Here we introduce a thought manipulation technique and then apply it to some of the recent developments IT managers face. You may remember in the last century that when a COBOL program would blow up at 3 a.m., the programmer would come into the data center, diagnose the problem, fix the program, correct the data, rerun the program, and go back home. This made sense, since the programmer was the one best-suited to fixing the problem, and we needed the program fixed quickly.
Later, someone introduced the concept of separation of test from production. Once we were exposed to the concept, we could never think about the COBOL programmer in the middle of the night the same way. Whether or not we thought he should be allowed to fix the program that way, we couldn’t help being aware that some people considered it a breakdown in controls. Merely being exposed to a new concept alters the way we look at things.
You can see, then, the tremendous advantage of being the first to introduce the important concepts in a new field. You have an opportunity to take advantage of this regarding two new developments affecting mainframe IT: Bring Your Own Device (BYOD) and the cloud. The person who first introduces new concepts in these two fields is the person who gets to decide where the fences are.
Imagine a scenario where a high-level executive demands access to mainframe data from his smartphone. There are already easily downloadable apps that turn a smartphone into a virtual 3270 terminal. If no one else has introduced concepts into your organization’s smartphone/mainframe field, then a high-level executive’s foot-stomping demands are likely to drive the decision.
Imagine, though, an earlier scenario, where you quite reasonably introduced some new concepts, not test vs. production, but something similar for end users. Suppose you declared that all mainframe production data is one of three types: OK to copy data outside the data center; OK to copy and/or change data from outside the data center using controlled programs and transactions; or not accessible at all outside the data center. (You might decide to use slightly different types to fit your situation.)
You don’t decide which type various data falls into; you just introduce the types. You invite the application owners to decide which category their data falls into, in consultation, of course, with the legal or compliance departments. Ask your security administrator to implement what they decide.
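As an added illustration of how a security administrator might implement the three data types once the application owners have classified their data (this is example code written for this column, not part of the original text; the dataset names, transaction names and classification decisions are constructed, and the rule that "OK to copy" data may be copied but not changed from outside is an assumption):

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple, List


class DataClass(Enum):
    """The three types introduced in the text."""
    COPY_OK = "ok to copy outside the data center"
    CONTROLLED = "ok to copy and/or change outside, via controlled programs only"
    INTERNAL_ONLY = "not accessible at all outside the data center"


# Constructed sample: the application owners' decisions, recorded per dataset.
# Anything missing from this table is treated as not yet classified.
CLASSIFICATION = {
    "PRODUCT.CATALOG": DataClass.COPY_OK,
    "CUSTOMER.ORDERS": DataClass.CONTROLLED,
    "PAYROLL.MASTER": DataClass.INTERNAL_ONLY,
}

# Constructed sample: transactions the owners approved for use from outside.
CONTROLLED_PROGRAMS = {"ORDRINQ", "ORDRUPD"}

# Audit trail of every decision, so access creep is visible rather than silent.
AUDIT_LOG: List[str] = []


@dataclass(frozen=True)
class AccessRequest:
    dataset: str
    outside_data_center: bool        # True for a smartphone, laptop or cloud service
    program: Optional[str] = None    # controlled transaction, or None for a raw copy
    write: bool = False              # does the request change data?


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request; default is deny."""
    allowed, reason = _evaluate(req)
    AUDIT_LOG.append(
        f"{'ALLOW' if allowed else 'DENY '} {req.dataset} "
        f"outside={req.outside_data_center} program={req.program} "
        f"write={req.write}: {reason}"
    )
    return allowed, reason


def _evaluate(req: AccessRequest) -> Tuple[bool, str]:
    cls = CLASSIFICATION.get(req.dataset)
    if cls is None:
        # The owner has not decided yet, so nothing leaves the data center.
        return False, "dataset not classified by its owner"
    if not req.outside_data_center:
        # Inside the data center the existing mainframe controls apply unchanged.
        return True, "inside the data center; normal controls apply"
    if cls is DataClass.INTERNAL_ONLY:
        return False, "classified as not accessible outside the data center"
    if cls is DataClass.CONTROLLED:
        if req.program in CONTROLLED_PROGRAMS:
            return True, f"via approved controlled program {req.program}"
        return False, "outside access only through a controlled program"
    # DataClass.COPY_OK: a copy may leave, but (assumption) changes may not.
    if req.write:
        return False, "copy permitted outside, changes are not"
    return True, "classified as ok to copy outside the data center"


if __name__ == "__main__":
    for r in (
        AccessRequest("PRODUCT.CATALOG", outside_data_center=True),
        AccessRequest("CUSTOMER.ORDERS", outside_data_center=True),
        AccessRequest("CUSTOMER.ORDERS", outside_data_center=True, program="ORDRUPD", write=True),
        AccessRequest("PAYROLL.MASTER", outside_data_center=True, program="ORDRINQ"),
        AccessRequest("HR.REVIEWS", outside_data_center=True),
    ):
        decide(r)
    print("\n".join(AUDIT_LOG))
```

The two design points worth noticing are that an unclassified dataset is denied outside the data center until its owner has made a decision (so a new application cannot quietly widen exposure) and that every decision, allowed or denied, is written to an audit trail the auditors can read against the governance rules.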
This ties directly to a concept auditors rely on: IT governance, the rules describing who is responsible and who has the authority to make decisions regarding IT. In many organizations, the CIO is specifically made responsible for IT security. If you redirect a specific portion of this responsibility to the people who best understand the business risks and legal ramifications, then you’re improving IT governance. You’re also protecting yourself, your security administrator, and your organization from careless data access outside your control.
This relates as well to Wikileaks. Many people have spent a lot of words arguing over whether the soldier alleged to have fed classified information to Wikileaks should be prosecuted. A more interesting issue, though, is who made it possible for him to have allegedly accessed the data. The secure network that people claim was used to access the sensitive data was originally designed for one department’s sensitive data. The number of users was tightly restricted. Over time, other departments added their data and users to the secure network, apparently without controls to restrict users from accessing other departments’ data. You may have known projects to die from “scope creep.” This would be an example of security disintegrating from “access creep.”
How do you protect your organization’s sensitive data from access creep with BYODs or in the cloud? You control what data leaves the protection of the data center, allowing its movement out of the data center only when the right people approve it.