August 8, 2011 at 9:10 pm
Comments posted to this topic are about the item The Window Is Shrinking
August 9, 2011 at 6:12 am
I went to a technology conference once where it was pointed out that if NASA managed its new technologies the way the computer hardware and software industry did, every rocket, Space Shuttle and satelite would blow up on the launch pad.
Your editorial points out something that is a disease in this industry: technologies are invented and then tested on the "live" public long before they should actually be released. We ALL participate in this lunacy - just consider Microsoft, a company that has never once in their entire history released a "finished product" - and now all companies seem to march along to the same beat. Release it now, fix it later.
And who are the "lab rats" in this cycle? You, me and our employers. Hence, it is up to us to change this but for years no one dares. Personally, I have never bought a new Microsoft Operating System until it has been out at least one year - and I know many collegues who do the same thing. But the masses generally scramble for the latest cell phone, software or gadget and only learn later they pulled the trigger too fast.
We need to stop marketing systems and services until they are tested. How? I dont know because competition is first and foremost. But then, many years ago a company called Johns-Manville released a "wonder product" called asbestos and they put it in almost everything; buildings, cars, planes, homes - and then it started killing people. Its a cautionary tale that we dont pay much attention to... often to our own demise.
August 9, 2011 at 7:29 am
I have been working in my job for a little over two months. In that time, when questioning a gaping lack of security precautions, I have received the same two answers several times:
1. It was a pilot project so we didn't need to implement that
2. The database doesn't contain any sensitive data
#2 is *mostly* true, but it's difficult to get across that being compromised is not only about exposing sensitive data (although that is a gigantic concern.) The amount of downtime is a very real concern as well.
It is also difficult to argue the monetary value of redesigning and implementing security procedures, since the value would only be shown if we were indeed compromised.
I can design all applications going forward with security in mind; so now it's just a question of working on the 'inherited' apps. Fortunately, I have team members who are backing up my recommendations, so I think I will be able to move forward to .. retrofit. Does anyone have any suggestions for helping management see the need for this in ALL applications, pilot as well as production?
August 9, 2011 at 8:13 am
Security has to become an integral part of the corporate culture. A good way to jump start that is to implement policies around applications and security that make a risk assessment and security review part of the design stage. You cannot effectively implement security as an afterthought, it has to be designed in from the start. This appleis to pilots too, given the frequency that they become the basis for a new application.
Point out to management the cost of security failures, data exposure, etc. If your company is subject to data privacy laws, then I don't know how you can ignore security.
August 9, 2011 at 8:15 am
There is another issue with cloud data, as well.
Your company, by itself, may not be a high profile target for hackers, but a site with hundreds of companies and thousands of users is. There is much more incentive to go after clouds than individuals and individual companies.
...
-- FORTRAN manual for Xerox Computers --
August 9, 2011 at 9:07 am
Ross McMicken (8/9/2011)
Security has to become an integral part of the corporate culture. A good way to jump start that is to implement policies around applications and security that make a risk assessment and security review part of the design stage. You cannot effectively implement security as an afterthought, it has to be designed in from the start. . . .
Absofragolutely. Security considerations ought to be the first doc that the architecture team produces, and until that is approved, no one touches anything else, no matter what is the pressure from the business users.
August 9, 2011 at 9:12 am
Revenant (8/9/2011)
Ross McMicken (8/9/2011)
Security has to become an integral part of the corporate culture. A good way to jump start that is to implement policies around applications and security that make a risk assessment and security review part of the design stage. You cannot effectively implement security as an afterthought, it has to be designed in from the start. . . .Absofragolutely. Security considerations ought to be the first doc that the architecture team produces, and until that is approved, no one touches anything else, no matter what is the pressure from the business users.
here, here. Well said.
However I think it will be the insurance companies that force this, certainly not the business or government.
August 9, 2011 at 10:03 am
I came to the understanding a long time back that you get what you aim for. If you develop a system without a security framework already in place or developed in the first part of the project, you compromise the system before it starts, and end up with security problems.
Often you hear "It cost too much to do that level of work." or "We should not have to jump through that many hoops for this project, it is not that critical." But what does it cost to be hacked, to admit you compromised your clients data or personal Identification? More can be lost than SSN, Drivers License, or Credit Card Numbers.
The fact is that if you do not secure your systems as they should be, you simply do not care about your clients, their data, or their lives.
Application Security can not be a wink and a prayer, it has to be a well thought out strategy to protect company assets and clients information.
Thanks for the article, good read!
Not all gray hairs are Dinosaurs!
August 9, 2011 at 8:24 pm
This is a great editorial, but even so it fails to address the whole problem.
It will really be good news when it becomes possible to insure security if IT security is a significant factor in determing the premiums.
BUT:
There are many aspects to security, and not all of them are database-oriented or even IT-oriented. In general, there is no imaginable way that the best IT design can provide a secure system, because IT design can not control system factors outside the IT component of any system. In particular, although good IT design may reduce the risk and/or the impact of security breaches occurring in the non-IT parts of the system (for example breaches caused by human stupidity or human dishonesty) it can not eliminate that risk or that impact completely.
