by Reuven Harrison

Lego lessons can help CIOs deliver better IT security

Jun 15, 2010

As a boy, like many lads of my age, I loved Lego – I’d use the red, green, blue, yellow and white bricks that, in those days, came in just a few shapes, to construct houses, ships, cars and stairways that led absolutely nowhere.

Lego – for small boys, as it is today – is all about fun and imagination.

Many companies are now approaching security as an integral part of IT which requires proper management and the business processes around it.

In many ways the approach to building models as a boy that Lego engendered is the approach that is needed in the modern world of IT security – a set of building blocks, in different shapes and colours that can be combined to build an effective IT security process.

The ‘building block’ principle is nothing new in the world of network computing. It is similar to the approach taken by developers of the ‘C’ programming language back in the 1970s when Bell Labs came up with the then fledgling Unix programming language.

C’s minimalist approach allowed early software developers to develop quite complex programs by taking a modular approach to program development.

Within a few years of C’s release, libraries of simple C routines were developed that, like Lego bricks, could be combined to produce quite spectacular software capable of doing a great deal with quite limited memory and processor facilities.

Fast-forward 38 years and my team and I are explaining how a modular approach is the only way that security processes, which differ so widely from one organisation to another, can be supported by a generic workflow solution.

After a couple of years detailing the Tufin IT security solutions, I have realised that there is no such thing as a standard process for managing changes to the security policy of an organisation.

For example, whilst one organisation starts off with an access request which is then approved by a line manager, another may first want to design the change and only then approve it.

If you extrapolate the Lego ‘building block’ approach to the security policy issue in most organisations, it’s clear that a modular methodology can pay dividends when there is a need to deviate from normal procedures.

As another example, some professionals want to allow requesters to specify the target firewalls, whilst others keep them strictly within the domain of the firewall operations group.

In an ideal world, it would be down to the IT professional to issue the dictum – “here’s how you should be working” – and provide one ideal process for managers to implement.

As any IT professional will know, however, this ideal cannot work, as the principle of ‘one size fits all’ does not work with IT security – every organisation has developed an often unique set of processes that match its needs, organisational structures and policies.

In addition, beyond the obvious technical constraints, it’s clear that there are also social and political factors that have shaped these processes and these cannot be modified very easily.

But there is a solution – and once again the modular principles that millions of small boys the world over have adopted with Lego blocks also apply to the grown-up world of IT security.

And flexibility also comes into play here, as instead of a single rigid process, companies like ours have opted to provide their clients with a variety of small security building blocks that can be compiled into the organisational process.

These building blocks are designed around permissions and roles; users and groups; workflows composed of configurable steps; and forms that consist of configurable fields such as input fields and drop down lists.

Other ‘Lego blocks’ include access flow descriptions that can change their appearance to match the needs of users with different roles; and dynamic but controllable workflows so that users have flexibility within a fixed framework.

This modular approach has been well received amongst the end user community, who appreciate that the building block approach is highly effective in a variety of environments with differing processes, including those situations that management have not yet seen – or anticipated.

By allowing IT professionals to create their unique set of IT security processes – and processes that are almost infinitely customisable – the rest of the organisation can get on with its core business.

When I was a small boy, Lego taught me a lot. Now that I’m a bit more grown up, the principles I’ve learned from Lego have helped shape my professional approach to security.

Now where did I put that Meccano set?…

About the author:

Reuven Harrison is CTO of Tufin Technologies