
Ends to the Means

Sometimes people can forget what their goals are or confuse the goals with the means to the goals. In the case of network security, this may manifest itself in people tending towards either security or usability. I would say each is an objective towards a goal, but not the goal itself.

If neither is the goal, just what is? The goal, in my opinion, is to facilitate the operations of the business or government entity so that, in the case of business, it makes money and in the case of a government entity, the policies of the decision makers are carried out.

Notice that I am in no way saying the network should be configured solely to make it easier for IT people to maintain, nor solely to make it easy for users to access. In the first case, no one would have access and the data would remain in a pristine, if useless, state. In the second, everyone would have access and the data might be suspect and therefore also useless.

In order to reach their respective goals, security must be balanced with usability. But this balance is based on criteria such as, but surely not limited to, how secure the data must be (based on context) and how computer-savvy the users are.

Data that someone would want to access without the proper authority to do so may need a higher level of security than something that is not valuable to anyone other than those already authorized to use it. For example, salary levels are considered highly proprietary information by businesses. On the other hand, public officials many times have their salaries set in statute, and those salaries are therefore open to anyone. How much government spends and what its revenues are is also public information. Hence, the context of what is being stored may make a difference to the level, if any, of security.

Likewise, if people authorized to access salary data are not able to because the security is overly cumbersome, then they can't help, for example, the business make money.

Now, you would think all of this is obvious and wonder why I am wasting these electrons telling you this. Well, there is a saying that the customer is always right, and perhaps there will come a day in which the competing values of network security and usability will no longer be a problem. But as many businesses learn, not all customers are right for their business. I mean, in a service business like, for example, computer customer support, a minority of your customers create a majority of your work. In most cases, a business model like this is workable because everyone pays for the service but only a minority actually use it. So a business can still make money under this model.

But get enough of the wrong kind of people, either as users or as people wanting to inappropriately access your data, and it is possible that the expense of providing support is higher than the money coming in.

In my case, I know of two people in our office who, between them, generate more service calls than the rest of us combined. Why? Partly it's because network security is not as transparent as some would believe and partly it's because these users don't understand the concept of a computer, much less a network of computers.

One solution would be to open the network to anyone. In our office that might not be so bad of an idea. Being a courthouse, this building has pretty good physical security. I'm not going to list what this includes, but suffice it to say no one gets in without being noticed. Further, the resources available are not so much different from what is available on our public-facing Internet servers. So, heretical as it may sound, a case could be made to eliminate network passwords or at least standardize on one password that gives access to all required data (as opposed to having one to log in, one to get email, one each to access the mainframes and minis, etc.).

But you may work at a place where data positively must be kept only for those authorized. If so, you have to balance that with making it accessible to everyone that is authorized. To do that, you may have to spend money and get retinal or fingerprint scanners. This costs money, but so may losing proprietary information to a competitor.

The bottom line is to remember what your goal is and not to confuse it with the means to the goal.

About

This page contains a single entry from the blog posted on August 25, 2004 9:11 AM.
