During one of the EfficientIP sponsored roundtable discussions at Security Field Day 6 we discussed DNS security, and how useful watching what people do with DNS can be.
DNS is, for the most part, ragingly lacking in privacy and we are spied on a lot just trying to go about our day. This surveillance is quite useful for security monitoring, but should we be spying on our staff like this in the first place?
Why do we, as IT admins, consider it acceptable to spy on people just because they happen to work here? Why does paying someone in exchange for their labour entitle us to observe their every move, every website they decide to look at?
If they’re so bored and disengaged that they’re browsing gambling sites at work, why is their manager not already aware of this and doing something about it? Why are you, as an IT admin, getting involved in what is a management issue of someone who doesn’t report to you?
Why is surveillance of DNS so vital to securing your IT systems?
Failure of Imagination
The reliance on surveillance as a pre-requisite for security is, I think, severely limiting. The idea that you cannot secure something you can’t see is, for many circumstances, simply not true. The entire premise of Need To Know compartmentalisation of knowledge is that not everyone needs to know everything because that’s how you can keep information secret and secure.
So why do we throw this notion out the window when it comes to security monitoring? Why do we constantly try to build ever more pervasive panopticons inside our organisations in the name of greater security?
Why does the inside of a modern corporate so closely resemble an authoritarian dystopia?
And what if we abandoned that idea, even if just for a moment, and tried to imagine how we would secure things without being able to bug every laptop, phone, switch, desk, chair, and bathroom stall in the company?
What if you built your security system around the idea of not being able to see everything all of the time?
My Challenge To You
I want you to try this exercise: Imagine you are not allowed to spy on your employees.
How would you secure things? Could you do it? Why, or why not?
I put it to you that there are plenty of things you can do that involve your employees and staff in the group task that is protecting your community.
Instead of taking an authoritarian, top-down approach to things, consider taking an emergent, public health approach where people take care of themselves and each other and you don’t actually have to do very much yourself.
Why not give it a try, even just as an exercise?
You might surprise yourself.
Pingback: Are We the DNS Baddies? - Gestalt IT
Pingback: Are We the DNS Baddies? - Tech Field Day