Forcing Teamwork on Redmond


By Tim Mullen

Recently, while traveling in Ireland, I was surprised to see that the procedures followed by airline security, both on arriving in and departing from the country, were far less restrictive and invasive than here in the States. Even in London's Heathrow airport, a "tight schedule" backed by a little social engineering allowed me to bypass much of the security that was in place.

So I was not surprised to see that Heathrow itself, in supposedly secure sectors, was the recent target of two heists within a week of each other, in which criminals made off with a combined booty totaling over seven million dollars.

My point: no matter how good one particular part of a unit is at security, if the others who participate in the model are not involved and enrolled in the program, there will be breaches, guaranteed. The U.S. may impose (sometimes drastic) security measures on the airlines, but when other countries with flights into the U.S. do not follow the same plan, the entire structure is weakened.

Computer security is often defined as a mindset, process, or goal; this is to draw a contrast with those who think of it as a package, product, or tangible "do this and you will be secure" mechanism. Unfortunately, the latter assumption still seems to prevail. People think firewalls prevent break-ins, IDS systems detect all attacks, and antivirus software prevents malicious code from executing on their client boxes -- as if the installation and configuration of each results in "security."

Though each of these is an important part of the puzzle, the whole picture must include other means, including administrative and educational policies, to reach an acceptable level of security.

But regardless of how many technologies you employ to help secure your data, the process of security itself cannot be instantiated with any degree of success unless all the parties involved commit to some level of participation. Security cannot just be the job of IT -- it has to be the job of your clients, your users, your corporate management.

And your vendors.

To this end, I was heartened by the recent actions of John Gilligan, CIO of the United States Air Force. Not only does the Air Force do its part by engaging in continued education and training for the use of its varied computer technologies, but Mr. Gilligan is using his "VIP Customer" status with Microsoft and other companies to apply pressure on the vendors to tighten up the security of their products. As recently reported by USA Today, in meetings with key vendors, Gilligan let them know that the Air Force's business would go to "those who gave us better solutions."

If you want to get a message through to Steve Ballmer, have it include "we could lose money" somewhere in the text.

I don't think any of us are naïve enough to think that Gilligan would pull Microsoft's share of his 6+ billion dollar yearly budget and roll out Red Hat to the Air Force desktop -- and that surely is not even Gilligan's intent. But the fact that major customers are now using their available software dollars as muscle to demand secure products marks an important step in the progression of security's status up the marketing tier. And it is about time.

There are a great many people at Microsoft who are absolutely committed to security, and who take the massive task of securing Microsoft's suite of products quite seriously. But they do not act en masse -- if they spoke as an authoritative body, things would be better than they are today. With demands for security in software coming directly from the customer, I hope the voices of these people will be more easily heard among the buzz of market share and profit margin.

Development teams have to provide features. Security teams have to lock them down. And marketing teams have to figure out how much you and I are willing to pay for the varied levels of both.

I hope that more customers demonstrate their willingness to fund security-centric development efforts. The less time we have to spend on after-market security of products that should have been secure in the first place, the more time we can spend on delivering our products to our customer base. But remember, security does not stop with the vendor.

As security professionals, we all charge software vendors with producing secure products, and we back that up with research, vulnerability testing, and publication when necessary. But as customers and users, I don't think we (the "collective" we, that is) take enough responsibility for properly learning how to deliver, configure, and secure the services we rush to provide to the Global Customer. We all have to do our part.

SecurityFocus Online columnist Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software.
