Mary Ann, Oracle CSO kirjutab niimoodi:
I was reminded in a frightening way recently that people worship new technology without in many cases either analyzing what problem it solves or whether the benefits are worth the risks. Specifically, I recently heard a highly placed official in the Department of Defense opine about the fact that DoD wants to embrace Web 2.0 because (to paraphrase), “We need to attract and keep all these young people and they won’t work here if we don’t let them use Facebook in the workplace.” What are people going to use Facebook for in the Defense Department, one wants to know? <”Hi, my name is Achmed and I am an Al Qaeda operative. I like long walks on the beach and IEDs. Will you be my friend?” I don’t think so.>
The official went on to say that industry really needed to secure all these Web 2.0 technologies. At that point, I could not contain myself. I asked the gentleman if the Department of Defense was planning on taking container ships and retrofitting them to be aircraft carriers, or buying Lear jets and making them into F-22 Raptors? No, he said. Then why, I offered, does DoD think that the IT industry can take technologies that were never designed with security in mind and “secure them?” Why is IT somehow different that we can, ex post facto, make things secure that were never designed for the threat environment in which they are now deployed?
Your “tools” need to be designed for the environment in which they are going to operate. If they aren’t, you are going to have trouble my friend, right here in River City (with apologies to Meredith Willson). To put it even more succinctly (more apologies to Meredith Willson): “You gotta know the territory.” Meredith Willson was not writing about security when he wrote The Music Man, but “you gotta know the territory” is as succinct a description of a security weenie’s responsibilities as ever there was.
Mind you, I understand that the idea of collaboration is a powerful one and, if it is appropriately secure, can be a powerful construct. We read, for example, that the intelligence community has created an internal Web 2.0 construct called Intellipedia (along the same lines as Wikipedia). It makes sense that, instead of having one expert on, say, Syrian antiaircraft defense, that that person’s knowledge can be written down and accessed by others. In a way, that kind of collaboration facilitates “legacy” because someone who knows something valuable can share it with others far more easily than through one-on-one oral transmission. But there is a big difference between “let’s embrace collaborative constructs” and “let’s allow insecure and unsecurable Web 2.0 technologies into a classified environment.”
The key to the new is remembering the universal truths of old – legacies. This is particular true in security in that, while the attack vectors may change as the technology does, there are principles of security that do not change (“trust, but verify” works just as well for IT security as for arms control).
Suurepärane artikkel, soovitan soojalt lugeda.