Monday, August 11, 2014

Security Blogging - A Stitch in Time…

By Rick Epstein

Have you ever heard someone rationalize an important decision with a folksy saying? It may make one seem wise at the time, but you should be aware that, for every such "wise" saying, there is generally an equally wise and opposite saying. For example, "look before you leap," but "he who hesitates is lost."

If your rationale for not reconsidering your SAP BusinessObjects security model is "If it ain't broke, don't fix it," then my reply to you is that "A stitch in time saves nine." You won't know whether it's broken until you look.

There are, of course, other sorts of objections to taking action that I hear over and over again from normally risk-averse people who don't want to address necessary changes to their SAP BusinessObjects security model.

Here are the top five:

We don't have any data that needs to be secured.
Great. Just publish it all on the Internet. No? Every company has private data that they don't want to share with competitors and/or the public. The only difference is the degree to which a breach will hurt. What is your pain threshold?

We don't have time right now.
What will it take to get your attention? Delaying the discussion of your SAP BusinessObjects security model will almost inevitably lead to an unanticipated security breach. Implementing a well-designed security model is an investment. Prioritize and make the time.

We don't have money in the budget.
Budgets are expressions of priorities. If you don't have money in the budget, then you need to re-examine your priorities. The potential cost to your company -- in terms of both money and reputation -- in the event private information is viewed by an unauthorized person or persons far exceeds what it would cost you to analyze and reengineer your SAP BusinessObjects security model.

Why should we change? Our security model works fine.
If it seems as though the pain of change is too much to bear, ask yourself how you will feel about the pain of regret. It is quite likely that there are unknown security holes in your security model. Designing and implementing a security model using a true top-down methodology is the only way to ensure that there are no such holes.

We don't have resources who know enough…
…about SAP BusinessObjects security to instantiate a true top-down security model. Then I guess today is your lucky day. Please reach out to me; I would be glad to provide some tips and tricks and answer some questions in a 1-hour free consultation.