The Unintended Consequences of Sound Security Policy
- by Tanu Sood
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
Normal
0
false
false
false
EN-US
X-NONE
X-NONE
MicrosoftInternetExplorer4
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Calibri","sans-serif";
mso-bidi-font-family:"Times New Roman";}
Author: Kevin Moulton,
CISSP, CISM
Meet the Author:
Kevin Moulton,
Senior Sales Consulting Manager, Oracle
Kevin Moulton, CISSP, CISM, has
been in the security space for more than 25 years, and with Oracle for 7 years.
He manages the East Enterprise Security Sales Consulting Team. He is also a
Distinguished Toastmaster. Follow Kevin on Twitter at
twitter.com/kevin_moulton, where he sometimes tweets about security, but might
also tweet about running, beer, food, baseball, football, good books, or
whatever else grabs his attention. Kevin will be a regular contributor to this
blog so stay tuned for more posts from him.
When I speak to a room of IT administrators, I like to begin
by asking them if they have implemented a complex password policy. Generally,
they all nod their heads enthusiastically. I ask them if that password policy
requires long passwords. More nodding. I
ask if that policy requires upper and lower case letters – faster nodding –
numbers – even faster – special characters – enthusiastic nodding all around!
I then ask them if their policy also includes a requirement
for users to regularly change their passwords. Now we have smiles with the nodding! I ask them if the users have
different IDs and passwords on the many systems that they have access to. Of
course!
I then ask them if, when they walk around the building, they
see something like this:
Thanks to Jake
Ludington for the nice example.
Can these administrators be faulted for their policies?
Probably not but, in the end, end-users will find a way to get their job done
efficiently. Post-It Notes to the rescue!
I was visiting a business in New York City one day which was
a perfect example of this problem. First
I walked up to the security desk and told them where I was headed. They asked
me if they should call upstairs to have someone escort me. Is that my call? Is
that policy?
I said that I knew where I was going, so they let me go.
Having the conference room number handy, I wandered around the place in a
search of my destination. As I walked around, unescorted, I noticed the post-it
note problem in abundance. Had I been so inclined, I could have logged in on
almost any machine and into any number of systems.
When I reached my intended conference room, I mentioned my
post-it note observation to the two gentlemen with whom I was meeting. One of
them said, “You mean like this,” and he produced a post it note full of login
IDs and passwords from his breast pocket! I gave him kudos for not hanging the
list on his monitor.
We then talked for the rest of the meeting about the
difficulties faced by the employees due to the security policies. These
policies, although well-intended, made life very difficult for the end-users.
Most users had access to 8 to 12 systems, and the passwords for each expired at
a different times. The post-it note solution was understandable. Who could
remember even half of them?
What could this customer have done differently?
I am a fan of using a provisioning system, such as Oracle
Identity Manager, to manage all of the target systems. With OIM, and email
could be automatically sent to all users when it was time to change their
password. The end-users would follow a link to change their password on a web
page, and then OIM would propagate that password out to all of the systems that
the user had access to, even if the login IDs were different.
Another option would be an Enterprise Single-Sign On
Solution. With Oracle eSSO, all of a user’s credentials would be stored in a
central, encrypted credential store. The end-user would only have to login to
their machine each morning and then, as they moved to each new system, Oracle
eSSO would supply the credentials.
Good-bye post-it notes!
3M may be disappointed, but your end users will thank you.
I hear people say that this post-it note problem is not a
big deal, because the only people who would see the passwords are fellow
employees. Do you really know who is walking around your building?
What are the password policies in your business? How do the end-users respond?
