Wednesday, 5 September 2007

How security is driven

I'm not afraid to say that I hate firewalls. I also think NAC is fundamentally flawed, another sales-driven exercise which has no place in pure security thought. It's incomplete, half-baked, evolving at best and network-based, like early firewalls in many respects. Oh, how this is going to cause ructions. I don't begrudge anyone doing it, so before Alan, Mitchell, et al. get medieval on my ass, I'm glad someone's having a go and filling a gap in the market.

Then again, there is little that can be considered as pure security at the moment, and as I said yesterday, security needs to move with the times and not get caught totally in the technical. However, firewalls and NAC prove to me how dangerous it is for security to get caught up entirely in the business too. These are both technologies that are solely there to address a business issue tangibly, that is, in a way that the average CEO does, rather than properly, like the average CSO should.

I don't think these technologies will last forever, although NAC seems to be doing OK now. I could argue that firewalls have been dead for years, and what exists now is a hybrid. In the same way, I hope NAC will be the beginning of a move towards proper data security. It certainly seems that it could be something which ties user and data security together in a more complete way; the problem with it now is that it is not understood by those using it.

So, just as firewalls have become UTM devices at the perimeter, so we will eventually find a data-security device at the centre of our networks in the future. NAC should not be everything which is needed, but built in here. But is NAC taking us in the right direction? Probably.

However, the point here is that security hasn't identified a hole in the network and moved to fill it; it has identified a hole in the market, and the security barely makes sense. Evolution is necessary where people are involved. I understand this, just as I understand that sometimes people need a kick in the bum with something like compliance. However, just as back in 1985 we couldn't have predicted that Facebook would be the amazing success it is today, we couldn't have predicted that compliance was going to cause us so much pain and lead us down so many blind alleys. Some people have cleaned up in all the confusion. ATW, by appearing to have all the knowledge, are now enormous, and spreading.

There was a link to my blog yesterday from Jon saying: "He thinks we need to force people to be secure through compliance regulations. I disagree. Screw regulation and screw compliance. If someone wants to do business with a company that had a breach, then let them."
I think this is the view of a lot of people in security nowadays. We've tried so hard to educate people, but they still won't buy from us. OK, that's slightly cynical, but it really is the case. We're all in this for the money; we don't do security just because we love it. It's interesting for sure, but it's also pretty well paid. And people won't buy what they don't need or want, after all. All compliance does is force a need, but if people still don't understand it, they will buy whatever appears to cover all their needs the cheapest. Therefore security gets chased down a rabbit hole instead of improved. Odd.

Some of the best "solutions" (for want of a better word) in security remain untouched because people don't understand that they need them, why they need them, or even that they should be looking at them. The only way we can hope to change that is by educating slowly, evolving and moving through some bridging technologies to get there. Firewalls have evolved into UTM, which is almost right; NAC will evolve into part of a link between UTM and data security. Data security is really only just beginning, but I have a fair idea of how this will pan out. I've given various views on this already, but this is very much my area, so I will continue in good time.