By Tim Mullen
Recently while traveling in Ireland I was surprised to see that the procedures followed by airline security, both while arriving-in and departing-from the country, were far less restrictive and invasive than here in the states. Even in London's Heathrow airport, a "tight schedule" backed by a little social engineering allowed me to bypass much of the security that was in place.
So I was not surprised to see that Heathrow itself, in supposedly secure sectors, was the recent target of two heists within a week of each other where criminals made off with a combined booty totaling over seven million dollars.
My point: no matter how good one particular part of a unit is at security, if others who participate in the model are not involved and enrolled in the program, there will be breaches-- guaranteed. The U.S. may impose (sometimes drastic) security measures on the airlines, but when other counties with flights into the U.S. do not follow the same plan, the entire structure is weakened.
Computer security is often defined as a mindset, process, or goal; this is to draw contrast to those who think of it as a package, product, or tangible "do this and you will be secure" mechanism. Unfortunately, the latter assumption still seems to prevail. People think firewalls prevent break-ins, IDS systems detect all attacks, and virus software prevents malicious code from executing on your client boxes -- as if the installation and configuration of each results in "security."
Though an important part of the puzzle, the whole picture must include other means, including administrative and educational policies, to reach an acceptable level of security.
But regardless of how many technologies you employ to help secure your data, the process of security itself cannot be instantiated with any degree of success unless all the parties involved commit to some level of participation. Security cannot just be the job of IT -- it has to be the job of your clients, your users, your corporate management.
And your vendors.
To this end, I was heartened by the recent actions of John Gilligan, CIO of the United States Air Force. Not only does the Air Force do its part by engaging in continued education and training for use of its varied computer technologies, but Mr. Gilligan is using his "VIP Customer" status with Microsoft and other companies to apply pressure on the vendors to tighten up the security of their products. As recently repor ted by USA Today, in meetings with key vendors, Gilligan let them know that the Air Force's business would go to "those who gave us better solutions."
If you want to get a message through to Steve Ballmer, have it include "we could lose money" somewhere in the text.
I don't think any of us are naïve enough to think that Gilligan would pull Microsoft's share of his 6+ billion dollar yearly budget and roll out Red Hat to the Air Force desktop -- and that surely is not even Gilligan's intent. But the fact that major customers are now using their available software dollars as muscle to demand secure products marks an important step in the progression of security's status up the marketing tier. And it is about time.
There are volumes of people at Microsoft who are absolutely committed to security, and who take the massive task of securing Microsoft's suite of products quite seriously. But they are not en masse -- if they spoke as an authoritative body, then things would be better than they are today. With demands coming directly from the customer for security in software, I hope the voices of these people will be more easily heard among the buzz of market share and profit margin.
Development teams have to provide features. Security teams have to lock them down. And marketing teams have to figure out how much you and I are willing to pay for the varied levels of both.
I hope that more customers illustrate their willingness to fund the efforts of security-centric developments. The less time we have to spend on after-market security of products that should have been secure in the first place, the more time we can spend on delivering our products to our customer base. But remember, security does not stop with the vendor.
As security professionals, we all charge software vendors with producing secure products; and we back that up with research, vulnerability testing, and publication, when necessary. But as customers and users, I don't think we (the "collective" we, that is) take enough responsibility in properly learning how to deliver, configure, and secure the services we rush to provide to the Global Customer. We all have to do our part.
SecurityFocus Online columnist Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software.