Wednesday, 30 May 2007

Exciting compliance shakes up security

Is it just me or is everyone talking about compliance all of a sudden? Wow, what a thrill.

I've seen more articles about ISO17799/27001 in the last week than in any other week in the history of the standard. It's been in existence for about as long as I've been in IT Security in one form or another, as BS7799, when I was a slip of a lad, setting off on my career path back in the UK, to its current spread of numerical dyslexia from ISO17799 through to 27008. But that's not important right now. I'll blog on it later once everyone else has bored you to death with it. Ready yet?

I've also seen a lot of stuff being written about data security. I suppose I asked for it. I've wanted proper data-centric security for a while, and now people are really beginning to think about it, the crackpots are coming out of the woodwork. I ask you for one thing, in the vain hope you might be a crackpot with a conscience (and hey, if you're reading this, you just might be): please, please, please, think about what you are writing before you bombard us with rubbish ("Hypocrite!" I hear you cry). However, I've been around the block on this particular topic, and I'm not going to back down on "matters of opinion". OK, personal gripe over, let's get back to the topic in hand.

A lot of people have commented on Chris Hoff's "Network security is dead" post this week. Some say "Yay", others "Nay". I am a Yay-sayer. Not because I support Microsoft, UTM, or even Chris himself - although he seems to be a nice chap and he's always questioning the big security "names" instead of taking their wisdom as gospel, which I think needs a lot more encouraging. I say "yay" for my own data-centric reasons, and because I think UTM might just be a way towards it without offending my sensitive security nature too much.

So, compliance and data security, the death of the network, where could this possibly be leading?

I think security really needs a shake-up. It's in a bit of a rut, like we're scared of getting it wrong, or moving forwards. No-one seems to know where convergence is going, because it could just stay like it is or everything could end up in huge mainframes which we attach to with terminals...

No-one trusts data security or user-security, and everyone HATES network security. Actually, I should qualify that, I don't hate network security, I think it's a necessary evil - a place where research about other types of security is done. Network security in itself doesn't really exist you see. If you can think of device in which it does, it's pointless (ahem, firewalls). The network isn't actually where the security is taking place, it's always on a device, which is essentially a host of some sort anyway, which requires linking to something, with users, ending up at data, etc, etc. Then it gets built into the most useful device, or a UTM box. Where will the UTM boxes end up, probably one at the perimeter, and one at the data. One for users, one for, er, data. Yawn. It's all got a bit dull really, this discussion of convergence and UTM, NAC, blah, blah, blah. Just buy a couple of Crossbeam boxes and futureproof yourself, get on with your life.

So where was the big encryption explosion I was waiting for? Never happened, why? Because confidentiality isn't the whole story of security, and in fact isn't much of a story at all. Availability has been massive over the years of course, but why not integrity? Well, no-one understands it properly, that's why.

I think we're about to see a big shift here as the repercussions slowly dawn on the market however. And that's why I'm doing what I do. Selling integrity to people is hard. If they haven't experienced a loss of integrity they don't understand how damaging it is. We have to rely on compliance, and internal compliance at that. "External" compliance STILL isn't properly secure. I'd like to see some proper leaps forward in security, with some proper international compliance driving it, across every industry: something simple that we can all comply with.

Maybe that's why everyone's talking about ISO27001 all of a sudden?


Christofer Hoff said...


Great post.

I thought you might be interested in my latest little rant this time focused strangely enough on data-centric security...


Rob said...

I don't know how you position yourself in a security framework Chris, but personally I think this is a very valid way of speaking to the community at large.
UTM can provide a launch pad for a real "paradigm shift" in security, and by god do we need it.