I recently started on a new project at work. I'm in a fairly non-technical role on a technical project. I've been there just over a week now and I finally feel like I understand what's going on, where I fit in, and where the project is headed (for better or worse). What's sad is that even after 11 days, I cannot (officially) log onto my client's computer systems. I have no badge. I've been roaming the building for days, but I officially do not exist.
This is an example of poor access controls. Despite having no log-in of my own, I've spent hours navigating around their network and learning what I need to learn (that might sound hacker-ish... it's not meant to. The project I'm working on uses a SharePoint site and a few other cloud-based tools for tracking and collaboration). Despite having no badge or key card of my own, I've spent days navigating around their buildings (plural). This got me thinking today about how IT departments handle access issues. Anyone who works as a consultant regularly deals with getting acclimated to new cities and getting access to new client systems. But, for reasons I don't fully understand, some clients are extremely proficient at the task of managing users and others are not. I've decided it mainly comes down to how company leadership balances security policy with the need to get things done.
The utility companies I've worked at are, for good reason, extremely focused on security. It's near impossible to enter a building or log onto a system without a badge or a system profile. Most of the buildings I've been in have gates in the lobby that alarm if you don't swipe your card, they have elevators that require a key card to operate, and they have uniformed security in fixed and rotating positions. Additionally, the systems are configured so that a user can only be signed in from one location at a time (no sharing of log-ins), accounts lock out if the password is entered incorrectly too many times, etc. They cannot be accused of being lax on security. At the same time, I've never waited more than a few days for all the access I need. I think in part this is due to the fact that utilities operate in a regulated environment with tightly controlled costs and margins. Any delays can adversely affect profitability and costs, which in turn can annoy powerful regulators.
I can contrast this with a media company I worked at that seemed mostly unconcerned with security. On day one I was handed a plain, unremarkable Kastle card and a form for access to the building. I was told to try to turn the form in by the end of the first week, but that the Kastle card was already active and I had full access to any floors I needed (mind you, my client only had offices on two floors). When I met my client sponsor upstairs (not in the lobby), he gave me a user name and password from a former consultant who had left a few weeks earlier. He said it would get me up and running until my paperwork was processed. The upside is that I was working full-bore on day one. The downside is that IT security was nearly non-existent. I mean, I was using the log-in of a guy who'd been gone for 3 weeks... why did it even still work? These things should be turned off right away.
Then I've worked at government agencies. These guys take security to a whole new level. I had to go to the client site two weeks before my start date to pick up paperwork, get fingerprinted, and sign some forms. Then, on day one I was given a guest pass and an escort. These two things stayed with me for two weeks. I could not carry my own laptop into the building until it was certified as virus/malware free by IT and was given a special tag to denote it as "non-government property". I was required to leave my BlackBerry in the car because it had a camera (I eventually bought a new one with no camera). Needless to say, for the first couple of weeks my productivity was less than optimal (though my bill rate was pretty good!). Because of the sensitivity of the agency I was working with and the nature of the material I was handling, security was a vastly higher priority than cost or profitability.
What it all comes down to is finding the right balance of security vs. profitability for your company. For a highly sensitive government agency, it makes sense that efficiency would take a back seat to security. For a small media company it might be OK to relax a bit on security. And for a utility company, it's probably right that they fall somewhere in between.
A few tips to get up and working as fast as possible:
1) Start the process and paperwork as soon as possible. If you know weeks ahead of time that you're going to start on XYZ day, call your client and find out what can happen ahead of time. Sometimes providing a name and DOB can really get the ball rolling. Likewise, if you're a buyer, reach out to your consultants and request the necessary information. There is no reason to wait until the consultant is on the ground (charging your company).
2) Do not give out your password. I don't know how my client got the old consultant's log-in information, but make sure to protect your own. Change passwords regularly, do not use the same password for everything, and never give it out. If you're a buyer, delete access as soon as possible after someone leaves, require password changes frequently, and never encourage password sharing.
3) Grant only the access needed. If someone only needs access to one system, provide only that access. If they only need access to one floor in a building, do not give them access to all the floors. And if you are a consultant (or an employee even), don't attempt to access things you don't need. This will only open you up to liability.
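Tips 2 and 3 (turn off access promptly when someone leaves, and grant only what the role needs) can be checked routinely rather than left to memory. The script below is an added example, not part of the original post; the account roster, the role-to-entitlement policy and the dates are all constructed for illustration, and the "former consultant still enabled weeks after leaving" case mirrors the story above.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Account:
    user: str
    role: str
    enabled: bool
    engagement_end: Optional[date]          # None = open-ended (employee)
    entitlements: set = field(default_factory=set)

# Constructed policy: the minimum each role needs (tip 3). Anything beyond
# this set is "excess" and should be questioned in the review.
ROLE_NEEDS = {
    "consultant": {"sharepoint", "floor-7"},
    "sponsor": {"sharepoint", "hr-system", "floor-7", "floor-8"},
}

def review_access(accounts, policy, today):
    """Return (user, finding, detail) tuples for stale or over-provisioned accounts."""
    findings = []
    for a in accounts:
        # Tip 2: an enabled account whose engagement ended is stale.
        if a.enabled and a.engagement_end and a.engagement_end < today:
            days = (today - a.engagement_end).days
            findings.append((a.user, "stale", f"enabled {days} days after engagement ended"))
        # Tip 3: entitlements beyond what the role needs.
        extra = a.entitlements - policy.get(a.role, set())
        if extra:
            findings.append((a.user, "excess", "beyond role need: " + ", ".join(sorted(extra))))
    return findings

# Constructed roster and review date.
TODAY = date(2024, 3, 22)
SAMPLE = [
    Account("old.consultant", "consultant", True, date(2024, 3, 1), {"sharepoint", "floor-7"}),
    Account("new.consultant", "consultant", True, date(2024, 9, 30),
            {"sharepoint", "floor-3", "floor-7", "floor-8"}),   # badge opens every floor
    Account("client.sponsor", "sponsor", True, None, {"sharepoint", "hr-system", "floor-7", "floor-8"}),
]

def run_sample():
    return review_access(SAMPLE, ROLE_NEEDS, TODAY)

if __name__ == "__main__":
    for user, kind, detail in run_sample():
        print(f"{user:16} {kind:6} {detail}")
```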
Good Talk,
Tom