Bruce Schneier: The People Paradigm

Bruce Schneier, security technologist and CTO of Counterpane Internet Security, answers readers' questions about computer network defenses and sloppy end users.

CSO, November 01, 2004

Q: Now that we've moved beyond the security perimeter paradigm for security, we seem to be stuck with impossible-to-manage solutions. What is your outlook for relief?

A: I think that the death of the perimeter is premature. Perimeter security defenses are still valuable, and always will be. It's just that they used to be enough, and now they're not.

The firewall model of network security is based on the castle paradigm. The good guys are on the inside, and you build walls to keep the bad guys out. That worked pretty well when networks were largely self-contained and people worked inside them. Today, things are more complicated. The good guys are regularly on the outside, and the bad guys are inside. Even worse, you want the bad guys on the inside, just not doing bad things. So we have all sorts of solutions: intrusion detection systems, authentication services, VPNs and so on.

Instead of dumping the notion of a perimeter, we need a new paradigm. I think network security is like city security. In a city there are all sorts of perimeters: fences, buildings, rooms. People move in and out of those perimeters, depending on who they are. If you're a shopkeeper, you want everyone to be able to enter the store but only during business hours. And you want only employees to be able to open the door to the stockroom. I think the usability of products is the most critical Internet security problem right now, and I don't see much relief.

Q: Do you think umbrella security services (for example, directory services, identity management and user provisioning, single sign-on, transitive trust models) are ready for prime time?

A: Your question points to an interesting paradox in the computer world: Products are never ready for prime time until after they're widely deployed. In other words, it takes a healthy marketplace for a given technology before the problems shake out. Until they're deployed, we don't know what the problems are. We can't fix the technology until we start using it.

So no, I don't think that these services are ready for prime time. But I think we have to deploy them anyway. We need to break them in. We need to watch the bad guys attack them. And slowly, over time, they'll become more robust.

Q: While hardware and software security solutions abound, it seems like users are still the biggest security problem. How do organizations ensure that their people don't violate security?

A: Honestly, they can't. Computers and networks might be difficult to secure, but the biggest security vulnerability is still that link between keyboard and chair. People are sloppy with security; they choose lousy passwords, don't properly delete critical files, and they bypass security policies. They're susceptible to social engineering, and they fall victim to phishing attacks. They misconfigure security hardware and software. They accidentally bring worms and Trojan horses into the network. In short, they're a huge security problem.

Bruce Schneier
