Firewall Wizards mailing list archives

Re: Outsourcing Firewalls/Internet Security count


From: Bennett Todd <bet () rahul net>
Date: Fri, 5 Dec 1997 09:00:55 -0800

1997-12-04-16:42:15 Rick Low:
1997-12-03-18:56 Bennett Todd:
[...] you shouldn't be extending that sort of trust outside your own
organization; [...]

Why not? Isn't that what companies have been doing for years
with physical security -- outsourcing alarm monitoring, sensor
configuration and maintenance, detection and response, etc.

Interesting point. Where does the parallel break down?

I think it's in two points.

First, physical security is a mature discipline; it doesn't turn inside
out and upside down every few months; the basics of a straightforward
implementation appropriate for a normal business operation haven't
changed at all in recent decades. If we were to hit a plateau, with no
substantive changes in the security landscape for a couple of decades,
then outsourcing would be a lot more reasonable; you negotiate a design
once, then the provider implements and maintains it. No big deal. By
contrast a month doesn't go by when some new protocol, new application,
new user data flow requirement, or new something else doesn't require
weighing the tradeoffs between risks (how likely is a problem to be
exploited * how bad could it be if it were), benefits, and costs to
implement protections. That's a tough tradeoff, and requires close work
between dedicated security experts and committed management. When you do
it right, the security stances that emerge are strongly defended; users
cannot stomp over and ignore 'em, since you can explain the tradeoffs
that were weighted and the resulting business justification for the
policy, and refer them to management if necessary.

And second, the threat model is different. Burglars aren't a huge
problem, partly because physical security is so mature I'm sure,
but I think there's another factor. If you go and try and burgle an
establishment, you have to (a) physically exert yourself, (b) be
physically nearby --- burglars in the antipodes aren't a threat to you
--- and (c) run a real, immediate, and scary risk of getting caught and
incarcerated. By contrast, the internet is just crawling with people who
go around twisting doorknobs, often using burglary tools that attempt to
exploit very subtle bugs. They sweep machines all over the world --- you
are in as much danger from someone in a very different timezone and
season as you are from your next-door neighbor. And worst of all, the
perception among those who practice computer intrusion for fun is that
it's a very very low-risk hobby, that the likelihood of getting caught
is slim and the chance of being prosecuted successfully is nearly nil. I
fear they're right, today.

Combine these two and you're left with a very different picture: you can
outsource the design, implementation, and management of physical
security to external companies that have been doing it for a long time,
and it's an honest fire-and-forget solution. Do it once, don't worry
about review and redesign unless your own company changes radically.

By contrast, computer and most especially internet security needs to be
completely redone from scratch periodically and needs to be updated and
tweaked weekly or monthly, and the decision-making process for the
changes requires research, education, and negotiation with management
and users.

-Bennett
