Why you should say no to some new technologies
Hardware and software tools for securing new technologies can be easy to develop. But effective policy is what drives security.
Ask security professionals about new threats in the information technology security landscape today, and chances are they’ll talk about new tools, technologies, and paradigms such as cloud computing and social networking. Although it's true that those tools can bring security concerns into the enterprise along with their benefits, it is important to remember that they are often simply new vectors for delivering existing exploits.
Coming up with the technology to plug new holes opened in the security perimeter by such tools usually is pretty easy once the holes have been identified. But the security technology does little good if the new tools are not brought into the enterprise’s policy environment.
The best-secured tools remain vulnerable if appropriate security policies are not enforced. Sometimes, the appropriate policy is to say “no,” although that has to be said with the understanding that eventually the new tools will make their way into the enterprise and more realistic policies will need to be readied for them.
Related stories:
With social media, even innocuous comments can add up to a data breach
It’s time to burst the cloud’s hype bubble
Tools that were once new, such as e-mail, laptop PCs, handheld devices and wireless access, have a history of creeping into the enterprise first as toys and gadgets, then as conveniences and finally as essential productivity tools.
It seems quaint that only a few years ago, some organizations banned wireless networking or remote access. But until those tools could be secured and policies could be put in place to regulate their use, such bans made sense.
Agencies are now struggling with challenges posed by cloud computing, virtual machines and social networking. The efficiencies, economies and flexibility of those tools are compelling, but so are the security risks they can present. There is little doubt that engineers and developers will deal with these threats. Meanwhile, agency officials must be working to ensure that when those tools come into the enterprise, they are covered by existing policies and any new policies that are necessary and that they do not come into the enterprise until they are covered.
Saying no to a new tool does not make you a Luddite, so long as that decision is reversed when appropriate.
New paradigms such as cloud computing are in many ways easier to deal with than tools such as social networking. Moving computing resources to the cloud requires a decision by the enterprise to implement and should be done with planning. That should provide ample opportunity for agencies to develop the appropriate policies and ensure that those policies are pushed, along with resources, into the cloud when the time comes.
Using social networking sites and tools might be trickier. They have become common business tools so quickly that administrators are struggling to keep up with their adoption. As security concerns become more visible, the companies operating the sites are improving their policies and technologies to ensure security and privacy. However, appropriate policies for their use also will be required, no matter how secure the sites themselves become.
Until those policies are in place and can be enforced, administrators should not be shy about saying “no” to their use. They should then use the time gained to develop policies that will enable them to say, “Yes, but….”