Tuesday, May 29, 2012

Business Owner vs Business IT vs IT Supplier - disaster recovery fun#1

This is another classic story that may raise a smile for some security pros out there....

Business Owner guy: <* shouting over the phone *> What's happening? Why can't my customer access the application?

Business IT bloke:  The whole IT Supplier's data center is currently down. It has something to do with the earthquake that happened 10 minutes ago. Seems like the data center was badly hit by the quake. I managed to get hold of the service manager and he has arranged an emergency meeting in 15 minutes to update us on the situation.

After 15mins, in the emergency meeting...

Business Owner guy: IT Supplier chap, I understand you have a lot to deal right now, but my application is business critical. When can you get it up again?I'm losing like 10K per minute here!

Tuesday, May 22, 2012

Business IT vs IT Supplier Fun#2 - setting data classification

Last month, I wrote a story about BIT vs ITS on who should be the one setting the security requirements... well, as you may have guessed, the saga shall continue. This time, it's about data classification.

The Storybrooke Post today's headlines: XYZ Company fined 100Mil by Storybrooke State for non-compliance with Data Security Act 1337

Business IT bloke: What the heck is this? <* smashing the paper on the table *> . After our last meeting, we have given you all the security requirements for our system. How come we are still non-compliance with that Data Security Act? I believe we have a breach of contract here!
IT Supplier chap: I don't think so. We have carried-out and protected your data in accordance with your security requirements. The recent audit report carried-out by XYZ Group Internal Audit department confirms that. <* showing the report to BIT bloke *>

Wednesday, May 9, 2012

Application Owner vs Information Security fun#1 - data flow security

Have you ever met an old stubborn mainframe guy that just can't think outside of his archaic box? I bet you did. This is a story about this guy I met sometimes ago..... (My friend Adriano called them "The Dinosaur". BTW, if you time, you should check out his piece on this.)

Application Owner dude: We are using mainframe and we have tight ACL in place. No one can access the data inside. It's a very secure environment. I don't see any security issues here... That web interface is just a front-end for customer to see their order status...We developed this one ourselves and manage the user accounts. It's not even open to public or guest, by the way....

Information Security lad: Well... we see that there are other internal applications interfacing with this mainframe as well. How do you ensure these interfaces are secure?

Application Owner dude: Again. As I have said and stressed for so.... many times. We have strong and tight ACL in place. Those interfaces are connecting to our mainframe with their own credentials and we make sure they can only access their part of data... <* keep bragging about how fantastic ACL works on Mainframe *>

Information Security lad: <* I need to do more to than just talking to this guy to show him that ACL alone is not enough *> We going to run some test.....

Application Owner dude: Go ahead lad... No one ever broken into our mainframe before. I'll bet my every pint of beer on that.