For years, the OSI Model has been the standard for describing the way data moves from the wires and cables in the walls connecting computer systems, through our devices and applications, to what we see on screens of all shapes and sizes. The model describes the 7 layers in which information moves, and it is a fundamental part of understanding technology and security architecture as we know it today. If you’re not already intimately familiar with it, here’s what it looks like:
Officially, the OSI model stops at 7 total layers. However, anyone who’s worked in the IT field for any length of time is fairly familiar with an unofficial 8th layer. Some refer to it as the Political Layer, reflecting that an organization's choices and/or policies can affect the use of data and other information technologies. Others call it the Finance Layer, stressing that procurement teams have more control over the final outcome of how information is used and presented in an organization, as they control everything that gets purchased from the wires in Layer 1 on up to the applications in Layer 7. For me, though, I simply refer to it as the Human Layer, which represents all of the users, executives, system administrators and customers that use any type of technology to get business done. And, for most security organizations out there, it represents one of the most under-protected and neglected pieces of a corporate security program.
The First 7 Layers are Easy
Solving technology problems is actually surprisingly easy. Throw enough money, time and resources at a problem, and you can build a technological system that does exactly what you need it to do. Obviously, there are limitations for all of our organizations in one or more of those areas, but the point here is that it’s a fairly straightforward path to solve a problem. Need to provide email services? All you need to do is acquire some servers, install some mail software, hire a mail administrator, configure, implement security architecture, deploy and voila! Email! Add in some processes and procedures for keeping email secure, and even your security program involvement can be fairly straightforward to maintain compliance with policies and/or regulations.
But, how do you secure the use of those systems by all of your users? People are not software programs you can configure, and it’s incredibly difficult to predict what they may do with the technological tools you allow them to use. What’s to stop a user from emailing intellectual property out from their workstation? Whether malicious or accidental, this human action can present a huge risk to your organization, and the reality that most organizations face is: the Layer 8 problem is really hard to solve.
Policy Is Part of the Problem
So how do you secure the human elements within your organization? It all starts with creating and implementing sound, strong corporate security policy. Now, I admit, this isn’t the most glamorous or interesting part of building a security program. No one brags about documenting the methodology by which users are on-boarded and given proper rights and permissions in the environment the way they brag about identifying a previously unknown piece of malware and reverse engineering it before it caused any damage. But policy is still a fundamental and critical part of your program, and it behooves every organization to develop a comprehensive and easy-to-understand document. With a well-developed policy, you can begin to layer on the specific requirements, guidelines and standards on which you can train your users at every level of the organization, so that they are clear as to what is expected from them and how they are allowed to use the technologies within your company.
What most organizations have today, however, are weak policies that are typically not updated yearly, contain out-of-date information and poorly understood requirements, and, because of a lack of communication, are likely being ignored or circumvented throughout the environment. When the fundamental guidebook of your security program is weak and ignored, it becomes completely ineffective and can even hinder your ability to remain nimble in addressing security issues in the future. Working on policy documents may not be to everyone’s liking, but it is a critically important function that every organization must make a priority, including the review and updating of the policy on a periodic basis (no longer than yearly). This gives management a strong place to work from to direct teams to action and to purchase appropriate technologies to support the policy efforts, and it gives all employees a reference point for conducting business in a secure fashion that aligns with the company’s goals.
Trust, but Verify
Once policies are in place, the most common next step is to institute a security awareness training program for all staff. And it’s a very good next step to take! But training isn’t sufficient, no matter how comprehensive the content is or how thorough your organization is about ensuring every employee completes the training. There must be a monitoring and verification program in place to identify anomalous behavior from users, as well as a means to address these situations when they arise. Note that I have not suggested that all rights, permissions and tools be kept under lock and key, or that every user’s ability to do anything be minimized. Empower your employees to do what they need to do to get the job done, and trust them to always do the right thing in alignment with policy.
But with that trust comes accountability, and to ensure that, you must monitor activity to identify when an outlier is violating that trust. The last thing any organization wants is to have one of their trusted employees become a rogue insider like one of these folks:
There are huge segments of the market that can provide technology solutions for behavioral analysis or Security Information and Event Management (SIEM), and those solutions should definitely be in place. These tools can solve the technology side of the problem by gathering logs and other event information, but be sure that you have strong leadership and well-documented processes in place that can effectively deal with an employee who may be performing actions that violate policy, whether intentionally or unintentionally. Train, coach and mentor your leaders to handle these sorts of situations appropriately, both legally and from an organizational culture perspective. And, as with the discussion of policies above, be sure to take the time and effort to document the guidelines and procedures for these types of incident review processes, and to communicate them so there are no surprises for anyone in the organization.
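To make the "monitor, then hand off to a documented review process" idea concrete, here is an added example (not the author's code or any SIEM product's logic) that reads constructed outbound mail gateway log lines, totals the bytes each user sent outside the company domain, and flags users whose volume is far above their own constructed baseline. The log format, the domain `corp.example`, the baseline figures and the thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict

INTERNAL_DOMAIN = "corp.example"  # assumed company domain

# Constructed sample lines in a hypothetical gateway log format (not real data).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z from=alice@corp.example to=bob@corp.example bytes=14200 attachments=1
2024-03-04T09:15:44Z from=alice@corp.example to=partner@vendor.example bytes=20100 attachments=1
2024-03-04T10:02:10Z from=carol@corp.example to=team@corp.example bytes=3100 attachments=0
2024-03-04T10:30:00Z from=dave@corp.example to=me@personal-mail.example bytes=52428800 attachments=6
2024-03-04T10:31:12Z from=dave@corp.example to=me@personal-mail.example bytes=48000000 attachments=5
2024-03-04T11:00:00Z from=erin@corp.example to=client@customer.example bytes=220000 attachments=1
"""

# Constructed per-user baseline: mean bytes per day to external recipients
# over a prior period (made-up values for the example).
BASELINE = {"alice@corp.example": 25000, "carol@corp.example": 0,
            "dave@corp.example": 30000, "erin@corp.example": 400000}

LINE_RE = re.compile(r"from=(\S+) to=(\S+) bytes=(\d+) attachments=(\d+)")

def parse_log(text):
    """Turn gateway log lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"from": m[1], "to": m[2],
                           "bytes": int(m[3]), "attachments": int(m[4])})
    return events

def external_bytes_by_sender(events):
    """Sum bytes per sender for mail whose recipient is outside the company domain."""
    totals = defaultdict(int)
    for e in events:
        if not e["to"].lower().endswith("@" + INTERNAL_DOMAIN):
            totals[e["from"]] += e["bytes"]
    return dict(totals)

def find_outliers(totals, baseline, factor=10, floor=1_000_000):
    """Flag senders whose external volume is above an absolute floor AND at least
    `factor` times their own baseline (a user with no baseline is judged on the
    floor alone). The result is a queue of items for the documented review
    process described in the text, not a verdict of wrongdoing."""
    flagged = []
    for user, sent in totals.items():
        base = baseline.get(user, 0)
        if sent >= floor and sent >= factor * base:
            flagged.append({"user": user, "sent": sent, "baseline": base})
    return sorted(flagged, key=lambda r: r["sent"], reverse=True)

if __name__ == "__main__":
    for item in find_outliers(external_bytes_by_sender(parse_log(SAMPLE_LOG)), BASELINE):
        print(item)
```

The per-user baseline matters: erin's 220 KB day is normal for her and is not flagged, while dave's roughly 100 MB to a personal mailbox is both above the floor and far above his own history, so only his entry reaches the review queue.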
When you and your organization handle the Layer 8 challenges alongside the rest of the technology stack represented by the OSI Model, you not only address a key form of risk to your environment caused by human error, malicious insiders, social engineering attacks and legal issues, but you also bolster the overall effectiveness of all of the technology you have invested in and put in place to secure your systems, networks and applications. It’s easy to get lost in the process of procuring the next great technology solution, but now more than ever, it’s imperative that organizations address their people and policies to create a complete security program.