• Blogroll

  • DevelopSec

• Archives

  • March 2024
  • December 2023
  • January 2023
  • August 2022
  • February 2020
  • October 2019
  • May 2019
  • June 2018
  • November 2017
  • June 2017
  • February 2017
  • October 2016
  • September 2016
  • May 2016
  • February 2016
  • January 2016
  • November 2015
  • October 2015
  • September 2015
  • April 2015
  • October 2014
  • August 2014
  • December 2013
  • November 2013
  • October 2013
  • July 2013
  • May 2013
  • April 2013
  • March 2013
  • January 2013
  • December 2012
  • September 2012
  • August 2012
  • July 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • September 2011
  • July 2011
  • June 2011
  • April 2011
  • March 2011
  • February 2011
  • January 2011
  • November 2010
  • October 2010
  • September 2010
  • July 2010
  • May 2010
  • April 2010
  • February 2010
  • January 2010
  • December 2009
  • October 2009
  • August 2009
  • April 2009
  • March 2009
  • January 2008
  • December 2007
  • October 2007

Call for Education or Need for Better Applications?

The fallout from the recent VA issue http://www.nextgov.com/nextgov/ng_20101222_6852.php has made me think about one issue around software security. Is it a lack of security education or out-dated applications that lead to some of these breaches. In this example, the users apparently wanted to be able to share their calendar among multiple employees. I am sure there are many people that have had this same request. There are many solutions to this, but which one is right depends on your environment.

Education
Many users are not aware of all the compliance requirements that exist. With HIPPA, SOX and others, it can be difficult to keep up with it if you are not a security professional. Even some of the information protection standards that corporations may have can be difficult to interpret. Maybe more education on what type of data needs to be protected might have been successful.

How many users do you know that don’t have a strong understanding of the internet or what the “cloud” even is? We, as IT professionals are expected to understand this much more in-depth than those not in this industry. Just as those in the health care industry are expected to understand health more than us. Users may not understand how these technologies work, or how they may be susceptible. When a typical user thinks about sharing a password with a co-worker they do not share the IT concerns. IT is concerned with audit trails, non-repudiation, etc.. Is it possible for the general user community to have the understanding to really make legitimate decisions when it comes to using third party apps with internal data? The IT department must be involved to offer the experience, but that too can be difficult when the company is small or the IT department is limited.

Better Applications
Are many of the applications we use out-dated? Of course they are. Technology is moving fast, where most applications are updated more than once a year. There are new applications coming out every day to solve the problems of older applications. Workers want to do as little as possible, this is not a fault, but the way of life. Why work harder when we can work smarter? When a user sees a new application that solves their problem, and it is probably free, they want to jump on it. Why use an excel spreadsheet to track scheduling when you can use a nifty online application accessible by everyone from anywhere? The intent is not to cause a “breach” as stated in this case, but to make the user’s life easier. This was not malicious. It was a case of something better coming along, and how often is that happening these days?

Unfortunately, this problem is not easily solved. Many IT departments are small, with very limited resources to create new applications. Even if they did, they may be out-dated by the time they are completed. It is also difficult to even have staff to research or understand the offerings already available by third parties. How does a company, with limited IT resources, manage their data and control access to this type of “breach”? Until there is an answer to that question, I believe there will be many more of these findings.

Hopefully, as time goes on, users will become more knowledgeable about how these technologies work and how the data they work with needs to be protected. As IT professionals, we need to do a better job of assisting users with protecting their data. It is obvious that every application cannot list out all the uses, but there has to be a way some assistance can be provided.

Comments

• Follow Us

  

  

  

  
  
  
  

• Recent Posts

  • Securing the Forms Authentication Cookie with Secure Flag
  • Does ASP:Textbox TextMode Securely Enforce Input Validation?
  • Disabling SpellCheck on Sensitive Fields
  • What is the difference between encryption and hashing?
  • XmlSecureResolver: XXE in .Net