Thinking about enterprises
- At May 04, 2018
- By Josh More
- In Business Security
The below was posted to a private mailing list in which we were debating whether software sources should be drastically restricted in enterprise environments. After I made the post below, I was asked to put it in a public location for wider review and consideration.
I’d like to say I’ll do more posts like this and try to revive this blog, but who knows what the future holds. ;)
Let’s pause for a moment and think about what an enterprise actually is before we blindly follow a control-based approach. One of the problems in our industry is that we tend to drive for stronger and stronger controls and often forget that our job is to protect the business, not to control the users.
Most enterprises have a complex history that started in small business. As a small business grows, it encounters challenges of scale, and one approach to scaling is to make everything the same. However, there is a tradeoff to doing that. Yes, it is easier to manage a monoculture environment, but as with monocultures in nature, if everything is the same, it’s a lot easier to attack. There is also a massive trade-off in terms of flexibility. When all the systems are locked down, workers must follow the pre-determined workflow to get things done. Think about what that means.
As a small business, it is possible to compete against the big players because you can be flexible and adjust the work as the work demands. You may make mistakes, but since you are moving so much faster, you can often screw up and recover faster than your enterprise competitors can complete the first round. This is a huge business advantage and it is what allows, over time, a small business to grow bigger and bigger to such a point where the pain of managing the flexible infrastructure exceeds the value that flexibility can bring, and they start to lock things down.
The problem is that that growth perspective is limited. The growth of startup -> small business -> large business -> enterprise is capped by the size of the economy in which it is growing (like a goldfish in a tank). This means that, as time goes by, the top end of the market gets full of enterprises. There’s not enough cash there for them all to survive, so enterprises at a certain size and stage must begin to re-invent flexibility so they can begin to out-compete the other enterprises around them.
This is a driving factor in why workers try to bypass security controls. They’re not just sitting around trying to think of ways to make your life miserable. They have strong incentives to make their customers happy, because that’s what gets them paychecks and bonuses, and helps the enterprise to stay viable. When security controls get in the way of that, they’ll look to cloud services, downloaded software, and other types of shadow I.T. If you do not support their needs, they will work around you, and security will be viewed as a group that hampers their success. That’s when they start to resist all new suggestions, creating a very difficult environment. The desire of the security team to leverage all sorts of layered controls, without a concept of what’s actually being protected, is what supports the notion that “Security doesn’t understand the business”, which works against us all.
The truth of the situation is that most enterprises are in life-and-death struggles with other businesses, and the ability to leverage the appropriate tools is a critical element of success. In any fight, the side that brings the best weapons and knows how to use them will often be the side that wins. If you force your users to bring knives to gun fights, you’re going to run out of users awfully fast. To use a more modern example, insurgent fighters use whatever they have available, in whatever ways they can, to fight. Professional armies, however, are limited to a pre-determined set of tools that have been vetted and supplied (often by the lowest bidder). As recent history has shown, professional armies are not all that effective against insurgents – because the scope of engagement is fundamentally different.
The same scope of engagement exists between small business and enterprises, and if you hamper your users, you are putting them in a position to be beaten by everyone else. Sure, you’ll be highly successful in projects that require only the set of tools you have pre-approved … but once you’re at that stage, the work can be automated and you may well find customers leaving as they find other ways to meet their needs outside of working with your enterprise.
To succeed, you need to allow for flexibility. This means building a less rigid and more resilient security design that allows people to use downloaded software and cloud services. Perhaps the process involves a renewed recognition that bad things happen, and building out recovery processes; perhaps you put more effort into monitoring and detection; perhaps you segment everything at the network level and use encryption to isolate data. There are a great many tools at our disposal that can integrate with the business without reducing the entire world to a binary “yes you can do this, no you can’t do that” dichotomy.
In particular, the concept of vetting is problematic. I talk to a lot of security teams that are focused on vetting third parties – but in a lot of cases, their work doesn’t matter, because the business has already decided to proceed. It may be better, instead of vetting from a “yes/no” perspective, to vet around the question “if this vendor were to be breached, based on how they integrate with us, how could it hurt us, and do our recovery mechanisms sufficiently protect us?” Outsourcing, whether to a service or just using software you didn’t develop, involves risk. But market-based reward also involves risk. Risk is not, in and of itself, a bad thing. It just needs to be balanced against what the enterprise is trying to do. The goal is not to maximize safety. The goal is to help move the business into a position to succeed, where one of the many factors that could hamper success is a lack of information security.
Remember that “keep the bad guys out” is only half of security. The other half is “while allowing the good guys to get stuff done”. We, as an industry, need to focus more on the latter.