The dreaded security redesign. You’ve been putting it off for so long but now it’s time to take action. You’ll feel much better once it’s done but it can be difficult to get started.
Part of the fear is the unknown. You don’t know if you’ll get the security design done right and you won’t get another chance to fix it. When you flip the switch (like any other go-live) you’ll have a backout plan just in case chaos happens but it would be an embarrassment to have to go back.
If only there was an easy button to get it done quickly without any risk. But until that day arrives, I’ve collected a few best practices to get you on the right path on your redesign.
Refresh Your Data for A Fresh Start
You wouldn’t want to base your new security design on stale irrelevant data, so my first tip is to get rid of any unnecessary security data like unused roles or data integrity issues. I call this “cutting out the fat.” The less data you have to look at, the easier it will be to envision what the new security world needs to look like. This also builds a little momentum and puts you on the road to success with a small but important step with your data management.
Define Roles Clearly for Quick Decisions
The most difficult part of the redesign is to draw the lines between the users and roles. It would be rare for one person to know exactly what roles need to be created and what roles each user needs. Working with the business owners can be tough since they may not know what they should want in terms of security roles. The devil is always in the details. What you can do is make it easy for them by giving them many options on how to review the data and by giving them nice templates to work with. Make it easy for them and they’ll return the favor by making informed decisions and getting back to you quickly.
Test, Test, and Test Again
The next challenge is testing. Security testing is boring and can be cast aside as a lower priority since resolving security issues in production is usually a quick fix. You may not be able to give an inspirational locker room style speech to motivate your testers but here’s what you can do:
- Identify issues before they (the testers) can. Pre-test those roles if you have the knowledge to execute the processes.
- Again, templates. A clear plan with visual representation will make it easy for the users to complete the task at hand.
- Create an environment where testing is meaningful. By this I mean, ensure that you have *PUBLIC setup correctly, you’ve got test IDs on hand, and you’ve got an isolated test environment by using the 2 or alternate workbench.
A Few Exceptions
My final reflection point is about what I call “exception-land” whereby we (both technical and business owners) agree on a brand new (and amazing) security design only to have it become fragmented and distorted shortly after go-live. A business owner will say something like “he/she is usually in that role but we have an exception.” Soon the exceptions become the norm and your security design can’t even be called a design anymore. You’ve got to be flexible and sometimes the business gets what the business wants but you need to draw the line somewhere. The security design must make sense in order for it to be sustainable long term.
Maintaining your security design should be a non-issue so you can focus on revenue- generating initiatives. The security redesign can be a large and exhausting mountain to climb but the benefits gained at the end will be well worth it. I will discuss this in even greater detail in an upcoming webinar.