We were sitting and chatting with a fellow geek last night, and he was describing a corporate network he is familiar with. The description was like a tale from the old show “The Twilight Zone”. If it was a security vulnerability, it was present. If it was a standard and accepted security procedure, it was not present. The story got scarier by the minute, and was largely explained when the punch line was “they’ve had 200% admin turnover in the last few years.” Actually, I don’t know that it was 200%; I suspect it was higher as a percentage, but I’m purposely obfuscating the numbers because it’s creepy to talk about how many people they’d lost, even though you don’t know who “they” are.
Even if your turnover is high, you just can’t do things like “no DMZ, inside is outside all over the place, dual-homed”. You really can’t. And that really is a quote. “A cheap little (fill in F5 competitor here) SMB firewall that doesn’t seem to work with all the rules in place” was another really scary statement.
We here at F5 can help you implement standardized Application Security, VPN Security, secure remote tunnels, URL obfuscation on-the-fly, and a wealth of other things, but we can’t help if you don’t have a documented procedure to keep your staff on point, even in times of employee churn.
In fact, even if you’ve got high turnover due to rates of pay, benefits, or whatever, might I humbly suggest that you give the security admins golden handcuffs? Really, if you’re going to have an online presence, there are a lot of critical jobs, but the threat from the Internet is institutionalized and large, so the most critical (again assuming you have public-facing apps on-site) is, in my not-so-humble opinion, the security staff. They can double as a whole lot of other staff in a pinch, because they have to know enough to be dangerous about both network and applications, and having a perfectly running app or a finely tuned network does you no good if you are hosting a botnet.
Of course I could argue the opposite side of that; most of us have worked in one or more places where the security staff wasn’t a staff, it was the developers, systems admins, and network admins, each doing their part. But the complexity and ferocity of attackers has steadily increased, and I think those days are increasingly behind us. Particularly the larger your data center infrastructure, the more important it is to have someone (or several someones) dedicated to watching the security aspect and doing impact analysis when things do go wrong. Like any other job, there’s only so far that security can go as a part-time job.
Don’t go through life like the topic of a Twilight Zone story, wondering what is around the next corner and what surprises are in store for you. Build a solid security team, get quality security products, and have a plan and documented standards so that turnover doesn’t create a total mish-mash of security policies that no one can maintain.
This is going to get harder, not easier. The word from the street is a resounding “we are trying or moving to the cloud, and we are scared to death of the security implications”. That means security for your organization’s bit of the cloud is coming your way. When I say “get quality security products”, include “ones built with the cloud in mind” in that equation.