Fundamentals: Don't Look for a Security 'Holy Grail'

Stick around the IT business long enough and you'll realize that successful paradigm shifts are few and far between--in fact, the Internet explosion is the only one that

leaps to my mind. Failed changes, like the development of an all-telecommuting workforce, are much more common. In the security area, broad concepts like PKI (public key infrastructure) and ID and attribute management also have gone largely by the wayside, despite lingering glimmers of resurgence.

Indeed, most technology shifts come in increments. Such is even the case with remote-access security, as you'll see when you read Joanne VanAuken's cover story on page 14. When you get right down to it, the only real difference between a remote user on a modem and a remote user on a VPN is his or her access method. Sure, the variety of options is increasing, but the security problems--authenticating users, limiting access to resources, monitoring users and troubleshooting--remain status quo.

Same Old Song

When I talk with readers at infosec conferences and meetings, I hear many of the same stories David Joachim found in interviewing consultants for his "10 Worst Security Practices" report in our issue. Companies neglect to set and enforce corporate security policies, or they don't re-evaluate their security approaches frequently enough and make essential tweaks, or they invest in expensive security technologies but leave half their features sitting on the shelf.

Vendors, meanwhile, often claim their products will solve 80 percent of your problems--the other 20 percent require other products. Truth is, though, I bet you could solve 80 percent of your security problems just by changing processes or leveraging existing features.

Let me guess: You run Microsoft Active Directory, but you don't use the directory structure to organize users into logical groups so AD and external applications can apply access control based on group membership. You lump users into the local admin group on desktops. You set your perimeter firewall to limit access from the external network to internal resources, but not from the inside out.

It's time for us all to accept that there will probably never be some dramatic transformation, at least not when it comes to info security. No single technology and no single vendor will ever solve all our problems--we must start making the most of what we have. That's the only paradigm shift we can truly count on.Mike Fratto, Editor [email protected]