Workaround

Happy Friday!

Welcome to this edition of “Workaround” (#240).

My maiden journey to the U.S. occurred just a couple of months after 9/11. Although I was aware of the horrific and tragic attacks, I wasn’t expecting an almost strip search at the immigration checkpoint. I experienced the deeper sentiments firsthand at the port of entry. It was the first time a passenger aircraft was used as a weapon rather than a bargaining tool (hijacking was the threat until that time), so I convinced myself that such high scrutiny was warranted.

A whole new federal agency was launched called the TSA (Transportation Security Administration) in November 2001 with the sole purpose of protecting the nation’s transportation systems. While everyone understood the need for its stringent procedures, over time some of these measures have become burdensome, and many workarounds have been introduced. Let me list a few.

As extremists cleverly plotted to use shoes as bombs, a rule emerged to have shoes and belts screened. Over time, exceptions were granted to frequent travelers through a workaround by paying a fee and registering themselves in programs like TSA Precheck.

When terrorists concocted liquid bombs disguised in bottles of sports drinks, this led to the ban on carrying any liquids through the security gate. Over time, the 3-1-1 rule was introduced, followed by the allowance to carry empty bottles through as a workaround.

Similar to the evolution of security processes and the workarounds in the physical safety of the transportation systems, an evolution has occurred in the digital safety of the cyber systems too.?

We have evolved from a simple password to access and safeguard a computer system to a plethora of tools and devices, from MFA’s to Firewalls to Encryption. There is always a tension between the teams releasing a piece of software and the teams safeguarding and upholding the safety and security of the enterprise systems. Here are a few workarounds that can ease this tension.

As a team releasing the software, spend the time to understand the intent and background behind each security measure that you are asked to adhere to. Then you can come up with a workaround, like TSA Precheck, by doing the requisite tests before hand and getting a clearance ahead of the release night.?

As a team upholding the security of enterprise system safety, understand that application teams do not have ill intent. More often than not, they are either unaware or pressed for time. Show patience and concern, guide them to the policy documents and establish a partnership model with a give and take.?

No matter what the security process is, it always requires more time and work but for a good reason. Just as we allow ourselves more time for TSA clearance, especially during busy travel days, allow yourself more time in your planning for security compliance.?

A popular infosec quote summarizes it well, “If you can’t afford security, you can’t afford a breach.”

Stay safe, Stay healthy and Stay blessed.?Thank you and have a safe weekend.