6 ways to fight deploy and decay

Even your best security controls will weaken over time after deployment, much to hackers' delight. Take these steps to slow down or get ahead of that decay.

Hackers love drift. That’s the unofficial term for describing how some good (and secure) state moves into something less good (and less secure). Computer security is difficult. We know that. The old saw says defenders have to get it all right all the time. Hackers just need to find one mistake.

Any computer control is hard to deploy perfectly. The even bigger problem is that any nearly perfect, deployed control almost always degenerates to a far worse state starting almost immediately. The process is what some security experts call “deploy and decay.”

What is deploy and decay?

For example, suppose your job is deploying and maintaining security settings on an application or operating system. You (or your team) spend a great deal of time deciding what those security settings should be. You read about the negatives and positives of each setting, consider the business impacts, and then choose the setting that best fits the allowed risk profile for your organization.

You deploy those settings, say using Microsoft Windows or Active Directory group policy, to every possible managed computer. We know that for myriad reasons those settings are not perfectly applied to all the computers we expect. It’s usually some issue in the imperfect technology. It could be a corrupt local configuration database, a third-party app getting in the way, or the computer unknowingly not connecting to the domain for months. It can be a lot of different reasons, and we aren’t always aware that the deployed control isn’t applying to all computers.

To continue reading this article register now

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!