About 100 years ago, a brain teaser known as the nine-dot puzzle appeared in the Cyclopedia of Puzzles. It is fairly simple in principle, but it can be quite challenging for many people when they see it for the first time. An array of nine dots, equally spaced in a square pattern are presented with the challenge to connect all the dots with four straight lines without lifting the pencil from the page. The solution to the puzzle requires that lines go beyond the boundaries of the imaginary box that is formed by the outer set of dots. Since most people will limit themselves to the invisible borders formed by the dots, the solution can be elusive.
For many years, the nine-dot puzzle has been used to challenge people to approach a problem in an unexpected way. Since then, the puzzle has become a popular way illustrate the value of creative thinking. This puzzle is so associated with creative thinking that the phrase “thinking outside the box” is now a common part of our vocabulary. In the world of information security and compliance, it can sometimes be valuable to intentionally limit solutions and keep our thinking “inside the box.”
Information technology professionals are often creative problem solvers by nature. After all, they find new ways to leverage technology to solve new problems every day. As new systems are deployed and old systems are upgraded, it brings new opportunities to do something better, faster and more cost-effectively than the day before. That thinking is born from a spirit of innovation, creativity and experimentation. The world of information security and regulatory compliance, however, is based upon rigid structure, discipline, and limiting the capabilities users to interact with a system to maintain the confidentiality, availability and integrity of data. Placing limitations on a system’s capabilities can run counter to the natural inclination of IT personnel, but it can pay enormous dividends in preventing information security incidents, regulatory fines and privacy breaches.
Security is inherently inconvenient. Just as using a key to unlock the front door when you have a bag full of groceries can be frustrating, so too using multi-factor authentication to access a secure system safeguarding confidential data can be inconvenient. Treating a secure environment as an inflexible fortress (think of our secure “box”) to protect precious data is the best way to prevent a breach. Inside this box, it is best to limit creativity and accept legalistic process — even when it may frustrate the natural creativity of technical talent. There are other advantages to carefully defining the boundaries of the secure system. In addition to helping limit activities within the secure perimeter, it clearly lets personnel know where more flexibility is allowed: outside the box.
Often, it is best to define the secure system boundaries as tightly as possible. Keeping a small footprint makes the secure environment easier to maintain, minimizes the impact of strong security on daily operations, and discourages personnel from violating security in an effort to make daily tasks easier. In most cases, a smaller, secure environment is stronger and easier to maintain than a more expansive system. Keeping the secured environment smaller also has the benefit of reducing the scope, cost and time demands of security audits and compliance assessments.
Defining a secure system that will clear boundaries is a one part of an overall security program. Keep the system boundaries for enhanced security as small as possible and encourage a culture that embraces structure and rigid adherence to the rules inside those boundaries. Doing so protects confidential data, minimizes operational impact of security controls, and makes system management easier and more affordable.