Sunday, March 30, 2008
Sunday, October 7, 2007
The one portion of your outstanding daily that I love to read for its lack of quality is the weekly Paul Taylor Technology column, especially when he ventures way beyond his depth into matters concerning information security. His column presents a regular opportunity to get a peek at how technology is thought about from the point of view of the dangerously-misinformed. Unfortunately, the field of technology is littered with “professionals” who are in reality hazardous to the credibility of the profession – gadget monkeys who feel fulfilled in showcasing their ability to rattle off inconsequential acronyms and other minutiae. Little do they realize that their mindless word-spewing actually betrays an appalling lack of useful/contextual understanding and endangers the organizations that depend on their “advice”. Judging by the euphoric outpourings in his most recent column (dated Sep 28, 2007, “Spies kept out in the cold”), it seems that “all-singing, all-dancing security suites from Symantec, Panda and Kaspersky” have caught Mr. Taylor’s fancy. A bigger-picture perspective on some underlying dynamics in the commercial security space might be useful for your readers (and Mr. Taylor) before they go off and act on any of the regurgitated marketing hype.
The problem in the context of Internet security is that the interests of commercial product vendors have evolved such that they are fundamentally at odds with the dictates of good security architecture/design. Vendors, driven by the desire for ever larger profits, define progress as the creation of the correspondingly ever larger “Security Superbox” – one appliance or platform that functions as firewall, malware scanner, spam blocker, intrusion cop, to list a few headline functions. The fact that the enormous complexity and unreasonable cost of Superboxes actually erode Defense-In-Depth by consuming an inordinate amount of limited resources is lost in the cacophony of irrelevant marketing claims. This noise is amplified by gadget monkeys who are only too happy to spew the new lingo fed their unthinking brains. In reality, a “Security Superbox” represents the ultimate security design no-no: a Single Point of Failure (SPoF). So when your firewall gets compromised or crashes, it takes all your stored passwords with it and you no longer have any spam or intrusion protection either. Multiple programs, a.k.a. anti-Superboxes, have way smaller “footprints” and provide the isolation of functions so critical for devices connected to the Internet, besides providing way better performance. Good advice would be for users to move away from dangerous “silver bullet” thinking and start to craft a security suite suitable to their specific contexts. Good security architects know that the flip side of what vendors pitch as “the convenience and manageability” of their particular Superbox approach is the loss of true Defense-In-Depth attributes. In effect, by pursuing this approach, you end up spending all the emperor’s money in building a wall of needlessly large perimeter that is all the more vulnerable to sneak attacks.