New Banner 3

Services

Find out more about ProCheckUp's services including: Penetration Testing, PCI QSA and PCI DSS

More Detail

PCI DSS User Group

User Group is for merchants to come and share experiences with fellow professionals. We have regular presentations from the card schemes and acquiring banks.

Find out more & join...

Control Freaks

14 August 2014 by Jonathan Bush, ProCheckUp

I was walking through the park the other day and something caught my eye that wasn't a sunbathing student. It was in fact this lovely metal wheelie bin:

Control Freaks 1 Control Freaks 2


Kindly provided by Camden Council, for the disposal of your barbeque charcoals. I'd never seen one of these before, but I have certainly had barbeques in parks.

In a roundabout way this got me thinking about security controls. Certain things in life are inevitable; users will write down passwords, laptops and phones will get left in taxis and people in built up urban areas will seek out open space for barbequing. What mustn't be underestimated is the relentless drive of human desire. If a user of a park desires a barbeque, they will have one. They may not even think of the consequences because they are hungry and the weather is nice. If a user of your IT systems desires to work on a document at home, they will find a way to get it home; motivated by a tight deadline and the burning desire to get home before 9pm at least one night that week.A small amount of research tells me that this is in fact the first year you are allowed to barbeque in Camden's parks. I can't help but wonder over the internal debates at the council, which have led to this initiative even getting to the trial stage. In my head I imagine that there are strong objections from those who have to manage the parks and probably those charged with public safety. However, regardless of the official stance on park barbequing, I suspect that the more rebellious amongst us would dine alfresco regardless!

I'm struck by two opposing schools of thought here with regards to risk control, one more pessimistic than the other. Firstly, one could argue about the feasibility of enforcement for any given rule. Most security departments can't afford to send a chaperon with every employee to make sure that their company iPhone isn't accidently left on a train. And most users don't appreciate having someone breathing down their neck. I'm not sure a park warden for every park to enforce barbeque related policies is the most efficient use of public money either. This forces us to come up with new ways to manage problems; making it easy for the user to do the right thing.

On a more optimistic note, I'm reminded of the old idiom "security as an enabler". I occasionally use a saying which I think is a bit cheesy but seems to get reasonably good responses; what part of a car determines how fast it can go? The security centric answer is the brakes. If we accept that businesses and users are going to want and expect new ways of working, such as instant messaging on their phones or BYOD in the office, then we need to make sure the controls are in place to do this securely. Essentially, if the business wants to drive forward like a Ferrari then they need high quality brakes (some painted red callipers would look pretty smart too). The trouble with the "security is the brakes" saying is it makes security sound reactive and not proactive. Like all good analogies, it doesn't really stand up to scrutiny.

Regardless of if you're a pessimistic or optimistic security control designer, you still need to accept that the relentless march of the users is a powerful force to try and counter. What Camden Council have taught us, is that even though you might not agree with a user's decision making process, there are things you can do to ensure that those decisions are safer.

If you'd like to talk about the many different technical controls that can help a business drive forward then please get in contact. Alternatively, if you are planning a barbeque in a Camden Council park then please invite us!

Back To listing