Deny all, permit some

Securing your data is as much about keeping your data in as it is about keeping intruders out. One simple rule works wonders.

Page 2 of 2

If that's true, why don't network devices come configured that way? Why did the administrator have to make an explicit decision to implement that policy? The answer is simple: convenience. People -- administrators and users alike -- aren't fond of jumping through hoops to start using a new system. Most of you will remember the annoyance caused by Microsoft's User Account Control as it was shipped in Windows Vista, not to mention the fun involved in actually trying to use Internet Explorer when its "Enhanced Security Configuration" is active (good luck).

It's a fact of life that by default most systems give users more privileges than they need or should have. It's up to the administrator configuring the device or service to lock it down. All too often, this process isn't taken seriously enough and too many default permissions are left in place in the name of expediency.

Avoiding this trap requires IT to bite the bullet and constantly reevaluate rights and permissions -- and make exceptions to allow further access only as it is required. This sort of policy won't win much praise from end users, either. Nobody likes to be told that they aren't allowed to do something they need to be able to do, and then to wait for IT to come fix it for them. Well, too bad -- having people occasionally irritated with IT is far better than having confidential corporate data quietly upload itself onto the Internet without your being the wiser.

The next time it seems easier to leave default permissions in place or grant more permissions than you think are really required, don't. It could very well save your skin.

This story, "Deny all, permit some," was originally published at InfoWorld.com. Follow the latest developments in data management and network security at InfoWorld.com.
