Monday, March 12, 2007

Security Needs Speed

The long-standing rule amongst security heads is that security trumps performance requirements no matter what. And I've had a long-standing belief that ignoring performance requirements in security is flawed security.

Here's the problem: End users are (generally) not graded by how secure they are. Rather, they are graded by how effective they are at their jobs, regardless of security. For example, if an employee forwards company-confidential email to his personal Gmail box so that he can work on a document over the weekend, chances are that he'll be praised. He may very well have exposed all kinds of intellectual property to the public Internet, on another company's server, and then made edits on his virus-infested home computer, but he'll still be praised. Security issues be damned, the document was completed in time for the Big Meeting™.

This is where speed starts to matter. When accessing a resource is painfully slow, users will come up with solutions of their own to circumvent the problem. Period. Email is the most common problem with the most available solution (public web mail), but the scope does not end there. Homebrew, un-backed-up, security-audit-failing wikis are set up when IT administrators force sluggish installations of SharePoint on users. Google Desktop search goes up when end users can't search document repositories fast enough.

The most ambitious effort I have seen was at a branch office that got tired of corporate IT's refusal to get them a faster connection. The local manager approved a DSL line to be put in and a $50 Netgear firewall to be installed to replace a 256Kbps WAN link. Users accessed the corporate network via their VPN connections for internal web and Oracle applications, and external web access no longer had to go through the centralized proxy server. The "computer guy" has no idea if updates are pushed out or pulled down and doesn't appreciate how the Netgear's NAT can completely break that. To him, it's moot. "The damn things work."

As consumer tech brings increasingly complex and powerful tools to the masses, the number of workarounds to "make stuff work" is going to increase. As infrastructure professionals, we either make sure that our secure methods are better or we risk losing the battle.

