Tuesday, August 22, 2017

CASE STUDY: Security in Theory versus Security in Practice

Yesterday evening, as I approached my vehicle after a long (Mon)day with dry cleaning in one hand and my laptop bag in the other, I realized that my rear, driver-side tire was as flat as a pancake / crêpe. Fun times, especially since I parked on an incline!
After jacking up that side of the vehicle and wrestling with the lug nuts, I was introduced to what I now know (thank you, Google) is a security lock nut. Yes, I am mechanically challenged!
After being unable to find anything in my vehicle that resembled a tool capable of removing said physical security safeguard, I called the dealership. Well, said nut (and the ability to remove it) is like a laser key, which is customized to each particular vehicle! Thankfully, a repair shop was across the street.
Research and interviews (e.g., my Lyft driver that evening, blogs) have shown that many drivers have lost or never received the tool(s) to remove a security lock nut, and therefore multiple individuals (such as myself) now ask: why? The answer is that this nut is a physical safeguard to negate stolen tires / rims / wheels. However, flat tires happen and people lose stuff.
So, learn from my experience. Before introducing the next great physical / logical / digital safeguard, think practically and verify whether or not that control is useful in practice / the field. Be pragmatic and kick the proverbial tires!

Thursday, August 17, 2017

Orchestration is Great, But is it Secure?

DevOps / DevSecOps are all the current rage, and that is great, but how secure is your environment?

Chef, Puppet, and others offer automation and orchestration, but have those environments been secured from an IAM, TVM, and architectural perspective? While these solutions offer security add-ons, a secure design that incorporates the right controls from the get-go will help dramatically.

Saturday, August 12, 2017

Process Governance & InfoSec / AppSec

Many shops spend an enormous amount of money on security solutions, external consultants, etc. only to have all that spend negated by poor processes.

It is the year 2017 and we continue to see orgs lacking the most basic processes (e.g., CAB, PMO / SDLC / DevOps, SCM). All of the resources in the world will not provide an adequate level of protection when the underlying processes are poor.

Tuesday, August 8, 2017

Enough Policy Exceptions Already

So many organizations struggle with policy exceptions. While exceptions are a reality, the prevalence of them leads one to believe that risk management is not quite working.

While organizations try to pivot from risk to compliance focal points to enforce adherence to security / privacy best practices, the reality is that most entities are not agile, and they also lack the resources to migrate from legacy workflows to secure processes and systems.

While the cloud and ITO / BPO of the past have promised more agility, many orgs leverage traditional internal models due to cost constraints.

GRC, risk management, and IT audit professionals have a legitimate argument for focusing on policies, standards, and guidelines; however, for orgs to become and remain secure these days, an offensive, proactive model is more of a necessity.