Maybe I’ve been watching too much college football. (I like college ball because, frankly, watching these guys capitalize on each other’s silly errors makes it non-stop interesting, and makes me feel better about my periodic screw-ups). Somewhere in all this watching I think I might even have discovered how the essence of college football reflects the essential strategy for modern IT security.
Let me explain: As I’ve seen team after team line up in dynamic and different defensive spreads for dynamic and different field situations, I keep thinking “This is the way IT security configurations should work.”
In football, defensive configurations:
- Are never one-size-fits-all propositions: The defensive lineup is heavily dependent on context. Is this a passing down? A running down? A hail-Mary down with 12 seconds on the clock?
- Come down to details: There are general rules of thumb, and there are situation-specific actions. It’s generally bad to let the receiver get between you and the quarterback. But it’s especially bad to let a dangerous open field runner slip inside for a clear catch.
- Require instant flexibility: From one down to the next you may need to go from a 6-1 run defense to a long-yardage “prevent” defense to a standard 3-4 set, and do it quickly.
- Empower the offense: Confidence in a team’s ability to stop opponents allows the offense to take risks that ultimately win games… like long field goal attempts on 4th down.
IT security configurations, by comparison:
- Are never one-size-fits-all propositions: Security settings that manage ports, connection options, and services need to be continually balanced against the needs of the business, and rely on business context to be effective (what I allow as a configuration for a web server is not what I will allow for a server containing PII or credit card data).
- Come down to details: The more prescriptive an IT security policy is, the more effective it is. “Require strong passwords” is not nearly as actionable, testable and repeatable as “Passwords must be 11 characters plus one numeric or special character.”
- Require instant flexibility: Business systems change with maddening frequency. Despite our desire for constancy, assets go from higher to lower risk, threat levels vacillate between low and high, and what was acceptable yesterday cannot be assumed to be acceptable today (this in turn requires high levels of automation, covered in a future post).
- Empower the offense: Confidence in the robustness and flexibility of the organization’s IT configurations allows it to answer the “is it safe?” question with reasonable assurance and still take calculated business risks about which systems to deploy and how to safeguard confidential information (without locking it down to the point of uselessness).
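To make the "context-dependent and testable" point concrete, here is an added example (not code from the post or from Tripwire) that encodes two hypothetical baselines, one for a web server and one for a PII server, plus the post's prescriptive password rule, and evaluates a host against the baseline for its asset class. The port and service allowlists and the sample hosts are constructed for illustration; the password rule is read as "at least 11 characters in total, at least one of them numeric or special".

```python
import re
from dataclasses import dataclass

# Hypothetical baselines (assumed, not from the post): the same setting can be
# acceptable for a web server and unacceptable for a server holding PII.
BASELINES = {
    "web": {"allowed_ports": {22, 80, 443}, "allowed_services": {"sshd", "nginx"}},
    "pii": {"allowed_ports": {22, 5432}, "allowed_services": {"sshd", "postgres"}},
}

# The post's prescriptive rule: 11 characters plus one numeric or special
# character. Any non-letter counts as "numeric or special".
PASSWORD_MIN_LEN = 11
NON_LETTER = re.compile(r"[^A-Za-z]")


def password_meets_policy(pw: str) -> bool:
    """Testable form of the rule: length and at least one non-letter."""
    return len(pw) >= PASSWORD_MIN_LEN and NON_LETTER.search(pw) is not None


@dataclass
class HostConfig:
    name: str
    asset_class: str          # "web" or "pii": the business context
    open_ports: set
    running_services: set
    weakest_password: str     # constructed sample value, for illustration only


def evaluate(host: HostConfig) -> list:
    """Return findings against the host's own baseline; empty list means compliant."""
    baseline = BASELINES[host.asset_class]
    findings = []
    for port in sorted(host.open_ports - baseline["allowed_ports"]):
        findings.append(f"{host.name}: port {port} open, not allowed for {host.asset_class}")
    for svc in sorted(host.running_services - baseline["allowed_services"]):
        findings.append(f"{host.name}: service {svc} running, not allowed for {host.asset_class}")
    if not password_meets_policy(host.weakest_password):
        findings.append(f"{host.name}: password policy not met")
    return findings


# Constructed sample hosts: an identical configuration passes as a web server
# and fails as a PII server, which is the context dependence described above.
WEB_HOST = HostConfig("www1", "web", {22, 80, 443}, {"sshd", "nginx"}, "Correct-Horse-9")
PII_HOST = HostConfig("db1", "pii", {22, 80, 443}, {"sshd", "nginx"}, "Correct-Horse-9")

if __name__ == "__main__":
    for host in (WEB_HOST, PII_HOST):
        print(host.name, evaluate(host) or "compliant")
```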
I don’t want to stretch the metaphor too much, but it’s the defense that wins games. If you can harden your IT security configurations continuously, flexibly, and in a way that dynamically reflects the needs of the business, you can spend more time worrying about how to succeed… and less time worrying about getting pwned.
Here’s some food for thought:
- Securosis post on secure configurations: http://securosis.com/blog/esf-controls-secure-configurations/ These guys are the real deal and irritatingly straight shooters to boot.
- Another football metaphor in “SCM: The Blocking and Tackling of IT Security.” A whitepaper from CSO. http://www.tripwire.com/register/scm-the-blocking-and-tackling-of-it-security.
- “Security Configuration Management: The Keys to The Digital Kingdom.” A webcast featuring Diana Kelly, IANS faculty member. http://www.tripwire.com/register/security-configuration-management-the-keys-to-the-digital-kingdom.