Skip Links

Network World

  • Social Web 
  • Email 
  • Close

(Comma separation for multiple addresses)
Your Message:

The cost of not reaching IT project closure

Security: Risk and Reward By Andreas M. Antonopoulos , Network World , 07/08/2009
Andreas Antonopoulos
  • Share/Email
  • Tweet This
  • Comment
  • Print

All things, good and bad, eventually come to an end. Philosophers have told us this in many variations for at least three or four thousand years. In IT we seem to have exquisitely intricate plans for starting new things: projects, applications, users, policies. Yet we seem to always forget to plan for their eventual end: the closure of projects, the removal of applications, the retirement of servers and the departure of users. Why do we find it so hard to achieve closure?

The lack of closure can be costly. In IT projects it often means extra expense at the end of a project, long after any budget allocation is gone. Our total cost of ownership in IT rarely includes the cost of exit from a project -- whether the disposal cost of hardware, the migration of data to a new application, or the severing of a contractual relationship with a provider. When we lack an exit strategy we pay dearly. Having learned that the hard way, I have always added an "exit strategy" section to new projects and applications. Nowhere is that advice more important than security, where the lack of closure can leave gaping holes in your defenses.

Reduce Your Private WAN Bill 40-90% With Adaptive Private Networking: View now

One common example of a lack of closure can be found in most user directories. After conducting many security audits it no longer surprises me when a company discovers that the user directory (perhaps Active Directory or LDAP) contains 25% more entries than the number of employees. The most egregious example I have seen contained more than double the users than expected. Sometimes this "growth" occurs because of an obvious lack of policy and process for deleting users when they are laid off or resign. So companies keep adding new users but never delete the old ones.

Even if a process exists for deleting employee records after they are fired, there are dozens of other forms of closure that are missed: contractors who finish a short term job, employee retirement, short-term disability that turns into permanent leave, national guard service that is extended. I could go on for pages. Very often, the cases of employee departure that are missed are marginal ones where the paycheck continues or what was expected to be temporary leave becomes permanent. So the directories grow, phantom users long gone but never forgotten.

Related Content
  • Share/Email
  • Tweet This
  • Comment
  • Print
Comments (2)
Login
Forgot your account info?

I give the author 5 Stars for a very cool nameBy Smithwill on July 8, 2009, 3:56 pmThe story, 4 starz :)

Reply | Read entire comment

Very good!By Anonymous on July 9, 2009, 6:55 pmHaving been there and realized that, I salute this guy for putting it in print!

Reply | Read entire comment

View all comments

Add comment
Anonymous comments subject to approval. Register here for member benefits.
Have a NetworkWorld account? Log in here. Register now for a free account.

Most Read

View more Most Read

Videos

rssRss Feed

Latest News

rssRss Feed