Fred Avolio's Musings

musings on security and other topics

Thu, 30 Jun 2005
News Flash: Security is an Architecture

Another "ground-breaking column" in Network Magazine (do we still say "in" when it is "on" a web page?). No, I am being unduly sarcastic. As I will suggest, it is not their problem but ours.

The column, by Art Wittmann, is "Security Is an Architecture, Not an Appliance." The premise: "The idea that security starts and ends with a prepackaged firewall is simply misguided." His column is right on target. But don't we know this already? (I suppose we do, but many people do not.) A search for "Firewalls are not enough" turns up 649 hits, including a paper I wrote that originally appeared in the Proceedings of the 17th National Computer Security Conference in October 1994, and another I wrote, the cover story for Information Security Magazine, "Firewalls: Are We Asking Too Much?" That was in May 1999.

What new information does Wittmann's column add? None, really. And to be fair, it is really just meant to be a lead-in to the magazine's current issue (not sure what month; I cannot tell from their web page), which discusses host-based IPS technologies.

This seems to me to be part of the trends I related in "History Lost" and "The Same Old Drum Beat." Yes, application-specific controls are needed. Yes, firewalls are not, and never have been, enough. Nevertheless, we apparently have communicated, and continue to communicate, to those with less clue than we have (see Seven Things to Help Keep Sanity and Equilibrium) that they are. I suspect, as I have for quite a few years, that the problem stems from the dilution of the network security clue-pool with those who took a course or two, got certified, and hung out a "security" shingle. As I rapidly approach a half-century of life, I am not suggesting anything radical. Just that the lack of practical experience may be part of the problem and, as I suggest elsewhere, may be what leads us to repeatedly cover the same ground. I am not just ranting here, but I have no solutions to offer except that people do their homework. Some of our latest discoveries were already discovered many years ago.

Erling Jepsen wrote from Denmark with these observations and pointers:
I'm doing my master's thesis on security aspects of service-oriented architecture (SOA), and this is one thing that I've started to wonder about myself. SOA introduces a new set of challenges to security. One is that organizations can no longer tie themselves down behind a DMZ, because the people who are accessing our data could be sitting inside or outside the organisation, and because there would be external partners also requesting information - a whole new. The Jericho Forum calls this de-perimeterization.

In order for security to properly match the extra abstraction layer which SOA has adhered to, it will itself have to rise, so I think formulating a security architecture would be interesting.

Just my 5 cents of comments (or 25 øre, as the equivalent is here in Denmark).

Thanks for the pointer, Erling. I had never heard of the Jericho Forum before.


Massive Credit Card Exposure (updated)

If you read any Internet-technology-based news, you know that a recent security breach may have exposed 40 million credit card numbers. The actual number is probably smaller. And I suspect that the so-called "security vulnerabilities in the processor's systems," as MasterCard put it, will probably turn out to be well-known vulnerabilities or practices considered less than best.

So, what's a person to do? Do you stop using MasterCard and use Visa? That is hardly practical. But we can start demanding that the credit card companies enforce high security standards on the companies that support them.

Bruce Schneier writes about it in his blog.

The Register's story is here, and InfoWorld's is here.

Pete Lindstrom from Spire posted a terrific column on Credit Card Numbers vs. SSNs.
Read Matthew Friedman's comments and analysis in his securitypipeline column.
