(I’ve hesitated posting this, since I’m myself getting sick of just complaining. But sometimes it helps with the thought process…)
So I’ve regularly been seeing these announcements that the perimeter is porous and users are adopting “cloud” (in the loose definition) services and consumer products to consume corporate data, and how security needs to accept it and start tailoring data-centric controls and architecture to deal with that reality.
That’s all great and fine to say, but there’s nothing actionable in these postings. Maybe I’m being dense for the moment, but in all these sorts of grand announcements, no one actually seems to have any idea what to actually do. (Or maybe all of the suggestions are at a developer level and involve more people vetting processes/data usage, and more QA controls, and…I hate to say it, but Lord help us if so. In that case, the security team needs to be part-time developers, and have 48-hour days.)
And no, I don’t want to hear (yet again) about education and dialogue and threat analysis. Necessary, yes, but there are no real assurances in that. That’s like saying we’ll implement a firewall by talking about it in a monthly group therapy session. (Update: Ok, maybe education is the only real answer here. I’ll accept that if people say it, I guess. I’ll just remind them there’s still no *real* assurance there, and you don’t have enough security staff to watch everyone all the time.)
If a company is using Google docs, I want to know what a security team can do to keep that more secure.
If a company is using the Amazon cloud to deliver part of their web site content, I want to know what a security team can contribute.
If a company is using Github, I want to know what options a company has with their code security.
If some employees were using Dropbox for the past few weeks to back up business-critical files, what can you assure me about their security? (Or do you even have a chance to know whether someone accessed your files during the “any password accepted” hours?)
If you’re allowing your executive teams to use iPads, I want to know what you’re doing to assure some security for those users on those devices with the things they access. (Not counting people who only browse the web and check their web mail.)
And I don’t want blog comments, I want to actually see industry blog posts that go into realistic detail, ya know? Not because I want someone to do my job for me, but if we can’t solve things behind our curtains, we’re damn sure not going to solve things in front of the management teams.
I completely buy that the “perimeter” is porous (my coworkers are getting used to my sighs of exasperation as I hear of yet another service that wiggles and persists itself through any and all perimeter controls. [Strangely, all of this is a *product* of perimeter control, ya know? We stopped things, people still wanted them, it evolved. Just like an attacker!]) But so many articles and blog posts include the reverse implication that you need to forget your perimeter and find something else to do. A something else they never define. They just say we need it. Even Neo needed something tangible to wrap his mind around (pun intended) so he could start buying into this paradigm shift.
I know I’m being self-fulfilling in this, but we have a lot of commentary and not a lot of doing these days. I’m painfully aware of my own coasting over the last year or so. Still, I’d rather have a lot of complainers than a lot of people saying vague general unactionable things, to be honest.