As you can probably tell, I’ve been thinking a bit about security lately.
I don’t typically tend to dwell specifically on security because I really believe it should be treated as a key element of good design, not a focus area in and of itself. But I’d be remiss if I didn’t also consider security as a practice and the challenges it’s facing.
The IT ‘security’ industry is fundamentally broken for 2 historical reasons:
First, many organizations still approach security as an art (if you’re lucky) which is APPLIED TO a design after it’s been completed rather than an elemental PART OF the design.
Second, security is to IT what global warming is to politics: intentionally manufactured hysteria with the goal of motivating people to do what is common sense.
One of the most significant frustrations of my career has been the interplay between security and architecture. More accurately, the lack of it. Fingers could probably be pointed in multiple directions. Like networking, security is pretty often ignored by systems design teams until the last minute, or later. But in my experience, the security teams have become so inured to this state of affairs that they refuse to function any differently.
The end result? Systems architects and teams are forced to work with minimal security support (if they’re lucky they are able to get an interpretation of some vaguely worded security ‘standard’) and complete designs (or worse, products) are delivered to the security team for analysis at some gate. I could continue to go to seed on this point about overworked reviewers who simply can’t understand the ins and outs of a system including the constraints and true risks. What’s the typical response? One of two: a) bolting on a load of dis-integrated technologies that burden or break the solution, or b) tossing the solution back over the wall to the architects to start over.
A second great frustration throughout my career has been the constant tenor of the security discussion. On one level it’s difficult to fault security professionals and vendors for the constant doomsday approach to security topics. Security has to fight against human nature. There are a lot of things that common sense tells us we should be doing. We shouldn’t be pumping tons of crud into the atmosphere; I should be getting on the treadmill more often (and putting away the snacks, and…). Unfortunately it seems that when dealing with people, stating common sense isn’t enough, especially when it costs money, and the only way to get people to stop sitting on their proverbial hands and do the right thing is to manufacture an emergency.
The problem is that this approach now typifies the security industry as a whole, demanding ever more dramatic ‘emergencies’ to deal with the emerging and evolving nature of risk. In the end, the exhausted CIO and the architects who work for him are just tired of hearing it.
There’s another impact. This emergency-based approach undermines the creation of a sound and holistic enterprise architecture that can evolve over time to respond to emerging threats. Instead, the latest emergency only generates the funding to bolt on the latest and greatest security technology. In the end we get ossified environments (rather than flexible ones) which simply break when they’re presented with disruptions in the industry… just like the ones we’re going through today.
There has to be a better way…