The jarring sound of an iPhone vibrating against a mahogany nightstand at 3:15am. This can’t be good. Server down? Much worse: 50,000 sensitive files have been stolen from a poorly permissioned file server. First, damage control. Next, investigation.
Problem: 50,000 files were stolen.
Why? The files were accessible to everyone in the company, even guests.
Why? The folder’s access control list was configured incorrectly.
Why? Chuck the intern configured that file server in 2007 and it hasn’t been reviewed since.
Why? We don’t have a process to review file system permissions.
Why? Because manually reviewing every folder’s ACL for problems is like searching for a needle in a haystack…and THERE’S ONLY THREE OF US AND A THOUSAND FILE SERVERS! SHEESH!
This fun little question-asking technique is called The 5 Whys. It was developed by Sakichi Toyoda at Toyota to determine the root cause—and solution—to any given problem in the manufacturing process. The technique has been borrowed by coders, sysadmins, and startup founders alike.
See, behind every technical problem is usually a human problem.
On the surface, it seems like the above fictional security incident was technical in nature – the ACL was configured incorrectly. Deep down, however, the problem was the company’s non-existent entitlement review policy.
The 5 Whys technique encourages us to address the problem on multiple levels: fix the ACL, stop letting interns configure important systems by themselves, and institute a system for performing periodic entitlement reviews.
Sometimes it’s not feasible to immediately address every single problem uncovered, but 5 Whys suggests that if you make a proportional investment in the solution every time an incident occurs, you’ll eventually get to a point where you have an optimal level of protection against a given problem. In our example, maybe you’d start by piloting entitlement reviews with a small business unit, or review just the super sensitive data sets.
The 5 Whys is an excellent technique for determining root cause so you can take reactive steps to ensure a problem doesn’t happen twice. In my next post I’m going to talk about a new model for holistically evaluating your company’s risk profile so you can make proactive improvements.