Wednesday, July 7, 2010


An old boss of mine used to say that his best employees are the laziest, because they create automation to do their job, and automation reduces human error. Since human error is one of the leading causes of security breaches, this also means that using automation appropriately could not only serve to free up time, but also reduce your exposure and boost your security.

Granted, developing automation can be a pain. It sometimes takes days of development and testing, but the benefits are fantastic. For example, one of the most common security pain points out there are user accounts. Every time an employee joins the company, you have to create an account, create a random password, fill in all the account details, assign the user to various groups, and finally, convey the appropriate information to the user securely. If an employee leaves, it’s even worse, because you have to close out the account with very precise timing, to make sure the ex-employee doesn’t get locked out prematurely, but also not be able to connect from home after leaving his position. The worst are role-changes, which require you to carefully clean-up the account of unnecessary permissions, to make sure the employee can’t abuse the rights he had in the past.

When you need to do this on a routine basis, within a few days, you would be able to perform such tasks almost blindly. Like driving a car, this is what we refer to as “over-learned activity”. After a while, we tend to feel confident enough to chew a sandwich while doing it, talk on the phone or installing a server (talking about the network here…not installing a server while driving a car), and that’s where the little mistakes creep in. We might send the password to the wrong person; add the user to a group that has too many permissions, or worse. I’ve met an engineer who once, absentmindedly, misspelled the first name of a person named Bart as…well…you can guess. That guy got some chewing, but he might as well have exposed his network to attackers if his absentmindedness led somewhere else.

If you’re lucky, perhaps your company is rich enough to afford identity management software, but the costs of such suites and their adoption is immense. If so, why not write up your own automation? A VBScript, ASP page, PERL script or sometimes even a Batch file can save you tons of tedious work. If you’re thinking to yourself “heck…I ain’t no programmer!” you might be selling yourself short. Some tasks are so simple to achieve in VBScript and Batch that you can achieve this almost instantly. For example, a script to generate a random password in VBScript is so simple. Here’s a clever and tight one by Martijn Haverhoek . Here’s another one, written in JavaScript: . With time and patience, a script can be written to automate almost the entire process of creating and deleting user accounts, as well as other administration tasks.

Even when using automation, mistakes can still happen, but by shortening the processes, it makes them less tedious and encourage performing them with more attention and focus. Another advantage is that it may allow you to delegate some tasks to your subordinates (knowing that there is less things for them to mess-up) or to your colleagues when you go on leave. Even if you are a decision maker and will never get into programming, you can still benefit your organization by hiring or contracting someone to develop some automation for you. Start simply by thinking which processes are performed routinely, and which are the most annoying or tedious. From then on…the sky’s the limit!

No comments: