Firewall Wizards mailing list archives
Re: Outsourcing Firewalls/Internet Security count
From: Bennett Todd <bet () rahul net>
Date: Fri, 5 Dec 1997 09:00:55 -0800
1997-12-04-16:42:15 Rick Low:
> 1997-12-03-18:56 Bennett Todd:
> > [...] you shouldn't be extending that sort of trust outside your own organization; [...]
>
> Why not? Isn't that what companies have been doing for years with physical security -- outsourcing alarm monitoring, sensor configuration and maintenance, detection and response, etc.
Interesting point. Where does the parallel break down? I think it's in two points.

First, physical security is a mature discipline; it doesn't turn inside out and upside down every few months; the basics of a straightforward implementation appropriate for a normal business operation haven't changed at all in recent decades. If we were to hit a plateau, with no substantive changes in the security landscape for a couple of decades, then outsourcing would be a lot more reasonable; you negotiate a design once, then the provider implements and maintains it. No big deal. By contrast a month doesn't go by when some new protocol, new application, new user data flow requirement, or new something else doesn't require weighing the tradeoffs between risks (how likely is a problem to be exploited * how bad could it be if it were), benefits, and costs to implement protections. That's a tough tradeoff, and requires close work between dedicated security experts and committed management. When you do it right, the security stances that emerge are strongly defended; users cannot stomp over and ignore 'em, since you can explain the tradeoffs that were weighed and the resulting business justification for the policy, and refer them to management if necessary.

And second, the threat model is different. Burglars aren't a huge problem, partly because physical security is so mature I'm sure, but I think there's another factor. If you go and try and burgle an establishment, you have to (a) physically exert yourself, (b) be physically nearby --- burglars in the antipodes aren't a threat to you --- and (c) run a real, immediate, and scary risk of getting caught and incarcerated. By contrast, the internet is just crawling with people who go around twisting doorknobs, often using burglary tools that attempt to exploit very subtle bugs. They sweep machines all over the world --- you are in as much danger from someone in a very different timezone and season as you are from your next-door neighbor.

And worst of all, the perception among those who practice computer intrusion for fun is that it's a very very low-risk hobby, that the likelihood of getting caught is slim and the chance of being prosecuted successfully is nearly nil. I fear they're right, today.

Combine these two and you're left with a very different picture: you can outsource the design, implementation, and management of physical security to external companies that have been doing it for a long time, and it's an honest fire-and-forget solution. Do it once, don't worry about review and redesign unless your own company changes radically. By contrast, computer and most especially internet security needs to be completely redone from scratch periodically and needs to be updated and tweaked weekly or monthly, and the decision-making process for the changes requires research, education, and negotiation with management and users.

-Bennett
Current thread:
- Outsourcing Firewalls/Internet Security count Safier, Adam (GEIS) (Dec 03)
- Re: Outsourcing Firewalls/Internet Security count Edward Cracknell (Dec 03)
- Re: Outsourcing Firewalls/Internet Security count Bennett Todd (Dec 03)
- Re: Outsourcing Firewalls/Internet Security count David HM Spector (Dec 04)
- Re: Outsourcing Firewalls/Internet Security count Bennett Todd (Dec 05)
- Re: Outsourcing Firewalls/Internet Security count Adam Shostack (Dec 08)
- Re: Outsourcing Firewalls/Internet Security count Bennett Todd (Dec 03)
- Re: Outsourcing Firewalls/Internet Security count Rick Low (Dec 04)
- Re: Outsourcing Firewalls/Internet Security count Paul D. Robertson (Dec 05)
- Re: Outsourcing Firewalls/Internet Security count Bennett Todd (Dec 05)
- Re: Outsourcing Firewalls/Internet Security count Larry J. Hughes Jr. (Dec 08)
- Re: Outsourcing Firewalls/Internet Security count Edward Cracknell (Dec 03)
- Outsourcing firewalls & InfoSec Ops - Part I/II Frank Willoughby (Dec 09)
- Re: Outsourcing firewalls & InfoSec Ops - Part I/II Paul D. Robertson (Dec 15)
- Re: Outsourcing firewalls & InfoSec Ops - Part I/II chuck yerkes (Dec 16)
- Re: Outsourcing firewalls & InfoSec Ops - Part I/II Paul D. Robertson (Dec 17)
- Re: Outsourcing Firewalls/Internet Security count Ted Doty (Dec 05)
- Re: Outsourcing Firewalls/Internet Security count Paul D. Robertson (Dec 05)
- Re: Outsourcing Firewalls/Internet Security count Joseph S. D. Yao (Dec 05)