Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Michael Van Norman <mvn () UCLA EDU>
Date: Wed, 17 Mar 2010 09:51:53 -0700
On 3/17/10 7:56 AM, "Joe St Sauver" <joe () OREGON UOREGON EDU> wrote:
Regarding passwords, Russell Fulton <r.fulton () AUCKLAND AC NZ> mentioned:
#I now cringe when I hear the phrase "Best Practice" when applied to
#security -- I have come to believe that this means that the speaker
#can't be bothered (or lacks the expertise) to do any analysis and is
#simply trotting out something 'safe'.

I think there's value to seeing how other sites (or the community as a whole) are doing things, if only because you get to learn from others' mistakes (if they'll admit to them and accurately describe them!) rather than continually having to reinvent the wheel from scratch. That said, should you slavishly adopt what site A is doing simply because they're doing it and have taken the time to document what they did? No, and I don't often see that sort of unthinking copycat mentality in higher education. In fact, part of the issue may be that we really don't have well codified security norms, or "community expectations for security" if you will.
Part of the problem here is the phrasing. We should not be looking at "security norms," we should be looking at "policy norms." Policies are going to differ between institutions, as well as *within* institutions as you move between different user communities. Security controls are a technical response to a desired policy outcome (with apologies for over-simplification). "Best practices," or whatever you want to call them, must be evaluated in relation to a specific policy goal. The "best practice" for accomplishing one goal may be exactly the wrong thing to do in accomplishing another (in which case the security measure will actually become a security breach). What we really need in this space is a list of desired policy outcomes along with the practices and technologies that have been proven effective in accomplishing those outcomes. With such a list in hand, a security audit can focus on the effectiveness of a given piece of "security" against a specific policy target. What we have today in too many cases is auditing of generic security practices against unspecified requirements.

/Mike