Conventional wisdom has always told us that when deciding what users should be allowed to do, the correct choice is to grant access only to what they need, or, more bluntly, the least they can get away with: the principle of least privilege. This holds true up to a point, but in practice it is often oversimplified, and leads to the assumption that users need fewer access rights than they actually require.
A system administrator whose job is to keep the network secure will naturally be inclined to give users the minimum possible access rights. If there is a breach, the administrator is the first person held responsible, and it is tempting to assume that users cannot do anything wrong if they are not allowed to do anything. In most cases, though, this is an oversimplified solution that results in lost productivity and frustrated workers.
Take one example: FTP access. In most cases users do not need to reach external FTP servers, so such access is blocked. In reality, however, most employees perform many minor tasks beyond what their job description states, and sooner or later one of them will need to use FTP.
That user now has two options. One is to ask a supervisor to get a manager to send a request to the administrator to allow access to that FTP site, a process that can take several days and result in missed deadlines. The other is to find a website that proxies FTP servers over the web, which takes a few minutes of searching. If the FTP site requires credentials, the second option means the user hands the username and password to whoever runs that third-party gateway, over a channel the organization neither controls nor monitors. (FTP already sends credentials in the clear; the gateway adds an operator who sees and can reuse them, and moves the transfer out of sight of the organization's own controls.) So what happened here? We blocked FTP access, thinking that was the more secure choice. The result? The user found a way around the block that made things much worse than if access had been granted in the first place.
The FTP example is just one of many wrong assumptions people make when trying to secure a network. The same thinking underlies the debate about whether users should be forced to change their passwords frequently. In most companies it is taken for granted that forcing a password change every 30 days is a good thing. But is it? If I know I will be using a password for a long time, I will pick one that is hard to guess (and hard to remember), but would I do the same if I knew I had to forget it and memorise a new one after just a month? The truth is that most people do not care about security; all they care about is that their PC works. So they choose the simplest password they can get away with (Welcome1 becomes Welcome2, Winter2023 becomes Spring2024), and if they are forced to use a complex one, they write it on a post-it note and stick it next to the monitor. Current guidance agrees with this observation: NIST SP 800-63B advises against forcing periodic password changes and recommends changing a password when there is evidence it has been compromised.
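To make "the simplest change they can get away with" concrete, here is an added example (not code from the original article) of the check a password filter can run at change time: it flags a new password that is a cosmetic variant of the old one, or that merely moves to the next entry in the usual welcome/season/month rotation, and audits a whole password history the same way. The stem list and the sample history are constructed for illustration; the similarity threshold is an assumption a deployment would tune.

```python
import re
from difflib import SequenceMatcher

# Stems that users cycle through under forced rotation. This is a short,
# constructed list for illustration; a real filter would use a full dictionary.
COMMON_STEMS = {
    "password", "welcome", "letmein", "changeme",
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}


def stem(password: str) -> str:
    """Lowercase and strip leading/trailing digits and symbols, so that
    'Summer2023!' and 'summer2024' both reduce to 'summer'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())


def trivially_rotated(old: str, new: str, similarity: float = 0.75) -> bool:
    """Return True when `new` is the kind of change people make to satisfy a
    30-day policy rather than a genuinely new password:
      - identical, or the same stem with a different suffix (Welcome1 -> Welcome2)
      - both drawn from the welcome/season/month rotation (Winter2023 -> Spring2024)
      - the old password reversed
      - a small character-level edit (Password1 -> Passw0rd1), measured with
        difflib's similarity ratio (1.0 = identical); 0.75 is an assumed threshold
    """
    if old == new:
        return True
    s_old, s_new = stem(old), stem(new)
    if s_old and s_old == s_new:
        return True
    if s_old in COMMON_STEMS and s_new in COMMON_STEMS:
        return True
    if old[::-1] == new:
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= similarity


def audit_rotations(history: list[str]) -> list[bool]:
    """For one user's password history (oldest first), report for each change
    whether it was a trivial rotation. The share of True values is a direct
    measure of what the rotation policy actually bought."""
    return [trivially_rotated(old, new) for old, new in zip(history, history[1:])]


if __name__ == "__main__":
    # Constructed history of one user living under a 30-day rotation policy.
    sample_history = ["Welcome1", "Welcome2", "Welcome3!", "Spring2024",
                      "Summer2024", "k7#Qm2!vLp9z"]
    for (old, new), flagged in zip(zip(sample_history, sample_history[1:]),
                                   audit_rotations(sample_history)):
        print(f"{old!r:>14} -> {new!r:<16} trivial={flagged}")
```

Run against a real change-history export, the proportion of flagged changes is the number to put in front of whoever insists on the 30-day rule: it shows how much of the rotation was cosmetic. The same check can also be wired into the change path itself to reject the trivial variants, which is the only form in which a rotation policy buys anything.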
The aim of this article is not to say that what the industry is doing is wrong, nor that we should stop caring about security; far from it. What I would suggest to anyone working to create a secure environment is not to take industry "best practices" as self-evident solutions, because in many cases they are not, and some are worse than doing nothing at all. Before taking any security measure, think about whom it will affect, what its actual effect will be (including the workarounds it will provoke), and whether it is the right thing to do in your situation. In IT security there is never a one-size-fits-all solution; the best security schemes are tailored to the specific scenario.