Security Lessons Learned from the TSA (or how to annoy your users)

With the first wave of holiday travel behind us and the next big wave around the corner, many of us will be suffering through endless airport security lines. I couldn’t help but draw a comparison between airport check points and firewalls. When you think of it, both serve the same purpose – allowing trusted traffic (be it human or network) in and out of a facility, and both have policies in place to identify and keep the risky stuff out.

Anyone who used air-travel in the USA has suffered through the TSA’s poorly implemented security policy. Bruce Schneier summed it up nicely in an interview last year by saying – “the only real worry is that we’ll scare ourselves into making air travel so onerous that we won’t fly anymore.”

There is an important lesson for CSOs and IT security departments here, as poorly implemented firewall and network security rules can negatively impact the business process. Just as there are obvious dangers in simple “check-the-box” security compliance, so too are there concerns of alienating users or rendering applications unusable with poorly implemented security solutions. The best security teams know that implementing an effective security strategy requires striking a delicate balance between protection and usability – a practice the TSA has yet to completely understand.

Let’s look at some examples:

•  Automate the process whenever you can. Manual repetitive tasks are time-consuming and expensive, so automation improves efficiency and reduces errors. In the case of the TSA, bags receive X-ray screening instead of being manually opened and searched. Network security policy management can apply automation to policy review, ensuring optimization of rule sets.
• Reevaluate your policy to make sure all legacy rules are needed. We can all agree that being forced to fly with three oz. bottles of shampoo and conditioner does little to improve security, but does a lot to inconvenience travelers. Likewise, legacy network security rules may prevent applications from working effectively or impede business processes, so it is important to understand why they exist.
• Look at consolidating rules. Disparate network policy rules create longer lines (of packets) and effect operations, just as every secondary security screening you have to go through at the airport check point creates a longer line (of people). Do you have different rules that can be consolidated, allowing your firewall to process fewer rules?

Safe travels, and as always, we look forward to your feedback.