Sunday, 8 July 2007

Give me a break!

I just spent the weekend at Caldes de Malavella, in the Balneari Vichy Catalan spa hotel. Wow. No more needs to be said about this place. If you go there now you can see my finger nail marks on the floor where my wife had to drag me kicking and screaming back to reality and life in Barcelona. That's just to make you jealous, now down to business.

Before I left for a fabulous weekend (did I tell you about it? I had a massage and a thermal bath), I had someone leave a comment on my Friday afternoon blog that started:

"Stastics show that 70% of security breaches happen internally, rather than externally."

Obviously not a regular reader then, or follower of threads. Alex Hutton and I had a brief discussion earlier in the week about how this statistic has been bandied about, willy-nilly, since time immemorial, and yet no-one knows where it comes from, or can prove it. It's easy to infer that more attacks come from internally now that most people have firewalls and IDS, but whereas you used to get thousands of attacks through a flaky perimeter, and maybe one or two from inside, now you get nothing from the outside and one or two from within. Really, nothing has changed, just the percentages.

But I gave him a chance and read on:

"But then what's Information Security really? My take - Information Security prevents:
1. Productivity Lossess
2. Collateral Lossess
3. Prestige Losses"

Uh-oh. So, apart from the profligate use of "s", what's wrong with this picture? Is information security really just about preventing loss? Is this ALL I do all day?

I called Friday's blog "Back to Basics", but maybe I need to go a little further back:

C is for confidentiality, which is keeping information private; it doesn't prevent loss.
I is for integrity, which is keeping information unchanged unless the change is authorised; this CAN prevent loss, or just indicate that a loss has happened.
A is for availability, which is making sure everyone who is supposed to be able to see it can see it. This has nothing to do with loss.

There are other things which have grown up around this: reporting, management, risk analysis, DR, BCP, etc. The last 2 cover productivity loss prevention. Risk analysis will cover all of them; reporting and management will give you a hook into some of it, but they do far more. Ever heard of return on investment? No security would EVER have been sold without it. If you can't put together an ROI argument, you won't sell anything to a bank, government office, healthcare institution, etc, etc.

The commentator then started on about Content Filtering (capitals included). I won't bother repeating the convoluted arguments he went through, but he started by telling me that what I was talking about was preventing Collateral Loss. No I wasn't! I was talking about stuff which used to sell well 10 years ago, and is still selling well now.

It wasn't a comment about my knowledge of security, it was about the state of the market and how slowly it is progressing in some areas, and not in others. There was maybe a hint of bitterness towards salesmen, and frustration that data security hasn't zoomed forwards, but nothing to say that this was the be all and end all of Security As It Stands.

By this time I had lost interest in the comment, but clicked on the commentator's homepage link. It went somewhere... which... was... about... f... f... fu... firewalls. Didn't anyone tell you that I'm not a big fan? Have you EVER read one of my posts before? It was one of the things I wrote in the post, for god's sake!

Let me get this straight, once and for all. I don't mind vendors coming and engaging in lively debate on my site. I welcome it in fact, most people who work for vendors have reason for doing so. I have a passion for my chosen technology, and always have done, hence the hat tips to Bluecoat, F5, Ingrian, Kinamik, Vormetric, et al.

What really gets on my tits, however, is when someone I don't know tells me I'm missing something, then proves to me that he hasn't understood a word of what I'm saying, or has just deliberately ignored it to get his own message across. Especially when they sell crappy firewalls - which, by the way, have nothing to do with loss either, merely intrusion, which only leads to loss after a lack of access controls (availability), encryption (confidentiality) and integrity - we really don't need them.

Thanks to Walt Conway for bringing the comments back to a sensible level. I've downloaded your paper and will be quoting it at some point soon I hope. It's really good, and unlike some others, you've obviously worked hard and done some proper research.

Now I need to go back to the spa to unwind. That's one good thing I suppose.
