How the principles behind Lego can assist IT managers in their quest for better IT security

by Reuven Harrison, CTO of Tufin Technologies

As a boy, like many lads of my age, I loved Lego - I'd use the red, green, blue, yellow and white bricks that, in those days, came in just a few shapes, to construct houses, ships, cars and stairways that led absolutely nowhere.

Lego - for small boys - as it is today, is all about fun and imagination.

In mid-April, Tufin's team had the good fortune to attend Check Point's annual European customer and partner event, the Check Point Experience, in London.

At the event, which was attended by the great and the good in the world of IT security, we demonstrated our workflow technology.

Because of the high calibre of the professionals attending the event, it was a delight to meet industry colleagues both old and new, and explain how we see the changing IT security puzzle to the professionals at this event.

During the event I was struck how infosec has matured. Many companies are now approaching security as an integral part of IT which requires proper management and the business processes around it.

In many ways the approach to building models as a boy that Lego engendered is the approach that is needed in the modern world of IT security - a set of building blocks, in different shapes and colours, that can be combined to build an effective IT security process.

The `building block' principle is nothing new in the world of network computing. It's a similar approach that taken by developers of the `C' programming language back in the 1970s when Bell Labs came up with the then fledgling Unix programming language.

C's minimalist approach allowed early software developers to develop quite complex programs by taking a modular approach to program development.

Within a few years of C's release, libraries of simple C routines were developed that, like Lego bricks, could be combined to produce quite spectacular software capable of doing a great deal with quite limited memory and processor facilities.

Fast-forward 38 years to the Check Point Experience, and there are my team and I, explaining how a modular approach is the only way that security processes which differ so widely from one organization to another, can be supported by a generic workflow solution..

After a couple of year's detailing Tufin's IT security solutions to the great and the good, and not just at the Check Point event earlier this month, I have realised that there is no such thing as a standard process for managing changes to the security policy of an organisation.

For example, whilst one organisation starts off with an access request which is then approved by a line manager, another may first want to design the change and only then approve it.

If you extrapolate the Lego `building block' approach to the security policy issue in most organisations, it's clear that a modular methodology can pay dividends when the requirement to deviate from normal procedures is required.

As another example, some professionals want to allow requesters to specify the target firewalls, whilst others keep them strictly within the domain of the firewall operations group.

In an ideal world, it would be down to the IT professional to issue the dictum - "here's how you should be working" - and provide one ideal process for managers to implement.

As any IT professional will know, however, this ideal cannot work, as the principal of `one size fits all' does not work with IT security - every organisation has developed an often unique set of processes that match their needs, organisational structures and policies.

In addition, beyond the obvious technical constraints, it's clear that there are also social and political factors that have shaped these processes and these cannot be modified very easily.

But there is a solution - and once again the modular principals that millions of small boys the world over have adopted with Lego blocks also apply to the grown-up world of IT security.

And flexibility also comes into play here, as instead of a single rigid process, companies like ours have opted to provide its clients with a variety of small security building blocks that can be compiled into the organisational process.

These building blocks are designed around permissions and roles; users and groups; workflows composed of configurable steps; and forms that consist of configurable fields such as input fields and drop down lists.

Other `Lego blocks' include access flow descriptions that can change their appearance to match the needs of users with different roles; and dynamic but controllable workflows so that users have flexibility within a fixed framework.

This modular approach has been well received amongst the end user community, who appreciate the building block approach is highly effective in a variety of environments with differing processes, including those situations that management have not yet seen - or anticipated.

Now I'm back from the exhibition and conference, I'm back to playing with real Lego with my daughters - who enjoy their building blocks every bit as much as their male peers - and am building princesses and castles, rather than the cars and ships of my boyhood.

And just as Lego can be flexible enough to meet the disparate building needs of little boys and girls everywhere, so I've concluded that a `building block' approach to IT security and lifecycle management can help customers create their ideal security protection.

And just like my Lego analogy, by allowing IT professionals to create their unique set of IT security processes - and processes that are almost infinitely customisable - allows the rest of the organisation get on with its core business of making a profit.

As a small boy Lego taught me a lot. Now I'm a bit more grown up, the principles I've learned from Lego have helped shaped my professional approach to security.

Now where did I put that Meccano set?...

Courtesy: Eskenzi PR