Steve Riley posts on a topic he discussed at Tech-Ed – protecting the data, because everything else is just plumbing.
He has a point. After all, the thing most in need of securing on your system is your data: the hardware, OS and tools can all be replaced at nominal cost (generally by buying a new machine, and installing from the original disks if you have them, or buying replacements), compared to the cost of replacing the data (and dealing with lost customer confidence, regulatory action, etc.).
However, technological security boundaries are generally designed to prevent users from knobbling the system and its applications, rather than preventing the users from knobbling their own files. This does provide some protection between users, so user A can’t kill user B’s files unless they previously agreed to share.
But it doesn’t protect against user A killing user A’s files.
Perfect backups – maintaining every bit that has ever been on the system – are a little extreme, given the huge storage requirements, even if you could achieve that state physically.
“Previous Version” (aka Shadow Copy) support goes a long way to providing for a functional “time warp” file system, where users can recover their own data from corruption – this functionality is in Windows XP, Server 2003 and Windows Vista (presumably also in Windows Server 2008, but no plans are solidified until the OS ships).
So, that’s recovery – but what about prevention? Other than today’s outdated-by-the-time-you-download-them antivirus programs, what good security measures do we have to protect the user from the unexpected consequences of processes running in their own security context?
Education, awareness and training count highly in that area, by convincing your users that the data they work with is a valuable commodity and should be handled with some caution.
But there’s really little you can do from a technological standpoint to distinguish between a user’s request to modify or delete a file, and a virus acting on that user’s behalf.
Business rules are great for enforcing ‘common sense’ on your data at work, but who wants to set “business rules” up for home use? What about all those ‘unsupported applications’ – the Excel spreadsheets replete with macros, the Access databases built by the sales team, any scripts put together for a specific purpose, and then used year after year without any thought to modification for reliability?
Consider reliability and the application of common sense to be a part of security, and remind your users that it is within their skill to do the same. Even when every piece of software deployed in your business is controlled by Group Policy, and every technological measure has been applied, you still need to give your users the tools, the education, and the reasons to keep your systems’ data secure.