Securing infrastructure
Today was my first day at BlackHat. Despite the early hour, the opening keynote by Douglas Merrill, COO of EMI Recordings, Inc., brought in a decent number of people.
While the message that the speaker was trying to get across was not entirely clear to me, I was able to come away from the talk with some ideas that are forming. One observation made by Merrill was that end-point security may not always be desirable, or even possible. The example quoted was that of Google, a previous stop on his career path before ending up in his current position. At Google, software engineers are allowed to run whatever operating system they feel enables them to perform the job the best, and developers are empowered to be full local administrators on their machines.
Most CISOs in corporate environments would cringe at the thought of allowing such a growth of different end-points, and the compliance nightmares would never end. Enabling end-users to do whatever they feel like, however they feel like doing it, also brings with it a number of information security challenges. Most, if not all, of these challenges can only be addressed by one strategy: do not trust your end-points any more than you would trust a random user on the Internet. Taking the approach of viewing endpoints as inherently insecure forces organizations to build security into their infrastructure, rather than in their endpoints.
We see very similar scenarios in the higher education arena. Most faculty are self-governing and autonomous, and most employees are full administrators on their own machines. Does this mean that these machines are inherently more insecure? Yes, it does. Our operating systems and the software that we use on a daily basis are simply not good enough to be treated like a toaster. They need regular maintenance and supervision, and that requires skill. However, if we can shift a lot of that maintenance and supervision away from the endpoints and into our infrastructure, we may get much better leverage of our security dollars.
Securing and hardening our infrastructure also has an added benefit: by trusting endpoints on your network as much (or as little) as endpoints on the Internet, the organization's reliance on border security as the primary line of defense will decline, and businesses will be in a position that will enable them to adopt new technology models, such as cloud computing, much more easily.