Tense Times in Security
Tuesday, October 24th, 2006I just returned from Information Security Decisions, an outstanding conference, where I had many opportunities to compare notes with fellow practitioners. Two big issues keep coming up where conflicting interests are leaving us with nearly insoluble problems:
• The conflict between monitoring and privacy. Two huge trends — data protection with encryption and content inspection in the network — are beginning to collide in many companies. Examining content as it flies across the network, looking for malware or spam, logging for regulatory reasons, watching for intrusions and keeping track of resources is getting popular. But examining content depends on being able to see the content. At the same time, the use of encryption in Web, e-mail, instant messaging and every other application is increasing—and if the traffic is encrypted, you can’t see it.
There are piles of products and ideas on how to deal with this conflict, but nothing has bubbled up that has made any sense. Some of the suggestions are even outright absurd, such as blocking all encryption. The reality is that there’s no easy answer coming out of this collision between technology and politics. I hate describing problems without offering a solution, but all I can advise here is to start thinking about building your own compromise between these two trends—because if you haven’t started that balancing act yet, you probably will soon.
• The conflict between security resources and requirements. For most companies, every dollar spent on security seems like a wasted one. Security is often like insurance: money you spend now to avoid a much bigger and more catastrophic expense later. Unfortunately, the expensive war between malicious hackers and enterprise companies is escalating, and the bad guys have the advantage. Doing security well requires ever more sophisticated staff to understand how to build a deep defense and ever more expensive tools to implement that defense. Pressure to increase security controls is also coming from other fronts, such as the regulatory and legal side of the business.
Our old standbys — a three-zone firewall and a copy of Snort — aren’t good enough. As security guru Gregory Lebovitz says, “Swiss army knives are good for a great many things, but slicing an 80-pound wheel of Parmesan for a 500-person party is not one of them.” Even if you can afford the specialized products—and more are coming out every day—you also need to budget for training, support and most expensive of all, staff time. That’s assuming you can find the people out there who can actually understand, configure, manage, and interpret the output from all this new hardware and software. Network access control (NAC) is a good example. We didn’t need it before, but we think we need it now. Lots of money, time and aggravation make sense to those of us down in the trenches, because we have to paddle ever faster just to stay in place, counter new threats and secure newly business-critical networks. But that doesn’t make it any easier to explain to the CFO.
