Good Security is not really new…

Originally Posted on February 26, 2013:

Several weeks ago, my good friend and secretary of my Masonic lodge gave me a call with a problem. He needed to go to the bank and look through the lodge's safety deposit box for some tax-related paperwork. Although he had the key to the box, he was not on the authorized users list. As the secretary prior to him, I was still on the authorized list, so I met him at the bank and went through the process of giving him access. IDs were verified, signatures were collected, keys were checked, and access was granted.

As an Information Security professional, my mind immediately walked through the process from an IT perspective. My friend had a key, but he was not on the list. The bank's two-factor authentication solution worked. I arrived and got him access to the vault, but we had to be escorted through the vault door. The bank's perimeter security was sound. The bank attendant inserted her key, and then my friend followed with his. We experienced effective division of duties and access. We retrieved the box and were led to a secure room within the facility for private viewing. Our "data" had been checked out, but its privacy was maintained and properly contained. We finished our search and returned the box under escort, and then signed out. Our "data" was checked back in and access was logged.

These processes have existed at banks for centuries. Yes, I said centuries. Information Security has not invented anything truly new. We have become somewhat efficient at following best practices, practices established through trial and error and the human condition. I would also argue that we are still not as good as the bank, and I believe the "why" is fairly obvious.

My current CFO is very fond of using the phrase "People, Process, and Technology" to denote how we should approach projects and tasks at the office. It's a sound premise. I would argue that Information Security, even to this day, remains absorbed with the technology and easily loses sight of the people and the processes in the equation of good security. The banks take the other approach. Their locks work well and their vault doors are strong, but their focus is on the people and the process of securely accessing safety deposit boxes.

There is a lesson to be learned there. Go to a bank. Open a safety deposit box. Think about your firewalls and IPSs and DLP solutions, and ponder your processes and your users and where your gaps really exist. I will give you a hint: it's not time to buy a new appliance!
