Moving on from the example scenario given in part 2 – this instalment looks at developing the streamlining and consolidation mindset that will contribute towards improving security. To recap some of the conclusions from the previous two parts:
- The greater the diversity of software, the greater the attack surface. Reducing the number of systems contributes to improving security by reducing the risk of both internal and external attacks.
- Reducing the number of systems has a much broader impact than security alone. It also contributes to reduced costs across the board: decommissioning a business system also eliminates all of its associated back-office costs.
- Reducing IT costs through streamlining releases funds for other security-related projects that might otherwise not be economically viable.
How many people does it take to change a light bulb? If an entire building has precisely the same type of light bulb in every room, the replacement bulbs will all be the same. The storage cupboard might have a minimum stock level of 20 to cover a building with 5000 operational light fittings. I will leave it to your imagination what happens next door in the office with 50 different types of light bulb. In a nutshell, having a standard is good; too much diversity is bad. The more exceptions added, the greater the complexity. In this simplistic example, the cost of diversity is simply how long it takes to change a light bulb.
Here are some thoughts to consider:
- Before committing to the expense of a new system, understand its infrastructure, operating system and database requirements and ensure they are aligned with the business IT environment. Vendors' sales representatives might not be aware of the technical details, and if they are, those details might not be considered an essential part of their pitch. Also, the buying decision-maker might not know what questions to ask about the operating environment and may assume that whatever is purchased can be implemented by the technical teams.
- Lock down desktop permissions so that users are unable to install software themselves; this should also include most of the IT department. Allowing users to install software has much broader implications than just the proliferation of software within the workplace: it has the potential to introduce a wide range of security risks and malware to the business. Even without considering the streamlining of software, this is a recommended action.
- Implement a centralised approach to purchasing software. With distributed software purchasing and decision-making across the business, the diversity of software will inevitably increase.
Beyond application consolidation within an organisation, businesses can gain the same benefits from the continuing emergence of cloud-based services, developed, managed and maintained by a third party and offered to a large number of companies requiring the same system. With this approach, the vendor manages the implementation of security.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.