UK Govt – No preventative security measures for internal users. Are they mad??

Reading the Government Service Design Manual and especially the section on Security as an Enabler, I found an interesting paragraph in there, when talking about internal users, it states:

“It is the intention of the Civil Service Reform Plan and the new Security Classification Policy that there is greater emphasis on user responsibility, reducing expensive and overbearing technical controls. This requires proper training to assist users in handling sensitive information, and auditing to verify users are acting responsibly.

Users should be trusted to carry out their roles and given the responsibility to do so securely.

Audit and verification of user behaviour should be used to ensure policy compliance instead of preventative measures which add cost and degrade productivity. Such audit and verification should be implemented by services or network infrastructure, away from the end user device.”

I find this a shocking statement. You only have to look at the press or read the annual Verizon Data Breach Investigations Report to see that the threat from insiders is growing (14% in 2013), with 13% of breaches occurring through privilege misuse or abuse.

It’s very brave (or stupid) to rely on detective controls alone and therefore close the stable door only once the horse has bolted. Surely the cost and ‘degraded productivity’ should be measured against the increased risk and reduced compliance.

I would argue that to use security as an enabler, you must ensure that you do have the appropriate mix of preventative AND detective controls in place before you can enable those services that are going to provide the real benefits and savings.

What makes a good presentation

Working in the field that I do I have to present and receive lots of presentations. A few months ago I started to get really frustrated with the poor quality of people’s presentations. Sometimes, this was their speaking, sometimes it was their slides or materials. I decided that I wanted to change the way that I approached the whole issue of presenting.

Therefore, I have spent the last few months trying to improve my presentation skills, both in terms of speaking and the material that I use. One of the great inspirations for my change has been Garr Reynolds, whose book, Presentation Zen, has really helped me to understand the good and bad points of design for PowerPoint presentations. As a result of reading this book, I have started to change my approach. Here is an example of some slides I created, which I have used recently in a couple of presentations I gave.

I have only used these slides on internal presentations so far, but they seemed to be received well compared to the more traditional approach. Hopefully, if he saw these, Garr would be proud.

The only problem I have with his approach is the length of time it takes to not only prepare the presentation content but also any accompanying handout (if required). I’m sure, as I get more used to this approach I will become quicker at it and can re-use much of the content.

Presenting, however, is not just about the slides that you use. In fact, sometimes you don’t even need slides. The most important part of any presentation is the message that you are trying to convey and the way that you get it across. I am currently reading Presenting to Win by Jerry Weissman and, whilst a lot of what he talks about is common sense, it’s amazing how many presenters seem to leave common sense at the door.

So, when watching presentations, how can I tell whether a presentation is good or not? Simple: am I captivated? Lawrence Lessig is a fantastic example, as shown in the video below.

I’ve never heard Lawrence speak before and am not particularly interested in copyright (the theme of his presentation). However, for the 1 hr 5 min that he presented, I was absolutely captivated. His combination of conversation and supporting materials made a very enthralling presentation. It just goes to show, a good presenter can capture his audience regardless of what he is talking about.

Authorisation comes full circle

I find it really interesting to look at access control of web-based applications to see how they have changed over the past decade.

When I first started working with Identity and Access Management back in 1998/1999, web applications were still emerging and their functionality was limited. At that time people were building siloed applications containing all of the security within each application. Then along came the web access management (WAM) vendors, including Netegrity, Oblix, etc. All of these vendors took a new approach to web application security. Their approach was to remove the security from the application and instead put it into a security framework which surrounded your applications. This became a common access point which provided a range of features including:

  • Web-based SSO
  • Authentication
  • Authorisation
  • Auditing

This was all well and good, but as applications developed and became increasingly complex, it became harder to meet all of the applications’ security requirements through this framework. Sure, authentication was straightforward. Let’s authenticate the user and then pass a token to the application containing the user’s identity. This has been done over and over again and is now a very well-trodden path.

However, what about authorisation? This wasn’t so simple. Despite their claims of handling authorisation, the WAM products worked primarily on the URL. They were able to carve up the URL space into chunks and decide which users got access to which chunks. This was fine in some cases, but more often than not it was not enough for many applications, because the URL says nothing about the data behind it: two users who may both reach /accounts/ are rarely entitled to the same accounts.

As applications matured, there were more requirements to do complex authorisation, based on defining access control at levels deeper than the URL. The WAM vendors’ answer was typically to pass some information from the user directory to the application and let the application perform that level of authorisation. I have deployed many WAM solutions during my consulting days. The majority of those used WAM to provide authentication but left the authorisation to the underlying applications. So, we ended up with a halfway house: WAM providing authentication and some high-level authorisation, with applications providing the more detailed authorisation. Not ideal!

Then, as the market matured even more, we saw the advent of products like Oracle Entitlements Server which address this problem. How do we provide a solution which allows us to externalise not only authentication and the high-level (coarse-grained) authorisation but also the low-level (fine-grained) authorisation? We now have the answer to providing a complete solution in this area.

We can now use WAM to provide the authentication and coarse-grained authorisation whilst allowing an entitlements service to provide the fine-grained authorisation.
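To make the coarse-grained/fine-grained split concrete, here is an added example (my own illustration, not code from the post or from any WAM or entitlements product). It models a policy enforcement point that first applies a WAM-style URL-prefix check and then consults a separate entitlement decision over the resource's attributes. The subjects, resources, roles, departments and the two policy tables are all constructed for the example and are assumptions, not anything the post describes. It also shows why the URL check alone is not enough: two staff users pass the same URL rule but only one is entitled to the record, and the URL check has to normalise the path before matching, otherwise a request for /accounts/../admin/ would be judged against the wrong chunk.

```python
"""Coarse-grained (URL) authorisation beside fine-grained (entitlement) authorisation.

Added example: the data and policies below are constructed for illustration.
"""
from dataclasses import dataclass
import posixpath


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset
    department: str


@dataclass(frozen=True)
class Resource:
    path: str        # the URL the request arrives on
    owner: str       # attributes the URL cannot express ...
    department: str  # ... but the entitlement policy needs


# Coarse-grained policy, as a WAM would "carve up" the URL space: prefix -> roles that may pass.
URL_POLICY = [
    ("/admin", {"admin"}),
    ("/accounts", {"staff", "admin"}),
    ("/public", {"anonymous", "staff", "admin"}),
]


def normalise(path):
    """Collapse '.' and '..' segments so the prefix match sees the same path the application will.

    A real deployment must normalise exactly as the application server does, or the decision
    point and the enforcement point judge different URLs.
    """
    return posixpath.normpath("/" + path.lstrip("/"))


def coarse_decision(subject, path):
    """WAM-style check: the longest matching URL prefix decides which roles may pass; default deny."""
    p = normalise(path)
    best = None
    for prefix, roles in URL_POLICY:
        if p == prefix or p.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, roles)
    if best is None:
        return False  # unmapped URL space is not reachable
    return bool(subject.roles & best[1])


# Fine-grained policy: rules over subject and resource attributes, as an entitlements service holds them.
def admin_override(subject, action, resource):
    return "admin" in subject.roles


def owner_or_same_department(subject, action, resource):
    if action == "read":
        return resource.owner == subject.user_id or resource.department == subject.department
    if action == "write":
        return resource.owner == subject.user_id
    return False


FINE_POLICY = [admin_override, owner_or_same_department]


def fine_decision(subject, action, resource):
    """Entitlement check: any rule that permits wins, otherwise deny."""
    return any(rule(subject, action, resource) for rule in FINE_POLICY)


def authorise(subject, action, resource):
    """Enforcement point: coarse URL check at the edge, then the fine-grained entitlement check."""
    if not coarse_decision(subject, resource.path):
        return "deny (url)"
    if not fine_decision(subject, action, resource):
        return "deny (entitlement)"
    return "permit"


# Constructed sample data.
alice = Subject("alice", frozenset({"staff"}), "finance")
bob = Subject("bob", frozenset({"staff"}), "hr")
root = Subject("root", frozenset({"admin"}), "it")
acct_123 = Resource("/accounts/123", owner="alice", department="finance")
acct_456 = Resource("/accounts/456", owner="carol", department="hr")


def demo():
    """Decisions for the sample requests; the URL rule alone would have let bob read acct_123."""
    return {
        "url-only view of bob on /accounts/123": coarse_decision(bob, "/accounts/123"),
        "alice reads own account": authorise(alice, "read", acct_123),
        "bob reads finance account": authorise(bob, "read", acct_123),
        "bob reads hr account": authorise(bob, "read", acct_456),
        "bob writes hr account": authorise(bob, "write", acct_456),
        "alice reaches admin via ..": authorise(alice, "read", Resource("/accounts/../admin/users", "root", "it")),
        "root writes any account": authorise(root, "write", acct_456),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {decision}")
```

The two decision functions are deliberately separate: the URL table is what a WAM can enforce at the perimeter without knowing the data model, while the entitlement rules need the resource's attributes, which is exactly the information the application used to keep to itself.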

Surely, this is where the WAM vendors first imagined we would be, i.e. externalising all of the access control from the web application. It just seems that it has taken us a bit longer than expected to get there.

Is ALL water a wishing well?

I have this theory which seems to bear out no matter where I travel to in the UK...

When I was a child I used to throw pennies into wishing wells and make a wish. As I grew up I noticed the security protecting the coins getting stronger (however, I digress).

What I have noticed now for a number of years is that any expanse of water contained in a public place becomes a public wishing well. You may notice that all of these places have coins thrown into them. These include water features in shopping centres as well as water fountains outside.

What happened to the good old wishing well, and why do people feel an urge to throw money wherever there is water?