November 12, 2014 at 8:14 pm
Comments posted to this topic are about the item It's Not Just Poor Coding
November 13, 2014 at 7:58 am
An interesting SharePoint feature would be the option to restrict user's access to MS Office documents in such a way that they could view / edit / save them, but not download (save as), email, print, or otherwise copy them to another location outside SharePoint. Maybe that already exists, but I'm not sure.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
November 13, 2014 at 8:34 am
Eric M Russell (11/13/2014)
An interesting SharePoint feature would be the option to restrict user's access to MS Office documents in such a way that they could view / edit / save them, but not download (save as), email, print, or otherwise copy them to another location outside SharePoint. Maybe that already exists, but I'm not sure.
Unless you are viewing them in the browser in a proprietary format then someone will just write a viewer that will save it locally for reading offline (a useful feature) then someone will take it another step further to save files just like the "Save As" feature.
This is just how people download mp3s from YouTube.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
November 13, 2014 at 8:38 am
As always, the #1 problem is human beings. Most other problems can be traced to this, and the bulk of them are combinations of corporate culture, explicit vs. implicit policies, incentives, education, caring, ownership, "generous interpretation", and so on. After that comes resources.
Most corporate cultures I've seen value speed or accuracy of results first, and those two over everything else; many of the rest value lowest cost over everything. In very few cases is security valued highly.
In many cases where the explicit policy says security is valued highly, the actual corporate culture and the actual actions taken do not correspond. The official policy (which no-one read, despite signing the "I read and understood that 273 page book [which you didn't give me any time to read, just said sign this by Friday]" statement) says blah blah secure blah; the actual work is done as quickly as possible and passed on to the next person with barely a thought for any but the most blindingly obvious, blatant, and unambiguous regulatory or legal security requirement (internal corporate requirements count even less except when they overlap these).
I've never actually seen incentives to be secure in a bonus or other incentive plan. The most I've ever seen is "the last time someone did X, they got walked out immediately upon discovery", and that was in a regulated industry. I have seen incentives to get things done on/ahead of time, to do more work than is possible to do well in the normal workday (resulting in either poor work, or working outside of the normal workday, which often involves - you guessed it - emailing files to public webmail and back), to be more productive, to get better customer service ratings, etc.
Note: Most customers don't care about security either, they just want something done yesterday with zero effort on their part. Most vendors are the same. Some government entities are an exception, and other government entities are the worst offenders I've ever seen.
Some companies try to educate employees, but it's a complex topic when taken farther, and they rarely push the "I know this is how we used to do things, but STOP!" message; again, explicit policies vs. actual implicit policies in the culture. Culture change is hard.
Few people care about security - SOX in the U.S. had a serious effect, in my opinion, solely because of the personal penalties for high ranking executives. Few other regulations in the U.S. have those kind of teeth, and that doesn't help. Worse, if company A puts in a good security setup and their people use it, and they enforce it, and company B does not, the company B almost certainly has lower costs AND higher customer satisfaction - they can charge less, respond faster, and their customers/vendors have less work to do, since it's "Here's the document", not "Let's work out how we're going to encrypt and decrypt the document. No, 'password' won't work. No, 'MyCompany" won't work as a password, either. We're trying to protect your data! Yes, I know you want it now and you don't care."
Ownership is also a huge issue - most people tend towards the "not my problem; that must be someone else's problem" attitude regarding security, especially without a good education program.
"Generous interpretation" is something I see all the time; only compounded by "reasonable" being translated as "what other companies do". It's often done by IT people, actually, and plays into all of the above points as well, plus laziness/unwillingness to understand security.
Example: "Well, if we do _this_, then we don't have to do that!" "It says you need them both." "But if we do _this_, obviously we don't have the requirement for that!" "That's not what the rules say." "Everyone does it like this!"
And perhaps most important of all, management doesn't tend to supply the resources to do security properly They explicitly say they want secure practices in lawyer-approved verbiage, but they don't also account for many jobs taking longer than they used to, they don't budget for additional training and equipment and incentives, they don't try to change the culture, and they don't account for all the other increased costs.
Regarding file transfers in specific, of late I've grown extremely fond of my Apricorn Aegis USB drive with the keypad; I can reset the PIN (which erases the prior encryption key), set a new PIN, put files on it, transfer them to an untrusted computer, and then immediately reset the PIN and wipe the drive again while the USB drive is not connected to anything at all. This is slightly more convenient than burning CD-R's and shredding them every time :).
November 13, 2014 at 8:42 am
Eric M Russell (11/13/2014)
An interesting SharePoint feature would be the option to restrict user's access to MS Office documents in such a way that they could view / edit / save them, but not download (save as), email, print, or otherwise copy them to another location outside SharePoint. Maybe that already exists, but I'm not sure.
