Business strategy and business processes, and the paradox of strong security
The argument is often raised that password systems need to be very robust in order to offer any real security. So good password systems are rule-based systems that enforce strong and ideally very strong passwords – passwords that are very difficult for anyone not authorized for access to guess. According to this model:
• Strong passwords have to be of at least some minimum number of characters in length and that is usually a fairly significant length at that.
• They should contain both upper and lower case letters and be case sensitive.
• They should also include both numbers and special symbols.
• They should not include or be based directly on dictionary terms, names of family pets or of employees’ children, etc. that might be easy to guess through social engineering.
• They should be unique to each situation – not reused everywhere as the one password that is used as a universal access key.
• They should be changed frequently.
• Recently used passwords should not be reused, so you do not simply replace a password with itself, or rotate between two specific passwords.
• More than some small number of successive incorrect password entry attempts should trigger a lock-out that requires a secure reset to restore access.
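The rule set above, written out as a checker, as an added example that is not part of the original post. The specific thresholds (12-character minimum, 5 remembered passwords, 5 failed attempts before lock-out) and the tiny blocklist are assumptions chosen for illustration; a real deployment would compare against stored password hashes, not plaintext history.

```python
import string

MIN_LENGTH = 12            # assumed threshold
HISTORY_SIZE = 5           # assumed number of remembered passwords
MAX_FAILED_ATTEMPTS = 5    # assumed lock-out threshold
# Constructed stand-in for a real dictionary / common-name blocklist.
BLOCKLIST = {"password", "welcome", "fluffy", "letmein"}


def policy_violations(candidate, history=()):
    """Return the rules a candidate password breaks (empty list = it passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("needs a special symbol")
    # Dictionary rule: reject if a blocklisted word appears anywhere in the password.
    lowered = candidate.lower()
    if any(word in lowered for word in BLOCKLIST):
        problems.append("based on a dictionary word or common name")
    # Reuse rule: the last HISTORY_SIZE passwords may not be recycled.
    if candidate in tuple(history)[-HISTORY_SIZE:]:
        problems.append("matches a recently used password")
    return problems


class LockoutCounter:
    """Counts successive failed logins; locks after MAX_FAILED_ATTEMPTS."""

    def __init__(self):
        self.failed = 0
        self.locked = False

    def record(self, success):
        """Update state after one login attempt; return True if the account is locked."""
        if self.locked:
            return True            # stays locked until a secure reset
        if success:
            self.failed = 0        # a good login clears the streak
        else:
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED_ATTEMPTS
        return self.locked
```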
Add in all of these features and you have a password security system worthy of Fort Knox, right? So you end up with a situation where everyone on-staff has a lot of different passwords, each one very difficult to remember and with all of these difficult to remember password barriers to job performance changing all the time. And gardens of Post It notes spring up everywhere, stuck on every computer monitor and cubicle and office pin board listing everyone’s current passwords. And the strongest security becomes the weakest as “in principle” meets “in practice” in a head-on collision.
To follow up on this core example of security and its strengths and failings, I have seen a lot of situations where real world users prop trash cans and the like into server room doorways and other presumably secure resource areas. They do this because the password codes and biometric scanners and the like needed for secure, controlled access are so inconvenient, when real employees with legitimate access rights have to be able to get in carrying equipment, that they become unacceptable restrictions on actually performing required tasks.
I find myself coming back to that expression: “when ‘in principle’ meets ‘in practice’ in a head-on collision.” The basic issue here obviously applies to a lot of security contexts, but it applies to a much broader range of strategic and operational situations and decisions too.
Good operational practice has to be solidly grounded in well-crafted, and frequently updated strategic planning. That in turn requires ongoing feedback from ongoing practice, and its successes and failures. That means solid, consistent metrics and good communications between and within silos and other organizational divisions. Together, this all comes together as virtuous cycles of action and review and planning for continued action.
If the corporate password system just seems to generate new orders for pads of Post It notes, and by the crate load, there is something wrong. If this fact is observed only by Security or Quality Assurance personnel, and there considered only as if in a vacuum, there are even bigger, more fundamental problems to be dealt with.
So I am writing here about a pressing need for consistent and even strategically transparent processes. That calls for a matching transparency in the underlying planning and review that sets operational processes and determines best practices in them.
The security examples I cite above are far too common, and call for automated processes that can reduce or remove burdens placed on individual employees as they go about their professional tasks and responsibilities. The trick is in making these processes effective while making them as unobtrusive to legitimate access as possible. And this brings me to a basic requirement in general for creating a virtuous cycle of operational execution to review to strategy and planning and back to operational execution again. You need to really understand both what you need to accomplish and with what priorities, and also the potential friction points where planning and practice can collide. The idea here is to avoid finding that that crucially important server room has in practice been wide open all this time because its expensive security safeguards are too burdensome to actually use as intended. The trick and the goal is in identifying the security paradoxes and their counterparts throughout the organization and resolving the conflicts and contradictions inherent in them.