Living in downtown Toronto, I have the pleasure of avoiding streetcars as they whizz from one place to another. For something that stays on tracks, I frequently find myself crossing a road to find one of the "rockets" bearing down on me and having to leap out of the way.
A couple of months ago, I came out of my condo only to watch a Hummer attempting to make a u-turn across some streetcar tracks. What the driver didnt see, was the 36 tonne (yes.... i looked it up - see here - .. thats how much these things weigh) streetcar merrily trundling towards it. Of course, the inevitable happened.. streetcar and hummer collided..metal crunched.. tempers flared. Everyone was ok, and to my amazement the hummer faired a lot better then the streetcar.
This got me thinking recently about how we work with our people. How, as security professionals, we look to enforce security on the masses. I kinda like the analogy that was forming, so thought I`d jot down my thinking, and some conclusions.
Thinking about what happened above, lets line up the factors involved with a corporate environment:
1. City = Business Environment
2. Road = Policy
3. Streetcar & Vehicle = End point devices (desktops, laptops, etc.. etc..)
4. Tramlines = Security guidelines
5. Users = Commuters
We, as security people, would like to see all of our users (commuters) using end point devices (streetcars) and being taken from one place to another using pre-defined routes under the control of one centralized system. We`d have the controls in place that keep the users in line; we`d let them know that when they use their pc`s what the risks are (security awareness education), how best to behave for their own safety and that of their fellow users. Most users would be happy to do this since why would they bother going through the trouble of doing things themselves (like driving), when they can be transported on their business journey and protected care of the city (infrastructure). All they have to do is follow some basic rules and they'll get what where they're going in a relatively safety. The only downside for them is that they are at the mercy of the city as to what they'll see along the way, and when they're going to get to where they'e going.
Simple, safe, and relatively cost effective. The city itself keeps things flowing, and the commuters are happy unless something breaks and they have to walk!
Onto our hummer driving friend. He (we'll assume he is a "he", since I don't know many woman that drive hummers) He is part of the city, he's going to use the road to get where he's going and, for most part, is going to take the same route as his fellow users. The key difference here is that he's not going to be constricted by the tramlines. He'll be able to stop anywhere he likes, and sometimes head off road and take a look around at his leisure. He'll not have to abide by the same restrictions that apply since he really doesnt have to stick to the tramlines or the direction in which they go.
A user like this in an actual business environment is what we typically categorize as a rogue user. These are the ladies and gentleman that can cause us, the businesses, and their fellow users the biggest headaches. They have the knowledge to navigate the infrastructure without having to follow the same line as everyone else, and can be horribly disruptive when not paying attention to exactly what they're doing.
So, what's the moral of this quickly constructed caffeine fueled bit of thinking?... Keeping users on a constrained and defined path is still the best where to protect your information assets, but when designing and building an infrastructure, make sure you do so expecting that there will be the odd user that knows how to swing off the rails and try to do their own thing.
0 comments:
Post a Comment