Approaches to security policy

Here are common strategies for security policy, for better or worse.

Plug the Holes

This approach is used by enterprises and big business – those with a $10,000,000+ budget for their IT department.

Enterprises need a full-functioned network.  They need ten different versions of Microsoft servers and desktops, Office, Adobe, Internet Explorer, File sharing, Websites, and a myriad of other commercial products.  Each of these products is complex, totaling millions of lines of code, with numerous attack avenues and vulnerabilities.

To plug the holes, the IT department will try to patch or negate each vulnerability on each software and hardware product running on the network.  In some cases, like Adobe Reader, this is simple (just upgrade to the latest version), but complex in that you need to do it to EVERY computer.  There is also a concern that moving to the newest version will simply introduce new, undiscovered, vulnerabilities.  In other cases, there isn’t an easily downloaded patch, or the patch will break something vital.

Plugging the holes is a numbers game.  You are constantly behind the curve, with ever changing known vulnerabilities and unknown vulnerabilities, and are simply striving to plug 90 – 95% of them over time.

This is not a good cycle to be in, but without a complete change to the way we do computers, it is the only way for well run computer networks to keep their heads above the water.

Security through Obscurity

Home users and most small businesses take this route.  By default, the internet provider’s router/firewall is set to automatically deny all traffic from the outside.  By using less professional versions of software (such as the home version of Windows XP), these people hope that their network will be considered low value and ignored.

Cross your fingers on this approach.


Air Gap

Used by either highly secure military, or by the odd pragmatic computer nerd, this strategy is to keep the really important data on separate computers which are never connected to the Internet.

There are still ways around it.  Data transfers still occur between the private and public computers, there is just an air and time gap.  For example, a computer operator might copy files onto a DVD-R then read those files on the private computer.  Self-contained viruses or other executable files can be passed in this manner.  But it is highly complex to design and almost impossible to achieve a “phone home” or other data transfer once the private computer is infected.

In my opinion, this is the only effective solution for security.  The next generation of personal computing should incorporate this concept at all levels – having public/private modes on each device, with no ability to pass instructions or data directly between them.


The Middle Way

Even with a limited IT budget, small and medium businesses can improve their security by using mid-tier or cloud-hosted equipment that has most of the features of enterprise equipment.

A business in this situation will want to run a Windows Domain with strong security policies for authentication and central management.  They will often invest in a mid-tier email and web filter which protects employees from downloading suspicious files.  They will pay for professional antivirus and backup software.  If they operate their own hardware (as opposed to using the cloud), they will purchase the hardware for 2-3 servers and use a virtualization product like VMWare for redundancy and management.  They will hire a small staff or a consultant to perform monthly maintenance on their network, making sure that patches are installed and problems are found before they cause an outage.