I faced a strange feeling a few days ago… I received a notification from a colleague about a scheduled upgrade of the SSL VPN solution deployed by my company. As I’m a mobile user, I use this SSL VPN daily (and often more than 8 hours a day!). The upgrade covered not only the software but also the security policies in place, including a “host check”.
Bundled with the classic user authentication, the goal of the “host checker” feature is to deny or restrict access to resources based on the type of terminal trying to establish the VPN session. Basically, the available checks are:
- Presence of an anti-virus and up-to-date signatures
- Presence and activation of a firewall
- Presence of a specific running process
- Presence of a specific key in the Windows registry
- Being part of a specific Microsoft domain
Practically, it means that a corporate laptop will have more access rights than a public PC running in a cyber-café.
When I tried to connect after the upgrade, my access was denied: my host was not compliant with the new policy in place. My laptop is clean and properly managed, but the SSL VPN definitively refused to grant me the regular access I needed. I successfully connected to my office resources by another means and fixed my computer to match the required stuff. No big deal! But at the same time, I started to realize how frustrating it can be for regular users…
As InfoSec professionals, our goal is to ensure that the business runs smoothly, not only by properly protecting the organization’s assets but also the access to them. It’s the “A” for Availability in the CIA triad (“Confidentiality, Integrity and Availability”). Too often, InfoSec pros forget the impact of new security measures on regular users. Guys, even if users are “dumb” and do things which can have a severe impact on our business, from time to time come down off your pedestal!
Try to switch your brain from kernel mode to userland mode 😉 and imagine the consequences of a change for them. It’s extremely difficult and, honestly, I’m certainly not the best at this exercise, but it can be constructive from time to time. Don’t misunderstand me: I never said that all security controls must be disabled! But at least be prepared to face end-users’ questions and remarks!
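As an added illustration (not code from the original post or from any VPN vendor), here is a small Python evaluator for the five host checks listed above; it also supports an audit mode that reports non-compliant hosts without denying them, which is how a practitioner would measure the impact of a new policy before enforcing it. The agent name, registry key, domain and host profiles are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed policy covering the five check types from the post.
POLICY = {
    "max_signature_age_days": 7,
    "firewall_required": True,
    "required_process": "corp-agent.exe",                  # hypothetical agent
    "required_registry_key": r"HKLM\SOFTWARE\Corp\Managed",  # hypothetical key
    "allowed_domains": {"corp.example"},                    # hypothetical domain
}

@dataclass
class HostProfile:
    """What the VPN client reports about the endpoint (constructed fields)."""
    av_signature_date: Optional[date]   # None means no anti-virus detected
    firewall_enabled: bool
    running_processes: Set[str]
    registry_keys: Set[str]
    domain: Optional[str]

def evaluate(host: HostProfile, policy: dict, today: date,
             mode: str = "enforce") -> Tuple[str, List[str]]:
    """Return (decision, failures). In 'audit' mode failures are logged but never deny."""
    failures = []
    if host.av_signature_date is None:
        failures.append("anti-virus not present")
    elif (today - host.av_signature_date).days > policy["max_signature_age_days"]:
        failures.append("anti-virus signatures out of date")
    if policy["firewall_required"] and not host.firewall_enabled:
        failures.append("firewall disabled")
    if policy["required_process"] not in host.running_processes:
        failures.append(f"process {policy['required_process']} not running")
    if policy["required_registry_key"] not in host.registry_keys:
        failures.append("managed-host registry key missing")
    if host.domain not in policy["allowed_domains"]:
        failures.append("host not joined to an approved domain")
    if failures and mode == "enforce":
        return "deny", failures
    return "allow", failures   # audit mode: allow, but the failure list is the report

# Constructed sample endpoints: a compliant corporate laptop and one with stale signatures.
TODAY = date(2024, 1, 12)
CORPORATE_LAPTOP = HostProfile(date(2024, 1, 10), True, {"corp-agent.exe"},
                               {r"HKLM\SOFTWARE\Corp\Managed"}, "corp.example")
STALE_LAPTOP = HostProfile(date(2023, 12, 20), True, {"corp-agent.exe"},
                           {r"HKLM\SOFTWARE\Corp\Managed"}, "corp.example")
```

Running the same policy in audit mode first turns the failure lists into a report of which users would be locked out, before anyone actually is.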
I’ve had a similar “problem” with a client. I’ve routed around it by using a virtual machine to connect to their VPN that I thought was too restrictive (needed their approved antivirus solution and other shit…)
As a security professional who has implemented just such a system, I have a feeling that this problem resulted from the tech folks becoming hypnotized by the array of security checks that they could perform and forgetting about which checks they should perform. The idea is sound – (hopefully) corporately managed boxes are less likely to be malware-ridden ebola monkeys… but when you are implementing a security measure which (like this one) has the potential to impact your users, you need to do some quality assurance work. We ran the software in detect mode for a while to gauge the impact and deal with issues before we turned it “up to 11.” The result? Safer network, happy users, no late night calls. Just saying…
You are so unbelievably correct.
I refer to this as “friction-free security” – if you’re throwing sand in the gears of your coworkers, you’re going to discover pretty quick that they’ll simply route around you. The problem is that we’re still teaching the new infosec pros to behave this way – the classic “What do you do when you discover an iPod connected to a laptop?” question with the standard answer “INCIDENT!!!!!!” rather than the reasonable response “We let them take the laptop home every day, if they were going to be nefarious, why do it where we can see it!”
Thanks for making this point and I hope you can find more people joining the cause.