<?xml version="1.0" encoding="UTF-8"?><rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
> <channel><title>Comments on: Confessions of a Network Administrator &#8211; Stop Creating Bad Policies &#8211; Outsource Yourself</title> <atom:link href="http://jeffmcneill.com/confessions-of-a-network-administrator-stop-creating-bad-policies-outsource-yourself/feed/" rel="self" type="application/rss+xml" /><link>http://jeffmcneill.com/confessions-of-a-network-administrator-stop-creating-bad-policies-outsource-yourself/</link> <description>Publishing, Internet Marketing from Chiang Mai, Thailand</description> <lastBuildDate>Sat, 31 Dec 2011 07:16:54 +0000</lastBuildDate> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>By: Scott Christiansen</title><link>http://jeffmcneill.com/confessions-of-a-network-administrator-stop-creating-bad-policies-outsource-yourself/#comment-62</link> <dc:creator>Scott Christiansen</dc:creator> <pubDate>Tue, 23 Sep 2008 21:03:49 +0000</pubDate> <guid
isPermaLink="false">http://jeffmcneill.com/?p=1291#comment-62</guid> <description>&lt;p&gt;Hello Mr. McNeill,&lt;/p&gt;
&lt;p&gt;I could not agree with you more that the key to a solid security program has more to do with the holistic aspects of security than it does with simply placing larger more expensive locks on the doors.  If you take a look at the history of the information security industry it has developed largely out of panic and fear, with vendors quickly popping up to capitalize on that market and help perpetuate the fear.  This fear was developed by IT professionals that remembered working in a time when information security was more about information physically walking out the door than it was about remote intrusion over the internet.  In turn, we now live in a world where information security is more audit driven than it is business driven.&lt;/p&gt;
&lt;p&gt;The good news however is that times are changing, albeit slowly, and organizations are employing individuals academically educated in information security.  With that education comes an understanding of the modern day business and the business benefits of using Web 2.0 technology.  These professionals understand the need to be more flexible while still maintaining a strong posture on protecting the Confidentiality, Availability and most importantly the Integrity of an organization’s technical infrastructure.&lt;/p&gt;
&lt;p&gt;Each of these three items (Confidentiality, Integrity, and Availability - CIA) plays a unique and important role in any organization.  If you are dealing with the Department of Defense, Confidentiality is obviously a big issue; if you are an online retailer, Availability is one of your priority problems; and if you are unaware whether the information you are working with is legitimate and free from malicious manipulation, Integrity is a significant factor.  In my opinion, data integrity is the most important of the three.  How can a business possibly operate if it is not sure it can fully trust the data it is working with?&lt;/p&gt;
&lt;p&gt;Passwords are also still a big issue, for without them any of the three fundamentals of information security (the CIA) can be easily circumvented.  However, there are some rational alternatives.  Two-factor authentication provides significant protection and will allow the use of less stringent passwords.  Another alternative is to have longer, more complex passwords that are not as easy to crack, which provide you the benefit of allowing less frequent changes.  This will certainly not prevent them from writing the passwords down, but it has been my experience that frequent password changes are a more difficult experience for users than longer, more complex passwords with less stringent change requirements.&lt;/p&gt;
&lt;p&gt;You also touched on another interesting item: account lockouts.  Account lockouts are a bad idea, period.  Account lockouts and account lockout durations lend themselves to being more dangerous than helpful.  For example, suppose your organization has a web presence for internet-based email, such as a portal for Outlook Web Access.  With this login page freely accessible to the internet, an attacker could potentially run through the gamut of accounts within your organization (because they are generally the same as the part before the @ in their email address) and lock out every employee’s account.  This would not only flood the IT Help Desk with calls but has the potential to lock out those Systems Administrators and Help Desk staff as well.&lt;/p&gt;
&lt;p&gt;The dangers of blocking web-based email are also an interesting topic.  The problem with web-based email, from an IT standpoint, has less to do with productivity loss (that is an operations issue, not an IT issue) and more to do with the fact that these accounts are new vectors of attack into your organization.  In fact, the free public email systems are generally the first ones flooded with new viruses.  So organizations choose to either block entry points or risk new infections coming in.  Yes, defense in depth and having client-side antivirus can help avoid some of these issues, but how often are the client-side antivirus definitions updated as compared to a new virus that spreads through the world in under an hour?  My solution to this is by way of filtering this internet traffic before it ever reaches the client.  If software can understand and read the web surfing traffic, and potentially virulent attachments, before they reach the client, then the need to block these sites within an organization’s technical boundaries is significantly diminished.  Granted, this does not protect the organization from laptop users that visit these same sites when they are outside the organization (and bring infected machines back into the office).  However, there are newer technologies to help alleviate these issues as well.&lt;/p&gt;
