The Human/Password Problem
Have you ever wondered why enterprise security people are so downtrodden? Have you ever been baffled by the seemingly impossible arrogance of penetration testers when they laugh at corporate security postures?
Headlines like this one at PC Magazine make all that real:
Now I ask you - those of you who attended the RSA Conference 2012 - what awesome, cool, and shiny new technology did you get wowed with that helps your enterprise against that headline?
While there were certainly lots of fantastic solutions to some of IT's most complex problems, the simple ones continue to elude us. How do we solve the human problem?
The bottom line is this - people have always been, and will continue to be, your Achilles heel in the enterprise. What I find interesting is that in information security, for the last two decades, we've been solving for and attempting to cure many of the symptoms of the people problem without actually addressing the actual problem head-on.
Human nature, and our need as employees to do the least amount of work to comply with requirements the security organization sets out while getting our real jobs done still wins 9 out of 10 times.
This quote - "Why 'Password1'? Because 'it satisfies the default Microsoft Active Directory complexity setting,' the IT security research firm [TrustWave] noted" - is at the heart of the issue. Those who pick Password1 have satisfied the requirement: one uppercase letter, a number, and greater than 8 characters. Done.
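To make the point concrete, here is an added example (written for this post, not code from the original article or from Trustwave) that models the complexity rule exactly as the post describes it, one uppercase letter, a digit and more than 8 characters, and runs a handful of constructed user-style choices through it beside a policy that checks length and a small, constructed blocklist of predictable bases instead. The blocklist, the sample passwords and the simplified rule are all assumptions for illustration; the real Windows policy has more categories, but the shape of the problem is the same: a rule that counts character classes accepts "Password1" and rejects a long passphrase.

```python
import re

# Constructed model of the AD-style complexity rule as the post states it:
# an uppercase letter, a digit, and more than 8 characters. (Assumption for
# illustration; the real policy also counts other character categories.)
def meets_legacy_complexity(pw: str) -> bool:
    return (len(pw) > 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))

# Constructed blocklist of bases that users dress up to satisfy such rules.
COMMON_BASES = {"password", "welcome", "summer", "winter",
                "spring", "autumn", "letmein", "qwerty"}

# Common substitutions people use to get a digit or symbol into a word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "!": "i"})

def is_predictable(pw: str) -> bool:
    """True if the password is a blocklisted word with decoration stripped."""
    base = re.sub(r"[\d!@#$%^&*]+$", "", pw)   # drop trailing year/digit/symbol
    base = base.lower().translate(LEET)        # undo leet-speak, ignore case
    return any(word in base for word in COMMON_BASES)

def assess(pw: str, min_length: int = 14) -> dict:
    """Compare the legacy rule with a length-plus-blocklist policy."""
    predictable = is_predictable(pw)
    return {
        "legacy_complexity_ok": meets_legacy_complexity(pw),
        "predictable": predictable,
        "length_ok": len(pw) >= min_length,
        "accept": len(pw) >= min_length and not predictable,
    }

def count_passing(passwords, policy) -> int:
    """How many of the given passwords a policy function accepts."""
    return sum(1 for p in passwords if policy(p))

# Constructed sample of the kinds of passwords people pick under each policy.
SAMPLE = [
    "Password1",                      # the post's example
    "P@ssw0rd1",                      # same word, leet-speak decoration
    "Welcome12",
    "Summer2012!",
    "correct horse battery staple",   # long passphrase, no digit/uppercase
    "Tq7!vZ2m#pL9wR4s",               # random, manager-generated
]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r:34} {assess(pw)}")
    print("legacy rule accepts:", count_passing(SAMPLE, meets_legacy_complexity), "of", len(SAMPLE))
    print("length+blocklist accepts:", count_passing(SAMPLE, lambda p: assess(p)["accept"]), "of", len(SAMPLE))
```

Running it shows the legacy rule waving through five of the six (including every decorated dictionary word) while rejecting the passphrase; the length-plus-blocklist policy accepts only the passphrase and the random string. The defensive takeaway is the one the post makes: measure what an attacker would guess, not how many character classes appear.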
You're reading this thinking to yourself - yes, rabbit, we've known about this for years, so what? - and I can't blame you for it. To you I say isn't it about time to stop treating the symptoms, and address the real issue?
Look, I know we're not going to solve the issue of human nature. I know people will continue to do silly things, and exert the absolute least amount of effort necessary to comply with security... but what if at some point the end user had to do less to comply with security requirements than today? What if instead of passwords that have little value because no one remembers the really complex ones, and they'll probably just be bypassed anyway, we collectively move to a scalable method of identifying people that can be used across corporate, personal and all kinds of systems?
Is it practical to think, and hope, that in our lifetime the password will go the way of the Dodo bird? I really hope the answer to the above question is yes.
So in that vein of thought, here's a challenge. Think back to all the cool technologies you've heard or seen in the last year of trade shows, webinars and vendors showing up at your company. Take out a piece of paper and draw two columns.
On the left side write "symptoms" and on the right side write "problem". Now, take all that tech and put them in either the left or right columns... and when you're done look at the right column. If I'm right, there will be maybe 1 or 2 actual things in that right-hand column.
The reason for this is simple. In Information Security it's much easier to cure the symptoms, than to try and cure the problem. Don't get me wrong, I'm not saying there is no merit in curing symptoms - I'm simply saying we need balance and to address the actual problems.
Technologies that make it inherently easier for your program managers, designers and developers to crank out more secure software help that core problem. Authentication systems that are true single sign-ons for the entire collection of corporate assets, without having to remember a million passwords, also attempt to cure the root cause rather than the symptoms. Technologies that make people more educated, smarter, and more self-aware work at the problem, not the symptoms.
So now that I have you thinking about this, let's examine your project list. Let's examine the list of things you're trying to purchase. Let's examine the 'must have' list of cool new tech you're enamored with. Let's agree that while we keep nipping the symptoms, maybe we take a whack at the root cause of the issue.
I'm certainly not suggesting wiping the human being from the equation, but I am suggesting making security more simple, usable, and transparent in the business world and everyday life. So maybe for every 5 projects or purchases we make that address the symptoms, we make 1 attempt to cure the core issue.
What do you think, is that doable?
Cross-posted from Following the White Rabbit