Friday, November 18

Back to the Future: Layered Security
By Brad C. Johnson


In December of 2010 I posted a "Looking forward to 2011" entry that included the following simple advice: "One thing that we have learned in the last few years is that oftentimes it's the simple and straightforward actions that make the most sense." That is a theme that has been used consistently in this blog because it just turns out to be true. Albert Einstein once said: "Make things as simple as possible, but not simpler."

Related to that is this advice: do not rely on just one method of securing a resource, no matter how dynamic, exhaustive, or impressive it is. We have been a consistent supporter of this equally tried and true "Belt and Suspenders" approach to everything security. Using simple layers of security is often more dependable than expensive or complex products or strategies. Just this last week, the following news was in the headlines:

"The NCAA mistakenly left its internal SharePoint site unprotected, allowing fans, media … to have complete access to its most sensitive economic information. The leak involves years of accounting information, slideshows and much more."

How is this possible? Probably because they assumed that, since this data was on the "inside" (an assumption that used to be rampant throughout the industry and that essentially makes no sense anymore), the normal or default protections would be enough.

There are a number of "Belt and Suspender" tactics that probably would have prevented this exposure. None of them is sophisticated or complex, yet as a collection of protection layers they would have provided an environment that prevented the exposure even if one or more of them had failed.

  • Internet facing firewall: have rules that are just as strict about what goes out as you have for what comes in: don’t allow file share protocols outbound
  • Monitoring: similar to the firewall, be just as concerned about traffic that is leaving the network as what is coming in: detect file share requests travelling outbound
  • Intrusion detection: notice that external IP addresses are accessing internal resources
  • Authentication: require users to provide credentials to use SharePoint services
  • Authorization: define acceptable users or groups that can access the SharePoint services
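
As an added illustration (not code from the original post) of the monitoring and intrusion-detection layers above: a small Python checker that runs two independent rules over constructed flow records, flagging file-share protocols leaving the network and external addresses reaching the internal SharePoint server. The log format, the RFC 1918 address plan, and the SharePoint host address are assumptions.

```python
import ipaddress

# Constructed sample records, "timestamp src_ip src_port dst_ip dst_port proto" (not a real log format).
SAMPLE_LOG = """\
2011-11-18T09:12:01 10.0.3.15 51234 203.0.113.8 445 tcp
2011-11-18T09:12:05 10.0.3.15 51240 10.0.5.20 443 tcp
2011-11-18T09:13:40 198.51.100.77 40122 10.0.5.20 443 tcp
2011-11-18T09:14:02 10.0.3.16 50001 203.0.113.10 443 tcp
2011-11-18T09:15:11 10.0.3.17 50002 203.0.113.9 2049 tcp
"""

# Assumed address plan: RFC 1918 space is "inside"; the SharePoint server is assumed to live at 10.0.5.20.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHAREPOINT_HOSTS = {ipaddress.ip_address("10.0.5.20")}
WEB_PORTS = {80, 443}
# File-sharing protocols that should never leave the network (the firewall and monitoring layers).
FILE_SHARE_PORTS = {137: "NetBIOS-NS", 138: "NetBIOS-DGM", 139: "NetBIOS-SSN", 445: "SMB", 2049: "NFS"}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def check_flow(line):
    """Return the names of every rule a single flow record violates."""
    _ts, src, _sport, dst, dport, _proto = line.split()
    src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    alerts = []
    # Rule 1: a file-share protocol travelling outbound (egress rules should block it; monitoring catches it anyway).
    if is_internal(src) and not is_internal(dst) and dport in FILE_SHARE_PORTS:
        alerts.append(f"outbound-file-share:{FILE_SHARE_PORTS[dport]}")
    # Rule 2: an external address reaching the internal SharePoint service.
    if not is_internal(src) and dst in SHAREPOINT_HOSTS and dport in WEB_PORTS:
        alerts.append("external-to-sharepoint")
    return alerts


def analyze(log_text):
    """Run every rule over every record; each hit is (timestamp, src, dst, rule)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        for rule in check_flow(line):
            hits.append((fields[0], fields[1], fields[3], rule))
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(" ".join(hit))
```

The two rules are deliberately independent: either one still fires if the other control is misconfigured, which is the point of layering.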

None of the above actions is hard to implement or requires unique security infrastructure or expertise. Each one provides a certain type of security awareness or protection that is related to, but different from, the others. No single one provides ultimate protection of the internal resource, but as a whole they represent a layered approach to protecting the asset, even if one or more of them are, for whatever reason, not working.

So, here we are ending 2011 just where we started the year: focusing on fundamentals; preaching about straightforward and layered security philosophies.
