False safety of outsourced IT
No matter how much of your IT is outsourced, you have the feeling that the data at the datacenter is secure. Your databases and storage, sometimes your Active Directory and other servers are there. They are secure – the procedures to protect your data are usually tough to bypass and few attackers are brave and smart (or stupid?) enough to try their luck there.
However, that is not at all important.
When somebody attacks you, they will attack your infrastructure, not the one at the datacenter. People bend much more easily than equipment, and are much more susceptible to defeat. In fact, who will spend the time breaking through tens of firewalls and protections at the datacenter, when they could bypass a single (or dual) firewall and get straight into the heart of your company?
New strategy. Before protecting your firewall, your DMZ (I already said in a previous post that the DMZ is useless) – protect your client computers. Yes, build your network with firewalls first, DMZ second, internal network and finally client computers – but start protecting your network in depth *from* the client computers, outwards. If your accountant uses Excel, Word and PowerPoint in their work, do not allow them to run Firefox or Skype! Do not give them higher than Guest permissions on their computer! They want to install the latest screensaver? Fine, let them do it at home. No playtime on the company computer network.
Your system administrators, of course, need to work as administrators of their own computers. WRONG! Guest, and Run As when needed.
The CEO needs full access to his computer, of course! … ? – NO! Guest permissions. Unless he signs a document that he is ready to take responsibility for leaking confidential information from his computer to the internet.
Think about it, and the logic will become clear. Leave one link weak, leave a microscopic opening in your security – it *will* be used against you, sooner or later. Make sure you’re not responsible for it, do your job and secure it as well as you can.
