by Craig

Security or productivity?

Like many of my colleagues, I am often presented with a lesser-of-two-evils choice, and security is often one of the two. In today’s consolidating market, with many SMEs facing a downturn in sales, a company with an acquisition strategy is like the proverbial kid in the sweet shop.

For me, working in one such organisation, the merging of companies into the ever-growing group structure is now a regular occurrence.

Most mergers are about getting more for less and require the integration of business processes into the new, larger group as quickly as possible. Once the merger is completed, the number of people maintaining processes can be reduced and the profitability of activities increased.

In broad strokes this makes sense, but only if you inject initial capital into merging those systems and processes. Compromises are often made where that capital does not cover the cost of integrating those services, or indeed does not exist at all. At this point the security-vs-productivity trade-off kicks in, and you would be hard pushed to find a board outside the financial services sector that would choose security over profit.

The problem can be particularly acute when faced with the acquisition of a smaller company where there is no formal IT department, or a one-man band who was also doing 3 other jobs at the same time. Usually IT security will have suffered in an effort to ‘just make it work’, often in pressured circumstances. These situations lead to a lack of knowledge about the environment and make integration even more difficult and prone to outages.

When bolting a new company’s infrastructure onto an existing company’s environment, you could end up with any number of the following:

  • Multiple domains
  • Weak or inconsistent password policies
  • Inconsistent remote access
  • Unsecured user-published services

Really, I would not be surprised if you ended up with all of those and more.

As an example:

  • We currently have 6 production domains (yes, 6), only one of which is destined to survive
  • Each domain has a different password policy; we cannot implement the same across all of them
  • Fortunately we have managed to get consistent remote access and that is compatible with the domain that is staying
  • We still have user-published services that are all part of the security-vs-productivity balancing act
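As an added example, not from the original post: a PowerShell report that reads the default domain password policy from each domain in a consolidation and flags the settings the domains disagree on, which is the first step in working out whether one policy can be implemented across all of them. The domain list is a constructed placeholder; the script assumes the RSAT ActiveDirectory module and an account that can read each domain over trusts or direct connectivity.

```powershell
# Added example, not part of the original post. Pull the default domain
# password policy from every domain in a consolidation and flag the settings
# that differ between them. Assumes the RSAT ActiveDirectory module and an
# account that can read each domain (over trusts or direct connectivity).
Import-Module ActiveDirectory

# Constructed placeholder list: substitute the real domains being merged.
# (Get-ADForest).Domains would cover only the current forest; acquired
# companies usually bring their own forests, hence the explicit list.
$domains = @('corp.example', 'acquired-a.example', 'acquired-b.example')

$report = foreach ($d in $domains) {
    try {
        $p = Get-ADDefaultDomainPasswordPolicy -Server $d -ErrorAction Stop
    } catch {
        # An unreachable domain is itself a finding: record it and carry on.
        Write-Warning "Could not read policy from $d : $($_.Exception.Message)"
        continue
    }
    [pscustomobject]@{
        Domain            = $d
        MinLength         = $p.MinPasswordLength
        Complexity        = $p.ComplexityEnabled
        History           = $p.PasswordHistoryCount
        MaxAgeDays        = $p.MaxPasswordAge.Days
        LockoutThreshold  = $p.LockoutThreshold
        ReversibleEncrypt = $p.ReversibleEncryptionEnabled
    }
}

$report | Format-Table -AutoSize

# Any setting with more than one distinct value is one the domains do not
# agree on; these must be reconciled before a single policy can be applied
# across the surviving domain.
$settings = 'MinLength','Complexity','History','MaxAgeDays','LockoutThreshold','ReversibleEncrypt'
foreach ($s in $settings) {
    $distinct = @($report.$s | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning ("{0} is inconsistent across domains: {1}" -f $s, ($distinct -join ', '))
    }
}
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override the default for specific groups, so check those as well before treating two domains as equivalent.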

I would hope we have started in the right place by sorting out the remote access first. I would further hope that doing so tips about even on the security-vs-productivity scales.

Business led change or IT led change

“The time for passwords is gone because they can be captured easily by password sniffers, no matter how long and complex they are…”
Matthijs Van der Wel, head of the EMEA forensics team at Verizon Business

This is a strong statement by Mr Van der Wel, but it does ring true. The complexity of delivery mechanisms and the inability of anti-virus software to protect against zero-day or near zero-day attacks leaves many computers infected. Where a machine is compromised there could be huge implications for the company or individual concerned. What could help stop this is multi-factor authentication: SecurID dongles or biometric logons, but these are more the domain of the enterprise. With multiple domains, or a badly maintained permission domain, underpinning an infrastructure, implementing enhanced security could at best be expensive or, worse, not work at all.

Moreover, should an IT department be pushing through these changes to a business that does not understand or want them? Obviously this is where the risk log would come in, to set the risk and cost of a security breach against the cost of implementing tougher security. Even with a risk log, conveying the ideas to a non-IT-literate board could prove difficult if they view a breach in a similar way to a natural disaster. Yet if a river ran next to every office in the land, how many would have flood defences just in case?

With security moving ahead rapidly in the enterprise through multi-factor authentication, Network Access Control and even limiting administrators’ access, the SME is starting to get left behind. Yet SMEs are just as much in the firing line as enterprises, and could be increasingly so as enterprises step up their security operations. The Data Protection Act is there to protect the individual, and the ICO can certainly impose heavy fines on any organisation in breach of it, but by then the damage is already done.

It is important to mention that integrated security is not just about defence; it can increase productivity, with less downtime spent requesting access to resources and simpler systems for IT staff and users alike. Extending Active Directory domains across the company makes the directory a powerful information repository to which systems can refer with confidence.

Closing thoughts

There are two subjects here: the integration of companies to achieve security, and the security of the whole. The landscape is changing so quickly that it is tough to keep up with threats, methods of working and even just the accessibility now demanded by users. Traditional IT has led us down a route of a company infrastructure hidden behind firewalls in a secure network. If you rip that concept up and start to treat internal and external as equally insecure, and each LAN and wireless network as a security threat, then you’re probably looking in the right place for a breach.

Should I even try to consolidate the IT infrastructure? Maybe 6 domains is the right number to ensure that any breach of security is isolated to that 1 domain. Either way you won’t be thanked for decreasing productivity, and maybe you won’t have that security breach…