Nov 04 2003

Why am I doing this again?

Published by Martin at 7:31 am under General

As a security professional, one of the things I have to remind myself of occasionally is why I do this. It is so easy to get caught up in creating security for the sake of being secure, but that is not really what we’re here for. I’m here to make sure that my company can continue to do business, despite the fact that there are people out there who want to interfere with that business. I’m not here to make the network so secure that even the users can’t use it.

I had that illustrated to me last week; a portion of the user base wants to install an FTP server to enable file transfer with other businesses. I started listing off ways to secure the connection, the sort of non-disclosure agreements that should be in place, the possibility of using SCP, and about a dozen other ways of securing the connection. When I brought this up to my team lead, he pointed out that these were good suggestions, but that the users wouldn’t be able to actually use the system if they were all put in place. That’s when the light went on.

Security is great, and should be part of the business decision-making process, but it is not the be-all and end-all. A number of security professionals have pointed out that we can make a perfectly secure computer; unplug it and put it in a closet somewhere. There has to be a fine balance between securing the systems and making them usable. But the users have to be able to do their job. After all, their work pays my check.
