views:

104

answers:

5

I'm maintaining an Intranet website for my company that they want to expose to the big, bad outside world. Right now, it has no authentication or authorisation whatsoever. My idea to manage user accounts is by using existing technologies to validate user accounts and build an authorisation model on top of this. Existing techniques would be CardSpace and OpenID, which would save us from maintaining lists of usernames and passwords, thus making the site less interesting for hackers. The data on the site isn't that sensitive either. Actually, we just export the same data to users of one of our desktop products as XML and anyone can view this information if they know where it is. We're just blocking everyone from modifying the data, except for a few super-users. At worst, a superuser destroys all data, in which case we'll have to restore a backup. In the worst case, we lose one day of data entry, which would translate to a hundred modifications at most. (98 was actually the highest number of modifications in a single day so far.)

All in all, it's not very critical data. We just want some security added to it all.

Now, management has suggested building an additional database where we would store usernames and passwords, add encryption and do all kinds of other things to protect this user data, and they're basically making up all kinds of weird schemes to handle user accounts. None of them are experienced with the technical aspect of software design and none of them has any knowledge about making systems secure. Thus, their designs become complete Chaos. (With a capital C.) It has already taken them two months to come up with a functional design, since they even fail to agree with one another on certain security aspects.

So they asked me to provide them an easy-to-understand insight into proper security. Since I know that both CardSpace and OpenID are reasonably secure, I want to introduce these to them as the best options for managing accounts. Add a simple role system to this where every account is connected to a special role, granting additional rights beyond "View only"; this would be quick to implement and easy to maintain. Building this, making a proof-of-concept and finding enough technical information is easy. I only have one question...

How do I explain techniques like CardSpace and OpenID to people who have absolutely no technical background? Something like "OpenID for Dummies" but even easier to understand. I am having trouble finding the proper words without becoming a bit technical again. (And worse, if I fail to explain this correctly, they might decide not to use this technique and I'll be doomed to implement a monstrous construction.)

Please, Help! :-)

Oh, well. Simplified question: How do I explain in non-technical words the advantage of using OpenID or CardSpace over any home-brew solutions?


Addendum: These managers are not my "normal" managers. They're basically the CEO and partners of the company, who came up with the idea to have the site published. Normally, they would delegate these tasks to the regular managers and accept any solution the regulars come up with. But this has become a bit of a prestige project for them, thus they're personally involved. At least one of them has been searching the Internet for information about security and wants it to be more secure than Fort Knox. He's causing a bit of paranoia that I need to subdue, without offending them either. And they all seem to learn more about this "security" thing without even understanding the technical aspect. Since it is a prestige project, they are willing to accept an expensive solution, but it's just not good for the company. Personally, I'd like to tell them to back off and let real professionals handle this. Then again, I also like to keep my job, so I need a more politically correct answer.

+1  A: 

Using a validated solution, such as OpenId or CardSpace, is:
- lower cost
- more reliable
- faster to implement
- more secure
- not another password to remember

Burkhard
I can say that, but then they will ask me why it's easier/more reliable/faster to implement/more secure. These people are truly non-technical. (Basically, they're the top-brass of our company, not my regular managers who tend to have some slight technical knowledge.)
Workshop Alex
I'd remove easier; pointy-haired in-duh-viduals often hear "lazy" for "easy" (also, if it's easy, how can it be secure?). I'd add "lower cost", even though it's an "obvious" (you'd think) consequence of "reliable" and "faster".
Binary Worrier
A: 

What technology are you using to write this intranet site? Almost every single technology in use has a good way to implement security, and reinventing security from scratch always fails.

That's not to say your managers are wrong. In the same way that you know technical limitations that they don't understand, they may know about company policy or governance that you don't know about too.

Sohnee
The site is written in ASP.NET, uses SQL Server and runs on a Windows 2003 server. (And I wrote most of it.)
Workshop Alex
In that case - check this out: http://msdn.microsoft.com/en-us/library/330a99hc(VS.71).aspx
Sohnee
+1  A: 

I always think that explaining security to managers is easiest if you explain it in terms of economics - not just financially, but try and describe the user experience in terms of economic theory too:

  • it costs a certain amount of mental effort to remember yet another password, which their solution would impose
  • there's some cost in mental effort associated with the OpenID login process, which makes you jump between different sites
  • there are risks associated with each approach
  • each approach mitigates certain risks
  • each approach costs some money to implement
  • each approach costs some money to maintain

Now you can talk about the monetary cost, user experience cost and development cost of each approach, as well as the risks to the business, their likelihood and probability. Managers are paid to understand cost and risk so ought to be good at dealing with your explanation :-).

Graham Lee
Ah, Money. Didn't think of that, but they would understand that approach. :-)
Workshop Alex
+1  A: 

Writing your own security system is hard. The chances of getting it wrong are significant. The consequences of getting it wrong are huge embarrassment, potential lawsuits and ultimately cost to the company's bottom line.

The wise solution is to minimize the risk to the company.

(You could also appeal to their sense of self-preservation. Who gets the blame if an in-house solution goes pear-shaped versus an off-the-shelf solution?)

Stephen C
+2  A: 

You could sell it with the "Verisign" argument.

We could all generate and store our own strong cryptographic keys, but it's a huge overhead and Verisign do it for a nominal charge, and like a secure bank (not that there's too many of them around anymore) it has a huge amount of trust from the business community, and while there are other companies providing the same products, Verisign is the market leader.

Another aspect of Internet security is user ids & passwords.

An "Open Id" is like (forgive the metaphor) a passport: it proves who you are because you have declared your identity to a trusted agency (the issuing country for a passport, Verisign et al for Open Id) and it can thereafter be used to prove who you are.

Verisign provide open ids; Verisign are trusted in the marketplace; ergo, you can trust open ids.

Binary Worrier
Sounds like the best answer to me. Comparison with a well-known company, the money aspect, trust for OpenID... This sounds convincing enough to me. :-)
Workshop Alex
As you have a Microsoft application, you might consider Passport, which is their version of Open ID.
Sohnee
Hence my "forgive the metaphor". You don't want some decision maker to hear "Passport" and associate it with Microsoft Passport. They'll either latch on to it ("Wow, let's use Passport instead!") or dismiss it ("Oh no, I heard that failed, we are NOT using Passport!").
Binary Worrier