
Balancing security and compliance

Obtaining the minimum level of compliance for an organization’s designated security standards isn’t enough. In today’s session, IT security expert Daniel Griggs discussed why it’s vitally important to do more.

Griggs has extensive experience in the field, including work with the U.S. Army and the Department of Defense. He also founded cmdSecurity where he continues to lead the charge on Apple device security and management for organizations at scale.

During the session, Griggs presented a mock technical plan that navigated the political and technical challenges of augmenting security compliance using Jamf Pro. He started with a simple question, “Why does this matter?” In short, gaps in security could destroy an organization.

Griggs reviewed some of the common security standards and suggested everyone become familiar with the following:

But why are these standards so great? Griggs said not only do they provide actionable to-do lists for almost every environment, but they also provide “battle-tested guidance” for response processes. “They’re actionable to-do lists, plus they’re literally experts telling you best practices,” he said.

But, even with all these great reasons of why to follow common security standards, Griggs said they still have shortfalls, including their inability to identify an organization’s specific risks. While evaluating what these risks may be, Griggs suggested looking to those in the hierarchy of security, which includes cryptographers, scientists and Apple security researchers. Why? “You cannot effectively audit your own deployment,” he said. “They know the why and you can talk through decisions.”

Throughout the process of identifying and implementing a security plan at an organization, Griggs said to remember that most vulnerabilities are misconfigurations in both software and operating systems. But don’t let that fact trick you into thinking that disabling more features automatically makes a system more secure. Griggs suggested asking a few key questions:

  • If a virus ran on one of my computers, would I know about it?
  • If someone was scouting out my network, would I know about it?
  • Am I sure that my computers connect to my management services securely?
  • If a user made a system configuration change, would I know?

“Remember that sometimes it’s OK for users to do a bad thing, if it stops them from doing a worse thing,” Griggs said. “I’d rather they turn on File Sharing for a little bit than put important files on a thumb drive.”

Then what? Griggs suggested building resilience into systems. “Ensure that your management always works, and ensure that your monitoring always works,” he said of two easy enhancements to any security standard. But, he warned, there are also dangers in going too far with proactive technologies. Griggs encouraged evaluating whether the technologies being considered add more value than risk. Then, “live off the land,” he said.

Using native Apple features in smart ways is a move Griggs said can’t be ignored. This includes things like: blocking known bad IPs; blocking internet on compromised Macs; ensuring users don’t add sudo rights; etc.
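As an added example (not from the session, and not Jamf’s or cmdSecurity’s own code), the following shell script shows what “living off the land” can look like for two of the “would I know?” questions above: a Jamf Pro extension-attribute style check that reports local admin accounts and `/etc/sudoers.d` drop-ins that are not on an approved list. The approved names (`root`, `itadmin`, `README`) and the `jdoe`/`99-jdoe` sample data are constructed assumptions.

```shell
# Added example, not from the session: a Jamf Pro extension-attribute style
# check for unapproved local admin accounts and unapproved sudoers drop-in
# files. The approved lists below are assumptions; use your own values.
APPROVED_ADMINS="root itadmin"   # assumed org-approved local admin accounts
APPROVED_SUDOERS="README"        # assumed approved files under /etc/sudoers.d

# unexpected_members APPROVED "GroupMembership: a b c"
# Prints admin-group members missing from APPROVED, one per line. The second
# argument is what `dscl . -read /Groups/admin GroupMembership` prints on macOS.
unexpected_members() {
  members="${2#GroupMembership: }"
  for m in $members; do
    found=0
    for a in $1; do [ "$m" = "$a" ] && found=1; done
    [ "$found" -eq 0 ] && echo "$m"
  done
  return 0
}

# unexpected_sudoers APPROVED "newline-separated ls output"
# Prints /etc/sudoers.d entries missing from APPROVED, one per line.
unexpected_sudoers() {
  printf '%s\n' "$2" | while IFS= read -r f; do
    [ -z "$f" ] && continue
    found=0
    for a in $1; do [ "$f" = "$a" ] && found=1; done
    [ "$found" -eq 0 ] && echo "$f"
  done
  return 0
}

# drift_report "GroupMembership line" "sudoers.d listing"
# Returns "OK" or a one-line summary suitable for a Jamf extension attribute.
drift_report() {
  admins="$(unexpected_members "$APPROVED_ADMINS" "$1" | tr '\n' ' ')"
  dropins="$(unexpected_sudoers "$APPROVED_SUDOERS" "$2" | tr '\n' ' ')"
  admins="${admins% }"; dropins="${dropins% }"
  if [ -z "$admins" ] && [ -z "$dropins" ]; then
    echo "OK"
  else
    echo "Unexpected admins: ${admins:-none}; unexpected sudoers.d: ${dropins:-none}"
  fi
}

# On a Mac read live data; elsewhere use a constructed sample so the script runs.
if [ "$(uname)" = "Darwin" ] && command -v dscl >/dev/null 2>&1; then
  membership="$(dscl . -read /Groups/admin GroupMembership 2>/dev/null || true)"
  listing="$(ls /etc/sudoers.d 2>/dev/null || true)"
else
  membership="GroupMembership: root itadmin jdoe"; listing="README
99-jdoe"   # constructed sample: one extra admin, one extra drop-in
fi
echo "<result>$(drift_report "$membership" "$listing")</result>"
```

Run as an extension attribute, the `<result>` line gives Jamf Pro a value to smart-group and alert on, so a user-added admin or sudoers entry surfaces at the next inventory update instead of going unnoticed.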

Griggs suggested setting goals for planned enhancements, with subsequent evaluations of the technical plans around them. Used together, he added, all these steps will help an organization go beyond the basics of IT security and establish a stronger core security system.