How Much Security Is Too Much?

By Rich Loeber

Last time, I posed the question "Just how much security is enough security for your IBM i?" This tip will explore the contrary thought of "Just how much security is too much?". Is there a point where security is just too much for your installation?

First, we need to admit that all security involves overhead expense. If you are running security software features in the operating system, they take some computing resources to perform access validation routines. When you run additional security validation, such as exit point processing, that adds more processing overhead. When you require users to regularly change their passwords, that requires time every so often on the part of every user on the system to reset their password to a new value. When someone has a problem during the normal course of their business day that ends up being related to security, this is additional overhead not only on the part of the end user but also by your support staff. No matter how you look at it, good security costs money.

But, is there a point where you have too much security and the benefits are outweighed by the security protection deployed? I think the answer is a clear yes, in certain circumstances.

Some time ago, I did a consulting gig for a large company located in North America. This company had a very aggressive security implementation for outside vendors. And, they apparently use a lot of outside vendors who need access to their network. They had a complicated VPN installed which required a remote token generator be shipped to me. When the token arrived, it included indecipherable instructions on how to gain access which ultimately did not work. It was a long and drawn out process, but it ended up taking me three days and countless hours of trial and error with various members of their support desk team to get access to their system just to get started on a project that was behind schedule at the outset. Once I got into their IBM i processor, I found that my profile had not been properly set up and there was a further delay in getting started.

In this case, the costs associated with the security implementation became excessive. I was on the clock for this entire experience and the customer ended up paying dearly for this wasted time. For this customer, I'd conclude that too much security was in place or that the security deployed was insufficiently funded. The whole point was to provide a secure signon to their IBM i from a remote location, but the number of layers needed to get through was just too much.

When is there too much security? One check is to see if normal business transactions are regularly stopped due to security checking. If people in your organization can't get their normal day-to-day work done due to security hurdles, then maybe there is too much security in place and a review of your setup is in order.

Another check is to see if your support costs are on budget or running way over. If you're spending significantly more money on support and that can be traced to security issues, that's another red flag that something is quite wrong in your security environment.

I know that some of you security officers out there are going to cringe at this, but security is always a compromise between operating efficiency and data integrity. You need to have a good balance, tempered by an honest assessment of what you're protecting.

If you have any questions about this topic you can reach me at rich at kisco.com, All email messages will be answered as quickly as possible.