Security Is Happening….Finally

    May 1, 2006

I’ve got to resign myself that I’m cursed with longer eyeballs than most. It seems I’m like a B movie psychic when it comes to IT sometimes – I see whats going to happen, but there’s not much I can do about it.

It’s not that I’m smart, mind you. It’s only that I have the luxury of watching things for a living. Sometimes if you look long enough, you just see the way the game is going to play out. Security is one of those things.

I’m not the guru – I was just smart enough to hire the guru three years ago (Jon Oltsik). Last year I hired another one (Eric Ogren) because the privacy laws started to be violated. You don’t have to be a NASA engineer to figure out that consumer privacy breaches (or threats of breaches – as most of the laws cover) aren’t a new phenomenon – only newly reported. I knew it would get juicy.

So here we are – now every day it seems some new debacle is on the news around who lost what consumer data. It’s going to get worse – much, much worse. Most states in the U.S. still don’t even have privacy laws.

Check out this free abstract of Jon Oltsik’s “Protecting Confidential Data” – it’s loaded with data that should scare the heck out of you.

The good news is the storage folks – who hold all this data that keeps getting breached one way or another, can no longer ignore the issue, or make nothing statements like “we’re going to adhere to any security practice the customer chooses”. Protecting data in flight is nice – but only 2% of our data is ever in flight. Protecting the perimeter is nice – but I can’t even keep Spam out. Identity management is brilliant – if you use it. I don’t care what anybody says – sooner or later you will HAVE to encrypt anything you care about – everywhere it lives.

Here’s an excerpt from Hu Yoshida of HDS fame in one of his blogs:

“While the accumulating reports of data loss, have captured the headlines and focused attention on encryption, there is much more to storage security than encryption. Data does not have to be lost to be exposed. A hacker can access storage and steal information, without leaving any trace. Other areas of concern are authentication, authorization, immutability, non repudiation, integrity, privacy, logging, and auditing.”

Good point, and as Oltsik will concur – most attacks are from within. Those attacks don’t make the Wall St. Journal though – but some tape jockey dropping a tape behind the rack during an audit does.

I guess what strikes me as the most odd in all of this is that the CEO has absolutely no idea (typically) of the sheer magnitude of the potential for problems. They don’t know that there are tons of people with “root” privileges in their company that can see anything they want, any time they want. 99% of the time those folks are morally sound and doing all the right things, but sometimes…..

Add to | DiggThis | Yahoo! My Web


Steve Duplessie is the author of the “Steve’s IT Rants” blog, and the founder and Sr. Analyst of the Enterprise Strategy Group.