This is chronological, and by a twist of fate I am now on the security board of a company in the earlyish days of the Internet. This is not a nice thing, just more pain added to my average week. The general gist of the board is that any requests to pass data out of the business that do not adhere to current standards/methodologies end up at this board to decide on the correct path.

Our authority was gifted to us by the board of the business and was such that we could not be overruled by anyone. It was anecdotally known as the board that likes to say “no” but in reality the “no” was for damn good reason, this story is a great example of why no is the right answer.

On this particular session, we had the joys of a director coming to join us. This was a little unusual, it was normally project managers, technical people or at worst a grumpy programme manager but a real director of the business was somewhat unique and it went about as well as you would expect.

“I want to send a 750Mb file once a week to RandomPlace™. You are preventing me doing this and it is costing £millions. You will let me send this or you will all be out of a job.”. Nice. He is ably supported by a somewhat embarrassed technical person to help answer the tricky questions. So we start with the basics. “Why are you sending the file, what is the data in the file, what is the transfer mechanism?”. That is when the world unravels into some new form of ridiculousness.

It is revealed that the file is actually a “gold build”, i.e. an image of a CD that is used to build computers. That in itself is not so much of an oddity but as we dig we find that the file is being transferred from one floor of a building to another location within that same building just to another company, hence needing to traverse our security facility some 414 miles away. The more astute of you will also realise that 750Mb at this point in time is a rather large amount of data to transfer via a wide area network.

The natural question then comes from us, “Why don’t you just take a copy of the CD to the company once a week?”. Simples, yes? Apparently not. Being a corporate, if it’s not in your job description it can be rather hard to get simple things done. As it turns out the trainee employee who was doing this task is leaving and no-one seems to be able to get anyone to do this simple task, as such the situation has been escalated and escalated to the point that the task now needs to be handled in a highly resilient fashion, automatically and without human intervention. Oh and just for kicks, the reason this has been flagged to us was the request to do the whole transfer using IPX.

Now for those who are less familiar with IT security, security capabilities are generally architected around the use of IP, so politely asking a firewall to permit IPX is really not going to get you very far, nor is any IDS or IPS system really going to add any value here.

Of course, we end up in a situation of saying no purely because we can’t easily secure the transfer using anything that currently exists in the security gateway facility. This enrages the director and he starts to turn a funny colour whilst he releases a tirade of expletives. He does this before we can explain that we’ll get some design thinking into the situation beyond sending a file on an 828 mile round trip to a security facility that doesn’t deal with the technology in question anyhow.