We create a lock, they create a way to unlock it. Back and forth.
November 13, 2014 at 8:59 am
Gary Varga (11/13/2014)
Eric M Russell (11/13/2014)
An interesting SharePoint feature would be the option to restrict user's access to MS Office documents in such a way that they could view / edit / save them, but not download (save as), email, print, or otherwise copy them to another location outside SharePoint. Maybe that already exists, but I'm not sure.Unless you are viewing them in the browser in a proprietary format then someone will just write a viewer that will save it locally for reading offline (a useful feature) then someone will take it another step further to save files just like the "Save As" feature.
This is just how people download mp3s from YouTube.
You're right that anyone can find a way to copy digital content, even copyrighted material like eBooks or streaming videos, if they choose to access it using alternate means or hack around it. However, disabling the "save as" and "print" features for documents in SharePoint would mitigate (if not prevent entirely) the routine sharing of documents outside SharePoint. The network security team will also need to keep an eye on what documents are stored locally, emailed, or uploaded through the web.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
November 13, 2014 at 9:05 am
Iwas Bornready (11/13/2014)
Eric M Russell (11/13/2014)
An interesting SharePoint feature would be the option to restrict user's access to MS Office documents in such a way that they could view / edit / save them, but not download (save as), email, print, or otherwise copy them to another location outside SharePoint. Maybe that already exists, but I'm not sure.We create a lock, they create a way to unlock it. Back and forth.
Yes a lock on a document, just a lock on a file cabinette, can be broken, but employees who break locks also draw the attention to themselves and can be diciplined.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
November 13, 2014 at 9:27 am
Eric M Russell (11/13/2014)
...You're right that anyone can find a way to copy digital content, even copyrighted material like eBooks or streaming videos, if they choose to access it using alternate means or hack around it. However, disabling the "save as" and "print" features for documents in SharePoint would mitigate (if not prevent entirely) the routine sharing of documents outside SharePoint. The network security team will also need to keep an eye on what documents are stored locally, emailed, or uploaded through the web.
Importantly, it turns it into a deliberate act. There is no excuse for circumventing security. Sometimes security is best when all it means is that you totally remove the possibility of using a "by accident" defense.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
November 13, 2014 at 11:13 am
Any approach to addressing security that doesn't take into account human nature is bound to fail. I have seen too many security-minded people fall back onto "well they shouldn't do X" as a means to absolve themselves of human-based security loopholes.
In my mind, there are two high-level approaches to security, neither of which wholly addresses the situation (although people seem to gravitate to one or the other):
Restrict
This is an older mindset and one deeply ingrained in most security type people. And it's highly attractive from a conceptual basis - nip everything in the bud. But systems that are truly closed end-to-end (i.e., network and the people using it) don't really exist any more except in rare circumstances. These days, there is almost always a way around a barrier unless IT employs draconian, business-crippling lockdown tactics.
"Trust but Verify"
Lately, more of the "trust but verify" paradigm has gained traction, which does a much better job at dealing with our internet everywhere world. It acknowledges that people are going to circumvent and so can be prepared for addressing the circumventers through preventive training and/or corrective action. Even so, this is largely a retroactive strategy.
I would like to see more security people (or at least strategies) acknowledge that both exist and both should be used, instead of living in one of two fantasy worlds where either (a) we have the ability to restrict everything as needed or (b) people can be trusted.
November 13, 2014 at 11:48 am
Security is expensive. More so in time than actual monetary costs. My company is pretty well locked down (Healthcare data)...even the usb and cd drives on all of the computers have been disabled. The cost is that if I want to add someone to an email notification it takes a week at minimum. Procedure change? Two weeks if you're lucky. There are so many restrictions, checks, and balances that it's impossible to perform one simple task with fewer than 5 individuals getting involved.
Aigle de Guerre!
November 13, 2014 at 11:52 am
Meow Now (11/13/2014)
Security is expensive. More so in time than actual monetary costs. My company is pretty well locked down (Healthcare data)...even the usb and cd drives on all of the computers have been disabled. The cost is that if I want to add someone to an email notification it takes a week at minimum. Procedure change? Two weeks if you're lucky. There are so many restrictions, checks, and balances that it's impossible to perform one simple task with fewer than 5 individuals getting involved.
It's time, but without habits and acceptance (attitude), it's also stressful and a hassle.
November 14, 2014 at 10:14 am
Nadrek (11/13/2014)In many cases where the explicit policy says security is valued highly, the actual corporate culture and the actual actions taken do not correspond.
