Don't let security become a headache

Posted by Ron Miller on Feb 5, 2014 4:03:00 PM

The biggest job IT may face is providing security, but in a world where employees are mobile and data and content live in the cloud, that becomes an ever-growing challenge for organizations.

When I spoke recently with Todd McKinnon, CEO and co-founder of Okta, a company that one day hopes to develop an industry-standard way of dealing with compliance in the cloud, he identified three types of approaches to security:

  • The Blockers: They are going to shut down everything they can. You have a desktop PC, and you're blocked from accessing anything outside of the office network.
  • Endorsed Services: IT has a central set of endorsed services and doesn't worry about anything else, even if people are using them, and they probably are.
  • Progressives: You can use whatever you want, but IT is going to try to be advisors and help you understand the best choice. It's also going to see what people are using and recommend that you don't use services that are immature around compliance.

Whether you're working in IT inside an organization or as a managed service provider providing IT services, you still face the same challenges around security, governance and compliance as people and data are on the move.

That means you very likely have to make trade-offs about your security, but what you don't want to do is hinder your users' productivity, and blocking cloud services in the age of mobile, social and the cloud is probably going to end up being counter-productive.

Just today, I watched a friend deal with a draconian security system. The system demanded a password between 15 and 30 characters long. It had to have a mix of upper and lower case letters, numbers and special characters, with a minimum number from each category. The threshold was so high that this person was overwhelmed simply trying to come up with a password that matched the requirements. And the system required a new password, just as complex, every 60 days, and you couldn't just tack numbers on the end because you couldn't have 4 of the same characters in the new password.

That's insane on a number of levels. First of all, precious time was wasted simply coming up with a password that matched the ridiculous criteria. Then, in all likelihood, most folks end up writing the password down somewhere because it's so long and so complex, and who can remember such a monstrosity? And how secure is that?

Then, when you finally come up with a password that passes muster, the system required eight, count 'em, eight security questions should you ever forget the password (a likely scenario) within the 60-day cycle.
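To make the trade-off concrete, here is an added example (not code from the post or from Okta) that encodes the rules described above as a checker and puts it beside a length-plus-blocklist policy of the kind NIST SP 800-63B recommends (no composition rules, no forced rotation, reject known-compromised passwords). The policy parameters, the reading of the "4 of the same characters" rule as a character-overlap limit with the previous password, and the tiny blocklist are all assumptions constructed for the example.

```python
import string
from collections import Counter

# Character classes the composition rule counts. Assumed: the post does not
# define "special characters", so ASCII punctuation is used here.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed stand-in for a real compromised-password list (e.g. a breach corpus).
BLOCKLIST = {"password", "password1", "letmein", "qwerty123", "Winter2014!"}


def check_draconian(pw, previous=None, min_len=15, max_len=30,
                    min_per_class=1, max_overlap=3):
    """Mirror the policy the post describes. Returns the list of violated rules
    (an empty list means the password is accepted).

    Assumption: "can't have 4 of the same characters in the new password" is
    modelled as: the new password may share at most `max_overlap` characters
    (counted with multiplicity, position-insensitive) with the previous one.
    """
    failures = []
    if not (min_len <= len(pw) <= max_len):
        failures.append("length")
    for name, chars in CLASSES.items():
        if sum(c in chars for c in pw) < min_per_class:
            failures.append(f"missing_{name}")
    if previous is not None:
        overlap = sum((Counter(pw) & Counter(previous)).values())
        if overlap > max_overlap:
            failures.append("too_similar_to_previous")
    return failures


def check_simple(pw, min_len=12):
    """Length-plus-blocklist policy in the spirit of NIST SP 800-63B:
    no composition rules, no periodic rotation, reject short or known-bad passwords."""
    failures = []
    if len(pw) < min_len:
        failures.append("length")
    if pw.lower() in {b.lower() for b in BLOCKLIST}:
        failures.append("blocklisted")
    return failures


def compare(pw, previous=None):
    """Run both policies on one candidate so the difference is visible side by side."""
    return {"draconian": check_draconian(pw, previous), "simple": check_simple(pw)}


if __name__ == "__main__":
    # A long, memorable passphrase: rejected by the composition rules, fine under the simple policy.
    print(compare("correct horse battery staple"))
    # A rotation that changes one character: rejected as too similar to the previous password.
    print(compare("Tr0ub4dor&3Xyz!2", previous="Tr0ub4dor&3Xyz!!"))
    # A seasonal pattern that satisfies composition rules but sits on the blocklist.
    print(compare("Winter2014!"))
```

The first case is the one the post is really about: a 28-character passphrase that a person can remember fails every composition rule, while a policy that only cares about length and known-compromised values accepts it. The rotation case shows why the 60-day cycle pushes people toward writing passwords down rather than toward better ones.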

There's nothing wrong with strong security, but you can't set the bar so high that you end up making the task more about the security than what you were actually trying to do.

When you look at McKinnon's three types of IT, you very likely find yourself somewhere along that spectrum. Every organization has a different tolerance level, but remember, no matter what you decide, your users have to live with this system, and if it gets in the way of them doing their job, it's probably robbing Peter to pay Paul in the name of protecting the company assets, and that may not be as worthwhile a trade-off as you might think.