&lt;p&gt;I recently wrote an article for Baseline Magazine outlining what I see to be the future landscape of Information Security, focusing more on your information and the streamlined operation of your business than on rigid endpoint controls.&lt;/p&gt;
&lt;p&gt;The article can be viewed online here:
http://www.baselinemag.com/c/a/Security/IT-Security-Strategy-Thinking-Inside-and-Outside-the-Glass-Box/&lt;/p&gt;
&lt;p&gt;Scott Christiansen
http://www.linkedin.com/in/scottchristiansen&lt;/p&gt; </description> <content:encoded><![CDATA[<p>Hello Mr. McNeill,</p><p>I could not agree with you more that the key to a solid security program has more to do with the holistic aspects of security than it does with simply placing larger more expensive locks on the doors.  If you take a look at the history of the information security industry it has developed largely out of panic and fear, with vendors quickly popping up to capitalize on that market and help perpetuate the fear.  This fear was developed by IT professionals that remembered working in a time when information security was more about information physically walking out the door than it was about remote intrusion over the internet.  In turn, we now live in a world where information security is more audit driven than it is business driven.</p><p>The good news however is that times are changing, albeit slowly, and organizations are employing individuals academically educated in information security.  With that education comes an understanding of the modern day business and the business benefits of using Web 2.0 technology.  These professionals understand the need to be more flexible while still maintaining a strong posture on protecting the Confidentiality, Availability and most importantly the Integrity of an organization’s technical infrastructure.</p><p>Each of these three items (Confidentiality, Integrity, and Availability &#8211; CIA) plays a unique and important role in any organization.  If you are dealing with the Department of Defense, Confidentiality is obviously a big issue; if you are an online retailer, Availability is one of your priority problems; and if you are unaware whether the information you are working with is legitimate and free from malicious manipulation, Integrity is a significant factor.  In my opinion, data integrity is the most important of the three.  How can a business possibly operate if it is not sure it can fully trust the data it is working with?</p><p>Passwords are also still a big issue, for without them any of the three fundamentals of information security (the CIA) can be easily circumvented.  However, there are some rational alternatives.  Two-factor authentication provides significant protection and will allow the use of less stringent passwords.  Another alternative is to have longer, more complex passwords that are not as easy to crack, which provide you the benefit of allowing less frequent changes.  This will certainly not prevent them from writing the passwords down, but it has been my experience that frequent password changes are a more difficult experience for users than longer, more complex passwords with less stringent change requirements.</p><p>You also touched on another interesting item: account lockouts.  Account lockouts are a bad idea, period.  Account lockouts and account lockout durations lend themselves to being more dangerous than helpful.  For example, suppose your organization has a web presence for internet-based email, such as a portal for Outlook Web Access.  With this login page freely accessible to the internet, an attacker could potentially run through the gamut of accounts within your organization (because they are generally the same as the part before the @ in their email address) and lock out every employee’s account.  This would not only flood the IT Help Desk with calls but has the potential to lock out those Systems Administrators and Help Desk staff as well.</p><p>The dangers of blocking web-based email are also an interesting topic.  The problem with web-based email, from an IT standpoint, has less to do with productivity loss (that is an operations issue, not an IT issue) and more to do with the fact that these accounts are new vectors of attack into your organization.  In fact, the free public email systems are generally the first ones flooded with new viruses.  So organizations choose to either block entry points or risk new infections coming in.  Yes, defense in depth and having client-side antivirus can help avoid some of these issues, but how often are the client-side antivirus definitions updated as compared to a new virus that spreads through the world in under an hour?  My solution to this is by way of filtering this internet traffic before it ever reaches the client.  If software can understand and read the web surfing traffic, and potentially virulent attachments, before they reach the client, then the need to block these sites within an organization’s technical boundaries is significantly diminished.  Granted, this does not protect the organization from laptop users that visit these same sites when they are outside the organization (and bring infected machines back into the office).  However, there are newer technologies to help alleviate these issues as well.</p><p>I recently wrote an article for Baseline Magazine outlining what I see to be the future landscape of Information Security, focusing more on your information and the streamlined operation of your business than on rigid endpoint controls.</p><p>The article can be viewed online here: <a
href="http://www.baselinemag.com/c/a/Security/IT-Security-Strategy-Thinking-Inside-and-Outside-the-Glass-Box/">http://www.baselinemag.com/c/a/Security/IT-Security-Strategy-Thinking-Inside-and-Outside-the-Glass-Box/</a></p><p>Scott Christiansen <a
href="http://www.linkedin.com/in/scottchristiansen">http://www.linkedin.com/in/scottchristiansen</a></p>]]></content:encoded> </item> </channel> </rss>