At my first job out of college they gave me a picture ID badge and showed me how to enter the building through the employee's entrance which had a 24-hour guard-station. A guard sat behind bulletproof glass, one would press a button to signal him then hold one's ID badge up to the window so that he could verify one's identity. That done he would "buzz" one through (i.e. press the button to unlock the door). If one was carrying a briefcase, purse, etc., it would be searched and, finally, one could enter the office. If you left home and forgot your ID you were pretty much screwed and would have to drive home and retrieve it guaranteeing a late-arrival which could be a problem if one had a meeting scheduled, etc. On the other hand, the front door just had a friendly receptionist who paid no attention whatsoever to employees entering and exiting -- she was only concerned with visitors. On more than one occasion, I saw management and lower level employees alike entering by the front door because they'd forgotten their badge and didn't want to have to go home to retrieve it. It was pretty hard to view security as anything more than window dressing in such an environment.
- Les
November 14, 2014 at 2:21 pm
Steve Jones - SSC Editor (11/13/2014)
Meow Now (11/13/2014)
Security is expensive. More so in time than actual monetary costs. My company is pretty well locked down (Healthcare data)...even the usb and cd drives on all of the computers have been disabled. The cost is that if I want to add someone to an email notification it takes a week at minimum. Procedure change? Two weeks if you're lucky. There are so many restrictions, checks, and balances that it's impossible to perform one simple task with fewer than 5 individuals getting involved.It's time, but without habits and acceptance (attitude), it's also stressful and a hassle.
More often than not - it's doubly so, because the organizations don't bother to keep track of what kind of data they really have, and what level of security is appropriate for each type. Even in an organization with high security requirements, there's NO value in securing meeting confirmation e-mails at the same level as an individual's medical record. The problem is when you don't know what you have and don't have a good way to tell them apart, EVERYTHING gets treated as if it could unlock the secrets of the universe, and no one can get anything done (regardless of your intentions).
While it's certainly not okay to bypass security protocols, organizations would be well advised to make smarter rules. Security doesn't have to be so ludicrously expensive if you only lock down only those things that are worth securing.
And yes - it IS in fact possible to implement.
----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
November 14, 2014 at 2:46 pm
lnoland (11/14/2014)
Nadrek (11/13/2014)In many cases where the explicit policy says security is valued highly, the actual corporate culture and the actual actions taken do not correspond.
At my first job out of college they gave me a picture ID badge and showed me how to enter the building through the employee's entrance which had a 24-hour guard-station. A guard sat behind bulletproof glass, one would press a button to signal him then hold one's ID badge up to the window so that he could verify one's identity. That done he would "buzz" one through (i.e. press the button to unlock the door). If one was carrying a briefcase, purse, etc., it would be searched and, finally, one could enter the office. If you left home and forgot your ID you were pretty much screwed and would have to drive home and retrieve it guaranteeing a late-arrival which could be a problem if one had a meeting scheduled, etc. On the other hand, the front door just had a friendly receptionist who paid no attention whatsoever to employees entering and exiting -- she was only concerned with visitors. On more than one occasion, I saw management and lower level employees alike entering by the front door because they'd forgotten their badge and didn't want to have to go home to retrieve it. It was pretty hard to view security as anything more than window dressing in such an environment.
- Les
That friendly receptionist probably knew everyone in the building by face and name, including your birthday and your wife's name. But don't let that type fool you, she may pretend not to notice you walking in, but she can peer directly into your soul and has an AR-15 within easy reach behind the desk.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
November 15, 2014 at 7:45 am
Steve Jones - SSC Editor (11/13/2014)
Meow Now (11/13/2014)
Security is expensive. More so in time than actual monetary costs. My company is pretty well locked down (Healthcare data)...even the usb and cd drives on all of the computers have been disabled. The cost is that if I want to add someone to an email notification it takes a week at minimum. Procedure change? Two weeks if you're lucky. There are so many restrictions, checks, and balances that it's impossible to perform one simple task with fewer than 5 individuals getting involved.It's time, but without habits and acceptance (attitude), it's also stressful and a hassle.
And that's one of the reasons things take so long in IT. Clients (internal and external) look at tasks as being so simple, but they don't understand the many different things that have to be taken into consideration. They just know that they don't like to wait for anything. In fact, the question "Why doesn't the system do this already?" is a question I've heard more than once, and it always makes me smile.
If security is not involved and top-of-mind throughout the whole process from start to finish, you're not doing it right. I honestly believe that the many different requirements we face are and the responsibility for the data we're entrusted with are some of the reasons that IT jobs pay what they do.
Viewing 15 posts - 1 through 15 (of 21 total)
You must be logged in to reply to this topic. Login to reply