By Tim Mullen

Recently while traveling in Ireland I was surprised to see that the
procedures followed by airline security, both while arriving in and
departing from the country, were far less restrictive and invasive than here
in the states. Even in London's Heathrow airport, a "tight schedule" backed
by a little social engineering allowed me to bypass much of the security
that was in place.
So I was not surprised to see that Heathrow itself, in supposedly secure
sectors, was the recent target of two heists within a week of each other
where criminals made off with a combined booty totaling over seven million
My point: no matter how good one particular part of a unit is at security,
if others who participate in the model are not involved and enrolled in the
program, there will be breaches -- guaranteed. The U.S. may impose (sometimes
drastic) security measures on the airlines, but when other countries with
flights into the U.S. do not follow the same plan, the entire structure is
Computer security is often defined as a mindset, process, or goal; this is
to draw contrast to those who think of it as a package, product, or tangible
"do this and you will be secure" mechanism. Unfortunately, the latter
assumption still seems to prevail. People think firewalls prevent
break-ins, IDS systems detect all attacks, and virus software prevents
malicious code from executing on your client boxes -- as if the installation
and configuration of each results in "security."
Though these technologies are an important part of the puzzle, the whole
picture must also include other means, such as administrative and educational
policies, to reach an acceptable level of security.
But regardless of how many technologies you employ to help secure your data,
the process of security itself cannot be instantiated with any degree of
success unless all the parties involved commit to some level of
participation. Security cannot just be the job of IT -- it has to be the
job of your clients, your users, your corporate management.
And your vendors.
To this end, I was heartened by the recent actions of John Gilligan, CIO of
the United States Air Force. Not only does the Air Force do its part by
engaging in continued education and training for use of its varied computer
technologies, but Mr. Gilligan is using his "VIP Customer" status with
Microsoft and other companies to apply pressure on the vendors to tighten up
the security of their products. As recently reported by USA Today, in
meetings with key vendors, Gilligan let them know
that the Air Force's business would go to "those who gave us better
If you want to get a message through to Steve Ballmer, have it include "we
could lose money" somewhere in the text.
I don't think any of us are naïve enough to think that Gilligan would pull
Microsoft's share of his 6+ billion dollar yearly budget and roll out Red
Hat to the Air Force desktop -- and that surely is not even Gilligan's
intent. But the fact that major customers are now using their available
software dollars as muscle to demand secure products marks an important step
in the progression of security's status up the marketing tier. And it is
There are volumes of people at Microsoft who are absolutely committed to
security, and who take the massive task of securing Microsoft's suite of
products quite seriously. But they are not en masse -- if they spoke as an
authoritative body, then things would be better than they are today. With
demands coming directly from the customer for security in software, I hope
the voices of these people will be more easily heard among the buzz of
market share and profit margin.
Development teams have to provide features. Security teams have to lock
them down. And marketing teams have to figure out how much you and I are
willing to pay for the varied levels of both.
I hope that more customers illustrate their willingness to fund the efforts
of security-centric developments. The less time we have to spend on
after-market security of products that should have been secure in the first
place, the more time we can spend on delivering our products to our customer
base. But remember, security does not stop with the vendor.
As security professionals, we all charge software vendors with producing
secure products; and we back that up with research, vulnerability testing,
and publication, when necessary. But as customers and users, I don't think
we (the "collective" we, that is) take enough responsibility in properly
learning how to deliver, configure, and secure the services we rush to
provide to the Global Customer. We all have to do our part.

SecurityFocus Online columnist Timothy M. Mullen is CIO and Chief
Software Architect for AnchorIS.Com, a developer of secure, enterprise-based