Friday, May 15, 2009

Selling Changes: Security Implementations

Part of the security program that I am in charge of is a transition to a Cisco Clean Access based "zoned" network. In parallel, we're migrating from a relatively open campus wireless network to an authenticated network with unencrypted and encrypted SSIDs for guests and our own users.

None of this is particularly attractive to end users or technical staffers in general - we're creating additional work for many by making them touch systems to install the Clean Access agent, and adding user support time when their users can't figure out why they don't have network access when their system isn't authenticated. Many worry that we will filter their traffic, monitor it, or otherwise make their network access less usable than it was pre-change.

Since not every device is capable of handling CCA or web authentication, we have to deal with some switches on a port by port basis, and we also have to whitelist many devices.

How, then, you may ask, do I sell the project with thousands of users, over a hundred buildings, and a user base who are used to a flat, undivided network?

  • First, I explain why the project is part of my program: we did a risk assessment, and this was identified as a risk to the organization. In addition, we want to know who to contact for any given system, and who they are, at least on a role basis.
  • Second, I explain why our management is behind this, and what their expectations are. This includes personal responsibility for both our IT staff and our users, and that they are responsible for protecting our network and our data.
  • Third, I describe our test scenarios, our communication plans, and what our migration process involves. We've deployed to a variety of areas, we've tested extensively, and we have the ability to exclude problem areas. We also ensure that the changes are well communicated, that we meet with all parties in an area before deploying, and that we have an on-site team post-change.

So far, we're meeting with reasonable success. Management is behind the effort, and we have a talented technical team - but this effort is going to boil down to a large communications and sales effort.
