<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: It Doesn&#8217;t Matter How Many Raindrops There Are, It is All About How Wet You Get</title>
	<atom:link href="http://blogs.gartner.com/john_pescatore/2009/03/26/it-doesnt-matter-how-many-raindrops-there-are-it-is-all-about-how-wet-you-get/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.gartner.com/john_pescatore/2009/03/26/it-doesnt-matter-how-many-raindrops-there-are-it-is-all-about-how-wet-you-get/</link>
	<description>A member of the Gartner Blog Network</description>
	<lastBuildDate>Sat, 04 Feb 2012 17:10:54 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
	<item>
		<title>By: Naithan</title>
		<link>http://blogs.gartner.com/john_pescatore/2009/03/26/it-doesnt-matter-how-many-raindrops-there-are-it-is-all-about-how-wet-you-get/comment-page-1/#comment-840</link>
		<dc:creator>Naithan</dc:creator>
		<pubDate>Tue, 31 Mar 2009 03:36:52 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.gartner.com/john_pescatore/?p=443#comment-840</guid>
		<description>It&#039;s all about acceptable risk. The sky falls daily and then the sun shines again. A big bad breach happens, we all cry and hug, spend money, and then forget until the next one. That&#039;s the cycle. Acceptable risk is business specific. FUD helps no one. Mainly because FUD is reactionary. It is just irresponsible to practice risk in a reactionary manner, as if you are managing server availability. This is where IT sec has to be understood as a business practice much more so than its other IT counterparts. If FUD is used to drive awareness and culture then we have all lost. FUD isn&#039;t even the point anymore, or at least it should be, because IT Sec is a mature practice now.</description>
		<content:encoded><![CDATA[<p>It&#8217;s all about acceptable risk. The sky falls daily and then the sun shines again. A big bad breach happens, we all cry and hug, spend money, and then forget until the next one. That&#8217;s the cycle. Acceptable risk is business specific. FUD helps no one. Mainly because FUD is reactionary. It is just irresponsible to practice risk in a reactionary manner, as if you are managing server availability. This is where IT sec has to be understood as a business practice much more so than its other IT counterparts. If FUD is used to drive awareness and culture then we have all lost. FUD isn&#8217;t even the point anymore, or at least it should be, because IT Sec is a mature practice now.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Rob Lewis</title>
		<link>http://blogs.gartner.com/john_pescatore/2009/03/26/it-doesnt-matter-how-many-raindrops-there-are-it-is-all-about-how-wet-you-get/comment-page-1/#comment-833</link>
		<dc:creator>Rob Lewis</dc:creator>
		<pubDate>Mon, 30 Mar 2009 12:17:27 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.gartner.com/john_pescatore/?p=443#comment-833</guid>
		<description>Well, I hope that you will find some value in a technology that does resolve the vast and largely unresolvable difference between security policies and business rules.

With our solution, the business rules ARE the security policies. The example you gave could be handled in a straightforward manner with a few rule changes, by changing any parameter for inclusion into a certain user group, and with a simple deny access rule to your South American reseller.</description>
		<content:encoded><![CDATA[<p>Well, I hope that you will find some value in a technology that does resolve the vast and largely unresolvable difference between security policies and business rules.</p>
<p>With our solution, the business rules ARE the security policies. The example you gave could be handled in a straightforward manner with a few rule changes, by changing any parameter for inclusion into a certain user group, and with a simple deny access rule to your South American reseller.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: John Pescatore</title>
		<link>http://blogs.gartner.com/john_pescatore/2009/03/26/it-doesnt-matter-how-many-raindrops-there-are-it-is-all-about-how-wet-you-get/comment-page-1/#comment-832</link>
		<dc:creator>John Pescatore</dc:creator>
		<pubDate>Mon, 30 Mar 2009 11:28:04 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.gartner.com/john_pescatore/?p=443#comment-832</guid>
		<description>That authorization component hasn&#039;t been missing - what today we call Web Access Management has long had that capability. Many of them would use logic to try to implement business rules of the sort &quot;Platinum resellers are allowed this level of access, Gold only this level.&quot; Today there are efforts to capture this logic in XML syntaxes and schema, but I don&#039;t think that is the biggest part of the problem.

The major issue is the vast and largely unresolvable difference between security policies and business rules. For example, at 0900 today the business could decide that the line between Gold and Platinum changes from $100k sales/month up to $150,000 because there are too many Platinum resellers. Oh, and that reseller in South America has been screwing us on large deals, so they will still not be allowed access to this area...

That&#039;s why I always draw a major distinction between &quot;Let the Good Guys In&quot; and &quot;Keep the Bad Guys Out&quot; - major different drivers.</description>
		<content:encoded><![CDATA[<p>That authorization component hasn&#8217;t been missing &#8211; what today we call Web Access Management has long had that capability. Many of them would use logic to try to implement business rules of the sort &#8220;Platinum resellers are allowed this level of access, Gold only this level.&#8221; Today there are efforts to capture this logic in XML syntaxes and schema, but I don&#8217;t think that is the biggest part of the problem.</p>
<p>The major issue is the vast and largely unresolvable difference between security policies and business rules. For example, at 0900 today the business could decide that the line between Gold and Platinum changes from $100k sales/month up to $150,000 because there are too many Platinum resellers. Oh, and that reseller in South America has been screwing us on large deals, so they will still not be allowed access to this area&#8230;</p>
<p>That&#8217;s why I always draw a major distinction between &#8220;Let the Good Guys In&#8221; and &#8220;Keep the Bad Guys Out&#8221; &#8211; major different drivers.</p>
]]></content:encoded>
	</item>
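The tier-threshold and deny-the-reseller scenario in the comment above, written out as an added example (editor's code, not John Pescatore's, Gartner's, or any vendor's product mentioned in this thread). It assumes a toy policy model in which the Platinum threshold and the deny list are data on a Policy object rather than logic in code, so the 0900 decision is a parameter change; the reseller names, regions, sales figures and resource names are constructed for illustration. Explicit deny is evaluated before any tier grant (deny-overrides), which is the "Keep the Bad Guys Out" driver sitting in front of the "Let the Good Guys In" one.

```python
"""Added example: business rules as authorization data, not code.

Tier membership is derived from sales at decision time, so raising the
Platinum threshold re-tiers everyone on the next request, and an explicit
per-reseller deny wins over anything the tier would otherwise grant.
All names and figures are illustrative assumptions."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Monthly sales (USD) needed to be treated as Platinum; a parameter,
    # so the business can move it without a code change.
    platinum_threshold: int = 100_000
    # Which resources each tier may reach (constructed resource names).
    tier_resources: dict = field(default_factory=lambda: {
        "platinum": {"pricing", "roadmap", "deal-desk"},
        "gold": {"pricing"},
    })
    # Resellers barred outright, regardless of tier.
    denied_resellers: set = field(default_factory=set)


@dataclass
class Reseller:
    name: str
    region: str
    monthly_sales: int


def tier_of(reseller, policy):
    """Derive the tier from sales at decision time (not stored on the user)."""
    if reseller.monthly_sales >= policy.platinum_threshold:
        return "platinum"
    return "gold"


def decide(reseller, resource, policy):
    """Return (allowed, reason). Deny-overrides: an explicit deny is checked
    first, so a reseller cannot regain access just by hitting the number."""
    if reseller.name in policy.denied_resellers:
        return False, "explicit deny"
    tier = tier_of(reseller, policy)
    if resource in policy.tier_resources.get(tier, set()):
        return True, f"{tier} grants {resource}"
    return False, f"{tier} does not grant {resource}"


def run_scenario():
    """Replay the comment's 0900 decision against constructed resellers."""
    acme = Reseller("Acme", "NA", 120_000)        # Platinum at 100k, Gold at 150k
    sur = Reseller("SurSales", "SA", 400_000)     # comfortably Platinum by sales
    policy = Policy()

    before = decide(acme, "roadmap", policy)[0]   # True: 120k meets 100k

    # 0900: the line moves to 150k and the South American reseller is denied.
    policy.platinum_threshold = 150_000
    policy.denied_resellers.add("SurSales")

    after_acme = decide(acme, "roadmap", policy)[0]   # False: now Gold
    after_sur = decide(sur, "pricing", policy)[0]     # False: denied despite 400k
    return before, after_acme, after_sur


if __name__ == "__main__":
    print(run_scenario())
```

The point the code makes is that both halves of the 0900 decision touch only the Policy object: nobody edits the authorization code, and the deny is not expressible as "set sales to zero", because the deny list is evaluated before the tier is even computed.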
	<item>
		<title>By: Rob Lewis</title>
		<link>http://blogs.gartner.com/john_pescatore/2009/03/26/it-doesnt-matter-how-many-raindrops-there-are-it-is-all-about-how-wet-you-get/comment-page-1/#comment-807</link>
		<dc:creator>Rob Lewis</dc:creator>
		<pubDate>Fri, 27 Mar 2009 19:23:45 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.gartner.com/john_pescatore/?p=443#comment-807</guid>
		<description>I think that part of the problem in achieving that balance is the disconnect between the language of business operations and resulting rules, and that of IT security policies.

I think what is needed post authentication is an authorization component that has traditionally been missing, and for that authorization component to be successful, it should incorporate the language and rules of business operations.</description>
		<content:encoded><![CDATA[<p>I think that part of the problem in achieving that balance is the disconnect between the language of business operations and resulting rules, and that of IT security policies.</p>
<p>I think what is needed post authentication is an authorization component that has traditionally been missing, and for that authorization component to be successful, it should incorporate the language and rules of business operations.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kevin Rowney</title>
		<link>http://blogs.gartner.com/john_pescatore/2009/03/26/it-doesnt-matter-how-many-raindrops-there-are-it-is-all-about-how-wet-you-get/comment-page-1/#comment-797</link>
		<dc:creator>Kevin Rowney</dc:creator>
		<pubDate>Thu, 26 Mar 2009 19:00:19 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.gartner.com/john_pescatore/?p=443#comment-797</guid>
		<description>This is an excellent response to the recent outbreak of blog posts claiming the info-sec sky now falls.  There are plenty of reasons to be optimistic and it&#039;s just basic realism to embrace the manageable risks that come together with the huge benefits of information technology.

And anyway, it&#039;s just never productive to forecast maximum doom.  Like John Dutra at Sun says, &quot;The quickest way to become irrelevant in any conversation is to say &#039;the sky is falling&#039;.&quot;  

Of course, there is plenty of room for improvement.  Breach rates are high and rising.  Malware capabilities are advancing rapidly.  There are many skirmishes between enterprises and bad guys where the bad guys come out on top.

I remain optimistic because of: A) ongoing new advances in technical capabilities, and  B) new trade-craft; that both point towards a future where the rising tide of breach events can be stemmed and where the malware-driven perimeter incursions can be kept to a tolerable level of damages relative to the (enormous) benefits that a connection to a network provides.</description>
		<content:encoded><![CDATA[<p>This is an excellent response to the recent outbreak of blog posts claiming the info-sec sky now falls.  There are plenty of reasons to be optimistic and it&#8217;s just basic realism to embrace the manageable risks that come together with the huge benefits of information technology.</p>
<p>And anyway, it&#8217;s just never productive to forecast maximum doom.  Like John Dutra at Sun says, &#8220;The quickest way to become irrelevant in any conversation is to say &#8216;the sky is falling&#8217;.&#8221;  </p>
<p>Of course, there is plenty of room for improvement.  Breach rates are high and rising.  Malware capabilities are advancing rapidly.  There are many skirmishes between enterprises and bad guys where the bad guys come out on top.</p>
<p>I remain optimistic because of: A) ongoing new advances in technical capabilities, and  B) new trade-craft; that both point towards a future where the rising tide of breach events can be stemmed and where the malware-driven perimeter incursions can be kept to a tolerable level of damages relative to the (enormous) benefits that a connection to a network provides.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

