When it comes to security, we have met the enemy and it is most definitely us.
That concept may be hard to swallow for a lot of people in IT, given the fact that they spend a large percentage of their time thwarting attacks from both outside and inside their company. But the truth is the circumstances that have let this situation come about are directly related to the weak infrastructure that is in place today and the inability to effectively manage end-user access to strategic resources.
The latter issue has been addressed in recent months with a wave of identity-management offerings solving two key issues that let security holes grow big enough to drive trucks through. Managing end-user access and authorization is an expensive proposition for IT organizations.
And with hundreds and sometimes thousands of applications, it's easy to miss the fact that someone is no longer with the company and that their password has been commandeered by some intruder.
Among the companies trying to solve this problem are Tivoli Systems Inc., Sun Microsystems Inc., Oblix Inc., Netegrity Inc., Novell Inc., Waveset Technologies Inc., and OpenNetwork Technologies Inc. As usual in IT circles, the less you have heard about the company the more robust the solution. But no matter what offering you pick here, the task of managing end-user access and authorization across a broad swath of applications is steadily getting easier, which in turn will help close one of the most glaring security holes in any enterprise.
Less obvious a problem is the weakness of the existing IT architecture. Like the Internet itself, nothing in the enterprise was designed to work with anything else. So every point of integration creates an opportunity for exploitation. To deal with this issue, we have invested billions of dollars in firewalls, intrusion detection systems, and anti-virus software. Security professionals liken this approach to building a house with steel doors and paper walls because there are so many ways around these products. In layman's terms, this is like treating an insidious cancer with aspirin. You may get some temporary pain relief but you're still going to die.
To deal with this problem we are going to have to invest in new hardware and software systems that are designed to check how trustworthy each application is, and how much access should be handed to any specific user at any given time. And based on new technology, starting with Itanium processors that leverage Very Large Instruction Words and trusted computing models, we can actually get this done.
No doubt this will be costly, but it's no longer about trying to thwart the amateur efforts of high school hackers. Now it's about preventing well-trained terrorists from invading systems and wreaking all kinds of life-threatening havoc. And interestingly enough, you'll find that the cost of the new infrastructure is probably going to be less than you would spend on myriad security point solutions during the same five-year period. So here's what the real goal should be when it comes to security: Eliminate the problem altogether with a real cure, rather than spending millions of dollars vainly treating the symptoms.