
Bruce Schneier: The People Paradigm

Bruce Schneier, security technologist and CTO of Counterpane Internet Security, answers readers' questions about computer network defenses and sloppy end users

November 01, 2004

Q: Now that we've moved beyond the security perimeter paradigm for security, we seem to be stuck with impossible-to-manage solutions. What is your outlook for relief?

A: I think that the death of the perimeter is premature. Perimeter security defenses are still valuable, and always will be. It's just that they used to be enough, and now they're not.

The firewall model of network security is based on the castle paradigm. The good guys are on the inside, and you build walls to keep the bad guys out. That worked pretty well when networks were largely self-contained and people worked inside them. Today, things are more complicated. The good guys are regularly on the outside, and the bad guys are inside. Even worse, you want the bad guys on the inside, just not doing bad things. So we have all sorts of solutions: intrusion detection systems, authentication services, VPNs and so on.

Instead of dumping the notion of a perimeter, we need a new paradigm. I think network security is like city security. In a city there are all sorts of perimeters: fences, buildings, rooms. People move in and out of those perimeters, depending on who they are. If you're a shopkeeper, you want everyone to be able to enter the store but only during business hours. And you want only employees to be able to open the door to the stockroom. I think the usability of products is the most critical Internet security problem right now, and I don't see much relief.

Q: Do you think umbrella security services (for example, directory services, identity management and user provisioning, single sign-on, transitive trust models) are ready for prime time?

A: Your question points to an interesting paradox in the computer world: Products are never ready for prime time until after they're widely deployed. In other words, it takes a healthy marketplace for a given technology before the problems shake out. Until they're deployed, we don't know what the problems are. We can't fix the technology until we start using it.

So no, I don't think that these services are ready for prime time. But I think we have to deploy them anyway. We need to break them in. We need to watch the bad guys attack them. And slowly, over time, they'll become more robust.

Q: While hardware and software security solutions abound, it seems like users are still the biggest security problem. How do organizations ensure that their people don't violate security?

A: Honestly, they can't. Computers and networks might be difficult to secure, but the biggest security vulnerability is still that link between keyboard and chair. People are sloppy with security; they choose lousy passwords, don't properly delete critical files, and they bypass security policies. They're susceptible to social engineering, and they fall victim to phishing attacks. They misconfigure security hardware and software. They accidentally bring worms and Trojan horses into the network. In short, they're a huge security problem.
