Denying everything, a temptation that must be resisted | by Vicente Aceituno Canal | The CISO’s lair


Because it can turn against you silently

Certain cybersecurity principles are taken as revealed truths that should not be questioned, including:

  • Confidentiality, Availability, Integrity
  • Defense in depth
  • Need to know
  • Least privilege

There are many consequences of not taking a step back and examining whether these principles are applicable to our environment. Among them is the classic attitude of using Deny All as the default access setting for every kind of information, granting access only when strictly necessary.

While this is in all likelihood a good approach for military and intelligence environments, it may not be very useful in many enterprise environments.

The reason is very simple: denying access is the best option when someone who is not entitled to the information actively wants access to it. When that prerequisite is absent, what a Deny All setup actually does is block the flow of information throughout the organization, making collaboration harder. No one will ask for access to something they don’t even know exists. This is a quiet, often unacknowledged harm: access to information is restricted for no reason.

I invite you to review your access settings with a simple question: who would want access to this that shouldn’t have it? If you find that hard to answer, the repository in question should probably be open, at least within the organization.

The only information I restrict is business proposals and the personal information of my team members. The rest of the information I manage is public within the organization.

You may or may not be surprised at how many people read publicly available draft cybersecurity policies that have not yet been approved. It is an integer between +1 and -1.
