Network Computingwww.networkcomputing.com

		our customizable newsletter, sends you security alerts, product updates and software patches on the products you use. Sign up now at www.networkcomputing.com /express/

The clipboard-toting weasel took three hours of my time and left a trail of new work behind him. Ultimately, his security study introduced layers of procedure designed to track every minor system change and collect mounds of user-activity information. This new process took hold for a few months and then was abandoned when another consultant identified that our IT staff was overburdened with administrative work and our systems wer e bogged down logging the movement of every user.

This story isn't unique. Most companies just don't know how to achieve a sane security policy, one that protects information assets for a reasonable cost. Instead, we thrash about with quick fixes--a form here, a firewall there, the occasional audit. The responsible forces at work are fear, a general distraction by IT and a lack of understanding that starts with IT and gets progressively worse toward the top.

First, we have fear--an emotion that many security vendors are perfectly happy to promote. Despite the fact that the highest risk to information is rarely at the network perimeter, the threat of hackers from the underworld still produces headlines and commercials on prime-time TV. Fear can generate substantial vendor revenue and divert money from important projects. But paranoid security is just a cost center, a bottomless money pit that won't enhance company performance.

IT, along with most software vendors, is principally concerned with adding capabilities that will contribute to the bottom line in some fashion, through user productivity, reduced labor costs, faster time to market and so on. My auditor friend doesn't help me here, but mostly gets in the way of delivering service to my customers. But it's my fault if I don't manage him well, and to do that I need to understand the risk and cost trade-offs that drive security policy and take over the problem myself by becoming a champion for a sane security policy. I also need to understand the tools and techniques that will keep it manageable.

A Practical Security Education Isn't It's not easy to take a rational approach to security, so we're doing our part to help. In these very pages, you've seen detailed discussions of the real-world limits of critical security technologies: certificate authorities, firewalls, S/MIME and VPNs, to name a few. We've assessed the overall state of security and how these technologies fit--or don't fit--your environment. Very few products get high grades b ecause we evaluate them against the ideal solution, not on a curve. If you don't need a product, we tell you.

Network Computing continues to promote practical security by presenting The Internet Security Conference (TISC) April 6 to 8 in San Jose (see tisc.corecom.com for more details). Our editors will be presenting sessions on secure e-mail, advances in biometrics, secure remote access, desktop encryption and our analysis of certificate authorities. A vendor fair will demonstrate real applications running across a distributed network, including VPN products running at Network Computing's own Real- World Labs¨.

TISC will feature tutorials and workshops conducted by a world-class faculty, the really big names in security: Dr. Steven Kent will teach network security principles and protocols; Dr. Radia Perlman and Charlie Kaufman will provide an overview of commercial security systems from a technical perspective; Marcus Ranum will predict the future evolution of security tools. And those are just for st arters. These experts understand the technology inside and out, have decades of experience and are just plain interesting to hear.

I attend conferences to learn and I've always been disappointed by the security sessions. Academic presentations often cater to mathematicians, scholars and product developers. Vendor presentations have mostly been self-serving. Finally, we get a conference that provides something more memorable than a hangover.

David Willis can be reached at dwillis.nwc.com.