Moving on from the example scenario given in part 2, this instalment looks at developing the streamlining and consolidation mindset that will contribute towards improving security. To recap some of the conclusions from the previous two parts:
- The greater the diversity of software, the greater the surface area that can be attacked; this applies to both internal and external attacks. Reducing the number of systems contributes to improving security.
- Reducing the number of systems has a much wider impact than security alone. It also contributes to reduced costs across the board: when a system is eliminated, all of its associated back-office costs are eliminated with it.
- Reducing IT costs through streamlining releases funds which can be used for other security-related projects that might otherwise not be economically viable.
How many people does it take to change a light bulb? Light bulb jokes have been told to death over the years, but the joke illustrates the streamlining point of view well. If an entire building has exactly the same type of light bulb in every room, the replacement bulbs will all be the same, and the storage cupboard might need a minimum stock level of only 20 to cover a building with 5000 operational light fittings. I will leave it to your imagination what happens next door in the office with 50 different types of light bulb. In a nutshell, standard is good, diversity is bad. The more exceptions that are added, the greater the complexity. In this simplistic example, the cost of complexity is how long it takes to change a light bulb; in an IT estate it is every patch, upgrade, configuration review and incident investigation that has to be repeated for each variant.
Here are some thoughts to consider:
- Before committing to the expense of a new system, understand what infrastructure, operating system and database system will be required for the system to function, and make sure those requirements are aligned with the business IT environment. This may sound obvious, but the vendor's sales representatives might not be aware of the technical requirements and, if they are, might not consider them an important part of their pitch. Equally, the buying decision-maker might not know what questions to ask about the operating environment and may assume that whatever they buy can be implemented by the technical teams.
- Lock down desktop permissions so that users are unable to install software themselves. This should also include most of the IT department. Allowing users to install software has much wider implications than just the proliferation of software within the workplace: it has the potential to introduce a wide range of security risks and malware to the business. Even without considering the streamlining of software, this action should be taken.
- Implement a centralised approach to purchasing software. If software purchasing and decision-making are distributed across the business, it is inevitable that the diversity of software will increase.
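The three points above only work if you can see the diversity you are trying to reduce. The following is an added example, not code from the original article, showing the kind of check a consolidation review starts from: it reads a software inventory export (a constructed sample is embedded inline), compares it with a hypothetical approved baseline, and reports unapproved installations, products running in several versions, and products that exist on only one host (the cheapest candidates to retire). The CSV layout, product names and the `APPROVED` baseline are all assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (host, product, version); not real data.
INVENTORY_CSV = """host,product,version
ws-001,OfficeSuite,16.0
ws-001,PDFReader,11.2
ws-002,OfficeSuite,16.0
ws-002,PDFReader,9.5
ws-003,OfficeSuite,15.0
ws-003,ScreenRecorder,2.1
ws-004,PDFReader,11.2
ws-004,TorrentClient,4.3
"""

# Hypothetical approved baseline: product -> versions the business has standardised on.
APPROVED = {
    "OfficeSuite": {"16.0"},
    "PDFReader": {"11.2"},
}


def parse_inventory(text):
    """Parse a CSV export into a list of (host, product, version) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["host"].strip(), row["product"].strip(), row["version"].strip())
            for row in reader]


def version_key(version):
    """Sort key so that 9.5 orders before 11.2 (numeric components, text fallback)."""
    parts = []
    for piece in version.split("."):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def find_unapproved(records, approved):
    """Installations not covered by the baseline: unknown product or non-standard version."""
    return [rec for rec in records
            if rec[1] not in approved or rec[2] not in approved[rec[1]]]


def version_diversity(records):
    """product -> sorted list of distinct versions seen across the estate."""
    seen = defaultdict(set)
    for _host, product, version in records:
        seen[product].add(version)
    return {p: sorted(v, key=version_key) for p, v in seen.items()}


def host_count(records):
    """product -> number of distinct hosts it is installed on."""
    hosts = defaultdict(set)
    for host, product, _version in records:
        hosts[product].add(host)
    return {p: len(h) for p, h in hosts.items()}


def build_report(records, approved):
    """Collect the figures a consolidation review needs into one dict."""
    counts = host_count(records)
    return {
        "distinct_products": len(counts),
        "unapproved": find_unapproved(records, approved),
        "multi_version": {p: v for p, v in version_diversity(records).items() if len(v) > 1},
        # Products present on a single host are the cheapest candidates to retire.
        "single_host_products": sorted(p for p, n in counts.items() if n == 1),
    }


if __name__ == "__main__":
    report = build_report(parse_inventory(INVENTORY_CSV), APPROVED)
    print(f"Distinct products in estate: {report['distinct_products']}")
    for host, product, version in report["unapproved"]:
        print(f"UNAPPROVED {host}: {product} {version}")
    for product, versions in report["multi_version"].items():
        print(f"VERSION SPRAWL {product}: {', '.join(versions)}")
    print("Single-host products (retirement candidates):",
          ", ".join(report["single_host_products"]))
```

Run against a real export (most endpoint management tools can produce a host/product/version CSV) the same report gives the purchasing function a list of what is already in the estate before a new request is approved, and gives the desktop team a list of what slipped in while users could still install software.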
Beyond application consolidation within an organisation, the same benefits can be obtained from the continuing emergence of software as a service, application service provisioning, cloud services and similar models, where the services are developed, managed and maintained by a single third party and offered to a large number of businesses requiring the same system. With this approach, the security of the service itself is managed by the vendor.
Information security consultant with over 20 years' extensive experience gained across a diverse range of private and public industry sectors including insurance, banking, telecommunications, health services, charities and more, both in the UK and internationally. Graduated in 1997 with a software engineering degree and specialises in cyber security, risk analysis, compliance reporting and access management.