Confusion, fear, procrastination: these are words often associated with making decisions about IT security, and as threats become more sophisticated it is easy to see why. The increasing popularity of workforce mobility has made detecting and eliminating threats purely from within the corporate network an inadequate approach to network security.
…security is a never-ending battle. I once thought that we reached the pinnacle of security when, for example, only machines with a specific MAC address were allowed onto the network. Seems pretty simple and secure, right? Only that specific machine you allow will have access to the network; all the others will stay out. Well, then I found out about MAC spoofing and the like… that really threw a wrench into everything. It seems no matter what people do to secure their networks, there will always be someone out there who’ll figure out how to get in.
Security is a process, not a product. What is often termed security is in fact the “methods” used to achieve it – i.e. MAC filtering etc. The aims of security are appropriate levels of:
* Privacy
* Integrity
* Availability
* Accountability
I say appropriate because there is no point wasting resources securing something that doesn’t need it. Like marketing, finance and HR, security needs to be an integral part of the business/organisation, and it needs to be designed into every stage of your product or service. It’s not an afterthought. It’s not a firewall. The above four aspects of security need to be considered at every stage, from feasibility right through to maintenance.
And because it is an ongoing process, it adapts to evolving and emerging threats (new techniques for cracking). The clichéd cycle of “plan, implement, review effectiveness, re-design…” is equally applicable to security as it is to any other aspect of business.
The problem with security has been that management don’t understand it, meaning that geeks are left in charge of it – meaning that a bottom-up, product-led approach has been applied historically. You need a top-down, policy-led approach if you ever hope to have holistic, coherent, cost-effective and adaptive security.
Not until CEOs wake up and realize that MS has no interest or ability in providing secure solutions can we discuss this in a corporate manner.
Features sell, not security, and that is the problem.
BTW… Linux, UNIX, BSD and OS X have always been able to provide the needed features and layers of security if the admin is knowledgeable. It’s just that big biz has no concern yet for porting their apps to these platforms because of MS and their ultimate lock-in!
How’s your SUV doing on gas, BTW?
Happy now?
Revolution is courage.