Trust or Enforcement

There are two approaches to security:

  • Enforce
  • Trust, but verify

The first places hard restrictions on what users can do. Advising development teams, I very often find that development workstations are locked down so tight that a developer can’t install a needed utility without logging a service request. The enforcement strategy always comes with a cost in lost productivity, but nobody bothers to count this cost.

The second places few restrictions on what users can do, but has a rock-solid audit function and people to actually monitor this. This approach doesn’t suffer the loss of productivity that enforcement does, but it does require you to generally trust your users to do the right thing. The problem with the trust & verify strategy occurs when organizations do not truly monitor what users do. This can allow malfeasance to go on for too long.

Make a decision which way you want to go. If you go with enforcement, make sure to calculate the cost. If you go with trust & verify, make sure you truly implement the “verify” part.