Security Thinking

Started by Netwörkheäd, April 21, 2015, 11:29:38 AM

Netwörkheäd

Sitting here in the Kool-aid sessions of RSA (the keynotes), I had a strong reaction to the Microsoft guy. He talked about how things will get fixed with some of his company's initiatives.

But, at the end of the day, no matter how secure a company wants to be, performance trumps security.

This is a huge obstacle to any and all security technologies. Consider something that should have been the most secure thing in the world: the launch codes for the USA's nuclear weapons. For decades, the generals in charge put performance over security and set the code at 00000000.

In the USSR, their resolution of the performance-security riddle was to automate their system, so that they could have a sophisticated security framework and maintain a rapid response posture. They were also highly vulnerable to false positives. A launch of a Norwegian weather satellite in 1994 almost caused a complete launch of their land-based missiles. At the end of the day, it was still performance over security, but with a sacrifice in a different area.
Let's not argue. Let's network!

deanwebb

I like to think that a pure R&S guy/developer/manager all want the network equivalent of an Ariel Atom for their systems. They want something that's lean, fast, responds to the CLI like nobody's business, and whips around the track for as little cash per horsepower as possible.

Then the security guys show up... we ask for more protection in body panels, airbags, seat belt improvements, additions to the braking system, sensors to aid in braking, rear-view cameras for driving in reverse... all that stuff reduces performance and you've now got a Honda Civic 2-door coupe with a top speed governor at 90mph.

While we think that's actually kind of sensible in cars, we have to remember that those safety features (including steering wheels that wouldn't impale drivers in a 20mph crash) all went in after massive amounts of kicking and screaming on the part of the car designers, and not a few only because of government regulation.

Not a lot of IT directors get pulled from security - hard enough to get one from networking, let alone a specialized area - so the mindset of best performance at least cost goes with that IT director, and security is almost always viewed as a cost and not as a mitigation of future costs.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.