If someone has designed a complete system in such a way that good security of its IT components will have a useful impact on the overall security of the total system, then good security design of the IT components is important. If, on the other hand, the overall design provides no security then attempting to make the IT components secure may be a waste of time.
Usually the human aspects of system design are pretty awful. Nevertheless, it's important to ensure that the IT aspects of design do everything they can to improve security, in order to avoid making the total system (including IT) even less secure than is implied by the overall design.
So when security insurance happens it will be a good thing only if it looks at (and premiums are based on) overall system security, and not only the security of IT components.
edit: fix spelling
Tom
August 9, 2011 at 8:39 pm
Tom.Thomson (8/9/2011)
This is a great editorial, but even so it fails to address the whole problem. . . .BUT: . . .
Usually the human aspects of system design are pretty awful. Nevertheless, it's important to ensure that the IT aspects of design do everything they can to improve security, in order to avoid making the total system (including IT) even less secure than is implied by the overall design. . . .
Sure, Tom.
One of my biggest professional disappointments was when I designed and implemented overall IT security and found, just few a weeks later, that finance users with access to the most sensitive information had their strong passwords written on post-it notes, tacked on the rims of their screens.
Something was apparently amiss.
August 10, 2011 at 7:47 am
IT security isn't limited to the design and implementation of applications. It also includes the users and infrastructure, and has to be assisted by strong support from management up to and including the baord of directors. Securing applications alone does nothing if users aren't trained, and expected, to do their part, and the policies enforced by a strong internal audit function. Part of any internal audit should include an after hours surprise inspection of work areas for passwords on post its, with disciplinary action for those who violate policies on password protection.
I am hopeful that the trend towards using smart cards as a means of authentication and more widespread use of active directory services by applications will make secusity for end users more palatable. If they only have to remember the PIN for their smart card, there won't be passwords left on random bits of paper.
August 10, 2011 at 8:08 am
Revenant (8/9/2011)
Tom.Thomson (8/9/2011)
This is a great editorial, but even so it fails to address the whole problem. . . .BUT: . . .
Usually the human aspects of system design are pretty awful. Nevertheless, it's important to ensure that the IT aspects of design do everything they can to improve security, in order to avoid making the total system (including IT) even less secure than is implied by the overall design. . . .
Sure, Tom.
One of my biggest professional disappointments was when I designed and implemented overall IT security and found, just few a weeks later, that finance users with access to the most sensitive information had their strong passwords written on post-it notes, tacked on the rims of their screens.
Something was apparently amiss.
I'm going to go a way off the rails into heresy, but this is human nature and should not come as a surprise.
Social animals (and humans are the ultimate social mammals) display a very different behavior to in-group and out-group individuals. Wolves in a pack will sleep, will lie on their backs, will be vulnerable to members of the pack while aggressively onguard agains outsiders .. in fact with many animals displays of vulnerability are an important component of group bonding. It says, mutually "I trust you, you trust me"
What does this have to do with passwords? We have a deep need to trust (and exhibit displays of trust) those we are working closely with, whether hunter-gatherers on the hunt, soldiers on a battlefield, members of a family, or members of a department. We actually prefer not being on guard against our group. Being on guard is emotionally draining, and mammalian group cohesion is built on displays of trust--sometimes deep, sometimes symbolic. These displays are not just viable, they are psychologically significant. If you can't trust your co-workers, your family, your fellow tribal members then you cannot form a cohesive group.
Logic may tell us to guard against everyone, including our co-workers, or our family, but millions of years of evolution tell us otherwise; distrust outsiders but trust insiders. We have an instinctive voice that tells us that distrust destroys marriages and families, and weakens fighting units. But security policy tells us to treat everyone as a potential threat.
It's a tough problem. Logic vs. instinct.
...
-- FORTRAN manual for Xerox Computers --
August 10, 2011 at 10:10 am
Tom.Thomson (8/9/2011)
This is a great editorial, but even so it fails to address the whole problem. . . .
Good point, but not trying to address the whole problem. Designing security into the application and architecture just addresses part of the issue, but it's a part that needs addressing. It prevents lots of low level, remote attacks.
August 10, 2011 at 10:13 am
jay holovacs (8/10/2011)
I'm going to go a way off the rails into heresy, but this is human nature and should not come as a surprise.Social animals (and humans are the ultimate social mammals) display a very different behavior to in-group and out-group individuals. Wolves in a pack will sleep, will lie on their backs, will be vulnerable to members of the pack while aggressively onguard agains outsiders .. in fact with many animals displays of vulnerability are an important component of group bonding. It says, mutually "I trust you, you trust me"
I think there most humans trust each other. Most of us are fair and respectful of others. I think the danger is that we have more and more people in absolute numbers that don't and are willing to engage in criminal activities. It's a small percentage relatively, but the absolute numbers cause us issues. Even most hackers don't cause much damage, it's more like vandalism than criminal activities for some gain.
Viewing 14 posts - 1 through 13 (of 13 total)
You must be logged in to reply to this topic. Login to reply