In todays wired world companies face a thorny issue, how do you fire the guy that has the keys to the computer castle? It is a tricky problem, you hired him to protect you, but now you want rid of him.

Just how dire the situation can become was well illustrated by Terry Childs in 2008 when he managed to bring the city of San Francisco’s computer network to its knees.

Computer security has long been an issue. Who should have the keys? As company reliance on computers has increased, so has the need for ever tighter control of security. It is a problem even for home users. The other day I managed to lock myself out of one of my computers. I was irked, but only mildly. I don’t keep ‘stuff’ local, I am a cloud kinda guy, I just reloaded the Operating System and I was good to go.

But passwords abound. I need one to access BNN, I need one to access my router, I need one to access my Email, one to access my bank, in fact I am swamped in the damn things. I have a site that I use as a sand box, and depending on what I am trying to do there are four different passwords involved, front end. Back end, Database, ISP Account. It all gets old.

For a company the problems are even larger. Personally I am not a fan of the ‘all your eggs in one basket’ approach. Having a security department sounds good on paper, but boy it can create havoc. In the mid 1980’s I was working on a project that involved distributed computers. I was the computer geek for the distributed computers. One day the company decided to revamp the computer security. It was deemed that I did not need ‘ultimate’ access. A couple of weeks later my pager went off at 3am, a major meltdown had occurred on one of the systems. Production from the plant had stopped. Just from the description given to me by the ‘help desk’ I knew what the issue was. However, I also knew that to fix the problem I would need access.

I explained to the person on the phone that they were talking to the wrong person. If this problem needed fixing they should call the damn security folks. After all they were the keepers of the keys. I hung up the phone and went back to sleep.

Needless to say there was a welcoming committee for me when I walked through the doors the next morning. I explained that I understood the problem, but knew that I could not fix it because of security access. So there was no point in me getting out of bed, driving to work, and fighting with the issue, when I knew it could not be fixed. Needless to say, the security folks never messed with me again.

But there is a bigger story. I question is why a company wants to put all of their eggs in one basket? It makes no sense. If you keep things compartmentalized, a breach only effects one small area. One only has to look at Al Qaeda to see this. I never thought that I would ever use them as a role model, but they have done amazingly well by decentralizing information.

Alas most companies operate in a different way. Centralization is key. Knowledge is power, and power is control. It was with great humor that I read the following press release from Pivotpoint Security. Rather than waste my bandwidth, you can enjoy the release here.

Being someone that always enjoys a good joke I downloaded the ‘free report’. I have to admit that I was somewhat surprised that I had to jump through a couple of hoops, such as giving my name and email address, but I played along. The report is in fact in plain view, you just have to know the link (oops). You can read it here.

If these people had half the brains they were born with, life would be fine. But two pages of technical garbage does not help anyone. The reason that you hired the ‘nerd’ in the first place was so you didn’t have to deal with nerding. Quite what Pivotpoint is trying to achieve here is beyond me. The average company will never understand nerding, and why would they? Most nerding issues that I have encountered are spawned from the loins of satan (AKA the accounting department). The money guys love to control the computer geeks. But what works well in accounts receivable and payable does not translate well to geekdom.

Security should always be decentralized.

Simon Barrett

 

   

 

 

 

Be Sociable, Share!