requirements, as happens far too often in this field. This leads to a corporate culture that accepts rule breaking as the price of doing business, which is not a good environment for network or application security. For example, I know of a company (they no longer have this problem) that had a policy prohibiting email to any outside source from anything other than their own email system. They provided consultants with an email account and felt that this account should be used for all communication. That is their right. However, consultants often have to maintain confidential communication with their employers or other clients. Various consultants brought up this point, but were told, "That is our policy." You can see how this could apply to many other situations as well.
What did this rule actually accomplish? It prevented professionals from communicating in confidence for legitimate business reasons. In other words, the communications that the client had no reason to fear were the ones that were stopped. However, anyone with a strong enough motive to communicate privately could easily bypass this policy by using HTTPS to an email server that accepts HTTPS. So, what actual security was provided? None. It was a "Plastic Lock." It provided a sense of security without providing any actual security from bad guys. A placebo.
This is just one of countless examples I have seen. Picture a similar situation with no unmonitored email access, but where USB thumb drives are allowed. What's the point?
The primary point is this: if you want to make a policy that is SECURITY based, it must be enforceable and fully enforced. If the policy is merely meant to INHIBIT, then it isn't really intended for security purposes and doesn't help; it causes harm.
The secondary point is this: Plastic Lock Security causes INSECURITY by:
- Only stopping legitimate users, while doing nothing to stop those who present a true threat.
- Pressuring legitimate users themselves to break the plastic lock in order to get their legitimate business done, and thereby corrupting the corporate culture.