Tuesday 17 April 2007

How much does security suffer for sales?

The simplest example of WORM (write once, read many) storage is a CD or DVD (the write-once CD-R or DVD-R, not the rewritable variants). Once written, that data cannot change; we can only read it as many times as we like, or destroy it. Great. I trust that data. That is, until the very second it leaves my sight. Once someone else has it they can copy it where they like, reproduce it, change it and put it back on a similar storage medium.

Also, taking a step back, was this data originally in a database file? Was the database secure? How do you know? Did the data get written by an application? Was that secure? Did the application have good user controls? Access controls? Secure transmission? I suddenly don't trust that data at all.

More complex WORM drives are available, and some storage companies are using software to create unique tape and drive identifiers. These are great sales pitches, but are still just point solutions. What extra security do they provide, other than a warm fuzzy feeling that compliance is being addressed? I can't answer that, please let me know if you can. COMPLIANCE != SECURITY.

Security NEEDS to stack up. If you have a storage solution, you need to secure EVERYTHING above it, and the storage into which you are depositing data needs to be secured BY everything above it; otherwise it is weakened by it.
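The copy, modify and re-burn scenario above is exactly what a layer above the storage can catch if it keeps its own record of what was written. The following is an added example, not code from the original post and not the integrity software the author mentions: a manifest of SHA-256 file digests, authenticated with an HMAC under a key that only the verifying layer holds, so that neither a modified copy nor a rebuilt manifest verifies. The key, directory layout and file contents are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Constructed key for the example. In a real deployment the key lives with the
# verifier (HSM, KMS), never on the medium it vouches for.
VERIFIER_KEY = b"example-verifier-key-not-for-production"


def hash_tree(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def _tag(entries, key):
    # Canonical JSON so the same set of files always yields the same tag.
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_manifest(root, key):
    """Build the manifest the layer above the storage keeps for a written tree."""
    entries = hash_tree(root)
    return {"files": entries, "tag": _tag(entries, key)}


def verify(root, manifest, key):
    """Return (ok, problems). ok is True only if the manifest is authentic and the tree matches it."""
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["tag"]):
        return False, ["manifest tag does not verify: manifest altered or forged"]
    actual = hash_tree(root)
    problems = []
    for path, digest in manifest["files"].items():
        if path not in actual:
            problems.append("missing " + path)
        elif not hmac.compare_digest(actual[path], digest):
            problems.append("modified " + path)
    for path in actual:
        if path not in manifest["files"]:
            problems.append("added " + path)
    return not problems, problems


def demo():
    """Write a tree, copy it to a second 'medium', then tamper with it and try to forge the manifest."""
    with tempfile.TemporaryDirectory() as master, tempfile.TemporaryDirectory() as copy:
        os.makedirs(os.path.join(master, "records"))
        with open(os.path.join(master, "records", "ledger.csv"), "w") as fh:
            fh.write("2007-04-17,invoice 1001,1500.00\n")  # constructed content
        with open(os.path.join(master, "README.txt"), "w") as fh:
            fh.write("archive set 1\n")  # constructed content
        manifest = make_manifest(master, VERIFIER_KEY)

        # 1. A faithful copy onto a different medium still verifies.
        shutil.copytree(master, copy, dirs_exist_ok=True)
        faithful_ok, _ = verify(copy, manifest, VERIFIER_KEY)

        # 2. Change one value and "re-burn": the manifest pinpoints the file.
        with open(os.path.join(copy, "records", "ledger.csv"), "w") as fh:
            fh.write("2007-04-17,invoice 1001,150.00\n")
        tampered_ok, tampered_problems = verify(copy, manifest, VERIFIER_KEY)

        # 3. Rebuilding the manifest to match the tampered tree fails without the key.
        forged = {"files": hash_tree(copy), "tag": manifest["tag"]}
        forged_ok, _ = verify(copy, forged, VERIFIER_KEY)

        return faithful_ok, tampered_ok, tampered_problems, forged_ok


if __name__ == "__main__":
    print(demo())
```

Nothing in this check depends on what the medium says about itself: the digests are recomputed from the bytes and the tag is recomputed under a key the storage layer never sees, which is why the same check works whether the bytes sit on write-once media or on ordinary re-usable disk.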

I spoke with a Bay Area product manager for a very large storage vendor a couple of weeks back. I told him about some integrity software and he said "Well, I'll talk to a couple of people, but I don't think we'll be interested." Long story short: they weren't. Long story explained: the storage company sells more storage if it is WORM storage. Using integrity software, they could re-use that storage, and that would stop sales. Ugh. So much for security then. Oh, and the "security software" solutions for WORM, yes, they can be uninstalled. D'oh!

This same storage company has bought a security company, like many of them seem to be doing now. I'm sad for the state of security, I hope someone will prove me wrong, I really do.
