Are You Playing Security ‘Elf on the Shelf’?

Monday, December 23, 2013

Steve Lowing


While your end users may act like children from time to time, your security practices shouldn’t treat them like they are. Gain visibility and control before being placed on the naughty list.

With the holidays rapidly approaching and 2013 coming to a close, I’ve been reading a variety of articles on topics such as ‘The 10 biggest security issues of 2013,’ ‘What areas do CIOs/IT organizations under-invest in?’ and ‘How will security in the cloud and mobile change in 2014?’ As I read these stories, I am reminded of a little holiday tradition we have here at my house for our children – I’m sure some parents might do something similar.

Every year right after Thanksgiving, we bring out Elf on the Shelf to monitor the good and bad things that the kids are doing. In their eyes, Elf on the Shelf is real, reporting back to Santa daily to determine if the kids will be placed on the naughty or nice list. After the holiday, Elf on the Shelf disappears back to the North Pole until the next year. Simply put, the Elf serves as an adult in the room to keep kids behaving and off of Santa’s naughty list for the four weeks leading up to Christmas. While we are not naïve in thinking this is some silver bullet for minimizing chaos, it’s a nice tradition that we have and quite frankly, the kids love it.

I draw this parallel between security happenings and this supposed magical Elf because many companies still employ policies and practices around their endpoints and servers that don’t minimize the risk of “naughty” things happening to their sensitive data and resources. Some companies do not address the rising use, and associated risk, of cloud file sharing services like Dropbox and skybox that take corporate data offsite without IT’s knowledge. The rise of smartphone and tablet usage has driven the issue of BYOD, which also causes companies to lose control over who can access the data in their applications. Corporations are at increased risk as a result of this data sitting on uncontrolled endpoints, and because many companies have not established “Gold” images defining what should be running on an endpoint. Businesses are increasingly living in a world where traditional security practices mean well but don’t always keep their end users off the naughty list, and that can have extreme consequences.

Security and IT professionals are all beholden to their respective business’ needs and desire to operate with efficiency. We need to be conscious of the things that are running on client and server endpoints, lest we run the risk of being included in the ‘Top 10 biggest security issues year-end review for 2014.’

All joking aside, you might be asking, ‘So what do I do to keep end users on the nice list?’ Here are three ideas to consider putting in place as part of your IT security practice, or perhaps as objectives for a New Year’s resolution.

1. Develop a risk management policy around cloud file sharing: Determine who is using cloud file sharing services. Require two-factor authentication for accessing these services. Require encryption for all data leaving the enterprise (not just in transit, but also at rest).

2. Define your Gold image for what an end user should have installed and running: Verify and enforce this Gold image for all systems, and do so continuously. Don’t just do this once a year or once a quarter as part of a compliance audit. Be proactive.

3. Layered security is always important: Know what is running and, more importantly, what is in violation of policy. Of utmost importance, invest in security software that can talk to all layers. There are several great products on the market, but not many of them talk with one another. Favor the ones that do.
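To make ideas 2 and 3 concrete, here is an added example (not code from the original post or from Promisec) of a continuous Gold image drift check: a baseline manifest of approved software is compared against an inventory collected from one endpoint, and every unauthorized, missing, drifted or tampered item is reported as a policy violation. All package names, versions and hashes are constructed sample data.

```python
# Added example, not from the original post: Gold image drift check.
# Baseline = what an endpoint should be running; inventory = what one host
# actually reports. Names, versions and hashes are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    kind: str    # unauthorized | missing | version_drift | hash_mismatch
    name: str
    detail: str

# Gold image: package name -> (approved version, sha256 of its main binary)
GOLD_IMAGE = {
    "endpoint-agent": ("4.2.1", "aa11"),
    "office-suite":   ("2013.1", "bb22"),
    "browser":        ("31.0", "cc33"),
}
# Software banned by policy (e.g. consumer cloud file-sharing clients)
BANNED = {"dropbox-client", "cloud-sync-client"}

def check_drift(gold, banned, inventory):
    """Compare {name: (version, sha256)} from a host against the gold image."""
    findings = []
    for name, (version, digest) in inventory.items():
        if name in banned:
            findings.append(Finding("unauthorized", name, f"banned by policy (v{version})"))
        elif name not in gold:
            findings.append(Finding("unauthorized", name, f"not in gold image (v{version})"))
        else:
            want_ver, want_hash = gold[name]
            if version != want_ver:
                findings.append(Finding("version_drift", name, f"{version} != {want_ver}"))
            if digest != want_hash:
                findings.append(Finding("hash_mismatch", name, f"{digest} != {want_hash}"))
    for name in gold:
        if name not in inventory:  # required by the gold image but absent
            findings.append(Finding("missing", name, "required but not installed"))
    return sorted(findings, key=lambda f: (f.kind, f.name))  # stable report order

# Constructed inventory from one host: banned client present, agent missing,
# browser version drifted, office binary hash no longer matches the baseline.
SAMPLE_INVENTORY = {
    "office-suite":   ("2013.1", "dead"),
    "browser":        ("30.0", "cc33"),
    "dropbox-client": ("2.4.0", "1234"),
}

if __name__ == "__main__":
    for f in check_drift(GOLD_IMAGE, BANNED, SAMPLE_INVENTORY):
        print(f"{f.kind:14} {f.name:16} {f.detail}")
```

Run on a schedule (or on inventory change) rather than once a quarter, the empty-result case is the host that matches the Gold image; anything else is a ticket.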

These objectives will allow you to operate your business more effectively and with lower risk – and perhaps, keep your New Year’s resolution for once.

About the Author: Steve Lowing is Director, Product Management at Promisec.
