In recent weeks we have run a number of connected "articles" about IT security. In this, the last article in the series, we reflect on security as a whole and review some of your feedback. We kicked off with a piece on "why IT security matters". While we said that it would be a rare IT person who saw security as unimportant …
Not to be dismissive, but adopting a formal Systems Engineering approach to an information system would illuminate problem areas and provide solutions before the system was put together. It is a proven approach, widely used and shown to dovetail well with human systems and business management.
There's no end to articles pointing out IS systemic problems and highlighting that they're not tactical and that they're not adequately treated with some new add-on product. Such articles are correct, but still beat about the bush describing a horse as "a large animal-like creature with possibly up to four legs and at least one head ...". It's a horse, so call it one. Likewise the integrated problem-solving approach that's needed already has a name: Systems Engineering.
IT Security - We get what we deserve?
Here we go again! It is time to STOP this!
Let's blame the human user for poor security BUT this is just like asking a car driver to stop a car at speed when the car manufacturer decided to save money by not putting brakes in the car, of course stating that the market didn't want "brakes" - metaphorically speaking. The introduction to the USA "Orange Book" of 1983 set the broad philosophy, which we have known for over 50 years, i.e. manufacturers ONLY respond to strong legislative requirements and strong government purchasing policy for secure systems. Ralph Nader did it in the 1960s for the car industry - but no-one has done it for the computer industry. Remember "C2 by '92" and even "B2 by '95"?
A quick glance at current attack problems with current systems shows that the major problem is that "Discretionary Access Control (DAC)" at the operating system level in the Internet age is totally obsolete and something along the lines of "Flexible Mandatory Access Control (FMAC)", made easy to understand and administer, is urgently needed across the computer industry.
The problem is simple!
Legislation and compliance have been common at the industry level, e.g. motor vehicles, pharmaceuticals, air transport, electric power generation and distribution and so on - BUT - for some strange reason NOT the IT industry itself.
It is time to stop blaming the customer and blame the industry.
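The point made in the comment above, that discretionary access control lets any process running under a user's identity hand that user's data to anyone, is easier to see in code than in prose. What follows is an illustration added for this page, not code from the article or from any commenter. It is a toy model: Unix-style owner/ACL checks stand in for DAC, and a Bell-LaPadula style "no read up, no write down" lattice stands in for the kind of mandatory control the commenter is asking for. All users, files, labels and levels in it are constructed for the example.

```python
"""Toy DAC vs MAC model (added example). A phishing payload running as
"alice" tries to get a secret file to "mallory" by two classic routes:
granting read access on the file, and copying it to a public drop file.
Under pure DAC both routes work because the process *is* the owner.
With a system-set label check layered on top, neither does."""
from dataclasses import dataclass, field

# Sensitivity lattice, lowest to highest (constructed for the example).
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class File:
    name: str
    owner: str
    label: str                                   # MAC label, set by the system
    acl: set = field(default_factory=set)        # DAC entries: (uid, op), owner-controlled
    content: str = ""


@dataclass
class Process:
    uid: str          # whose identity the process runs under
    clearance: str    # highest label the process may read


def dac_allows(p: Process, f: File, op: str) -> bool:
    """Discretionary check: the owner may do anything, others need an ACL entry."""
    return p.uid == f.owner or (p.uid, op) in f.acl


def dac_grant(p: Process, f: File, uid: str, op: str) -> bool:
    """chmod/setfacl analogue: only the owner may change the ACL, but the owner
    may grant anything to anyone, which is exactly the DAC weakness."""
    if p.uid != f.owner:
        return False
    f.acl.add((uid, op))
    return True


def mac_allows(p: Process, f: File, op: str) -> bool:
    """Bell-LaPadula style check: no read up, no write down. The owner cannot
    relax this because neither the label nor the clearance is owner-controlled."""
    pl, fl = LEVELS[p.clearance], LEVELS[f.label]
    if op == "read":
        return pl >= fl
    if op == "write":
        return pl <= fl
    return False


def allowed(p: Process, f: File, op: str, policy: str) -> bool:
    """'dac': discretionary only. 'mac': discretionary AND label check."""
    if policy == "dac":
        return dac_allows(p, f, op)
    return dac_allows(p, f, op) and mac_allows(p, f, op)


def simulate_exfiltration(policy: str) -> bool:
    """Return True if malware running as alice can get secret content to mallory."""
    secret = File("plans.txt", owner="alice", label="secret", content="merger terms")
    dropbox = File("tmp/out.txt", owner="alice", label="public")
    malware = Process(uid="alice", clearance="secret")    # hijacked user session
    attacker = Process(uid="mallory", clearance="public")

    # Route A: grant mallory read on the secret file itself.
    dac_grant(malware, secret, "mallory", "read")
    route_a = allowed(attacker, secret, "read", policy)

    # Route B: read the secret, copy it into a public drop file, open that up.
    route_b = False
    if allowed(malware, secret, "read", policy):
        data = secret.content
        if allowed(malware, dropbox, "write", policy):       # write-down blocked under MAC
            dropbox.content = data
            dac_grant(malware, dropbox, "mallory", "read")
        route_b = (allowed(attacker, dropbox, "read", policy)
                   and dropbox.content == data)

    return route_a or route_b


if __name__ == "__main__":
    for policy in ("dac", "mac"):
        print(f"{policy}: exfiltration {'succeeded' if simulate_exfiltration(policy) else 'blocked'}")
```

The DAC run succeeds by both routes because every check reduces to "is this process the owner?", and a compromised process running as the owner always is. The MAC run still lets alice's process read her own secret file (that is legitimate), but the write into the public drop file is a write-down and the attacker's read of the secret file is a read-up, and no ACL change the owner makes can override either. Real systems that layer a label check over the classic mode bits (SELinux, SMACK, Windows integrity levels) follow the same shape; what the commenter calls "flexible" MAC is the administration problem of making such labels tractable, which this toy model does not address.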
"It is time to stop blaming the customer and blame the industry."
Transportation, drugs, etc. will all kill you. IT will not.
Our society's use of computers has exploded faster than the base of knowledgeable users. Management has no clue how to make use of this new technology, and as a result is falling back on old business models. Old business models, where "it's good enough" rules the day, don't work in the digital world where 10101010 != 10101011 ...
The last thing IT needs is government regulation ... all that will do is add more humans to the chain, and humans make mistakes. I said before that security starts with people, and I meant it in that context ... but in this case, adding more people will only make the problem worse.