Enterprise Systems vs. Agility
I was recently reading a good Cameron Purdy post where he talks about his eight theses regarding why startups or students can pull stuff off that large enterprise IT shops can't.
My summary/trenchant restatement of his points:
- Changing existing systems is harder than making a custom-built new one (version 2 is harder)
- IT veterans overcomplicate new systems
- The complexity of a system increases exponentially the work needed to change it (versions 3 and 4 are way way harder)
- Students/startups do fail a lot, you just don't see those
- Risk management steps add friction
- Organizational overhead (paperwork/meetings) adds friction
- Only overconservative goons work in enterprise IT anyway
- The larger the org, the more conflict
Though I suspect #1 and #3 are the same, #2 and #5 are the same, and #6 and #8 are the same, really.
I've been thinking about this lately with my change from our enterprise IT Web site to a new greenfield cloud-hosted SaaS product in our R&D organization. It's definitely a huge breath of fresh air to be able to move fast. My observations:
Complexity
The problem of systems complexity (theses #1 and #3) is a very real one. I used to describe our Web site as having reached "system gridlock." There were hundreds of apps running dozens to a server with poorly documented dependencies on all kinds of stuff. You would go in and find something that looked "wrong" - an Apache config, script, load balancer rule, whatever - but if you touched it some house of cards somewhere would come tumbling down. Since every app developer was allowed to design their own app in its own tightly coupled way, we had to implement draconian change control and release processes in an attempt to stem the tide of people lining up to crash the Web site.
We have a new system design philosophy for our new gig which I refer to as "sharing is the devil." All components are separated and loosely coupled. Using cloud computing for hardware and open source for software makes it easy and affordable to have a box that does "only one thing." In traditional compute environments there's pressure to "use up all that CPU before you add more", which results in a penny wise, pound foolish strategy of consolidation. More and more apps and functions get crunched closer together and when you go back to pull them out you discover that all kinds of new connections and dependencies have formed unbidden.
Complication
Overcomplicating systems (#2 and #5) can be somewhat overcome by using agile principles. We've been delving heavily into doing not just our apps but also our infrastructure according to an agile methodology. It surfaces your requirements - frankly, systems people often get away with implementing whatever they want, without having a spec let alone one open to review. Also, it makes you prioritize. "Whatever you can get done in this two week iteration, that's what you'll have done, and it should be working." It forces focus on what is required to get things to work and delays more complex niceties till later as there's time.
Conservatism
Both small and large organizations can suffer from #6 and #8. That's mostly a mindset issue. I like to tell the story about how we were working on a high level joint IT/business vision for our Web site. We identified a number of "pillars" of the strategy we were developing - performance, availability, TCO, etc. I had identified agility as one, but one of the application directors just wasn't buying into it. "Agility, that's weird, how do we measure that, we should just forget about it." I finally had to take all the things we had to the business head of the Web and say "of these, which would you say is the single most important one?" "Agility, of course," he said, as I knew he would. I made it a point to train my staff that "getting it done" was the most important thing, more important than risk mitigation or crossing all the t's and dotting all the i's. That can be difficult if the larger organization doesn't reward risk and achievement over conservatism, but you can work on it.
Security Policy Architecture – How to fix your current disaster
One of the sessions that I attended during the day on the Tuesday of TRISC 2009 was by Doug Landoll from Lantego on "Security Policy Architecture". The presentation was a very good overview of how to put good security policies in place that are easily auditable should that need arise and that are as comprehensive as necessary. The actual presentation slides are available here and because he had some very good visual aids in his presentation, I'm going to just recommend that you check out the actual slides. My notes, however, are below just in case the slides ever get deleted for some reason:
Importance of Security Policies
- Govern expected behavior and process
- Expected and prohibited behavior
- Security process
- Establishes roles and responsibilities
- Management & oversight
- Execution
- Define protection measures
- Access controls
- Physical security measures
- Monitoring, audit, and oversight
- Response priorities
Hazards of Weak Security Policies
- Unclear expected behavior
- Personnel guess at what is allowable & expected
- Minor “infractions” – undefined & unnoticed
- Leads to eroding culture of trust
- Unclear roles and responsibilities
- No oversight – administrator actions go unchecked
- No management – activities according to whim
- Unclear protection measures
- “Heroes” define network security
- Extremely tech-centric security posture
Security Architecture Mistakes
- Mixed audience policies
- Ex: Encryption policy
- Use of encryption – users
- Selection of encryption algorithms – system owners
- Implementation of encryption – custodians
- Key escrow – system owners
- Oversight – auditors/management
- Ex: Security Updates
- Do not block network updates – users
- Patch every Tuesday – admins
- Ex: Encryption policy
- Who is the audience?
Common Policy Architecture Mistakes
- One topic = one policy
- Magic Policies
- Templates
- Handbooks
- Pros
- Solves the “blank piece of paper” problem
- Cons
- Old
- No consideration for your environment, culture, or organization
- Discourages analysis
- No SME (Subject Matter Expert) involvement
- Thwarts adoption
- Match policy to requirements
- PCI Policy project
- HIPAA Policy project
- TAC 202 Policy project
- Etc
- Problem
- Requirements by controls
- Policies organized by audience & topic
Clean Slate Approach
- Assess what you have
- Independent & complete review process
- Determine controls framework
- COBIT, ISO 27001
- Map in requirements
- PCI DSS, HIPAA, TAC 202
- Organize create policy statements
- For each control (rows) and requirement (column)
- Create policy architecture
- According to audience & topic
Policy Assessment Approach
- Step 1 (Essential Elements Checklist)
- Steps 2 (controls & framework) & 3 (map requirements)
- Steps 4 (policy statements) & 5 (policy architecture)
Conclusion
- Administrative Controls
- Management, oversight, process
- Address organizational and insider issues
- Lack of policy architecture
- Leads to weak administrative controls
- Unplanned technology implementation
- “implementation by appointment”
- Ensure your controls are complete
- Reaction is NOT a strategy (Don’t do it because a vendor called you or because an auditor said to do it)