Security by design
January 17, 2008
TaoSecurity published, a few days ago, an article about Defensible Network Architecture 2.0.
The main idea of the article is to start monitoring, getting a deeper understanding of a network or a complex system, and then proceed to securing it. While I think the article itself is very insightful, there's something I must note: there is no Design. That's something happening more and more in the real world: the absence of design. Networks start small, they grow bigger and bigger as months pass, and no one has a clue what's happening. I'm not speaking about single hosts, firewall configurations and so on: I'm speaking about the role of IT in the organization.
If you want to claim the infrastructure, one can say, you have to understand how it works. I disagree. You need the why before the how.
If you want real governance - and security demands such governance - you shouldn't monitor what's already there and then start thinking about security. You have to think: what kind of services does my business need? What's really important, and what's not? Only when you have such knowledge of the purpose of IT in your organization can you start monitoring, inventorying and controlling. Designing!
We need to get design back: complex infrastructures are simply getting out of control without proper guidance, and there's no such thing as a "quick solution".

2 Comments:
At 18 January 2008 12:28
I agree with your article, but from a quick reading my first impression is different.
Richard is talking about his way of "taking security" to a customer.
He's a consultant, so he doesn't have to design the IT infrastructure; his work is to improve the security of an existing network.
So, as you say in the title, security must come from design, but the world is not perfect, so what can we do if we have to improve an existing situation without redesigning it?
I don't have experience but I think something can be done to improve an existing situation, but I don't think it's a "quick solution", only a less intrusive one (from a user/customer point of view).
At 18 January 2008 15:14
Hello Fabio, nice to hear from somebody from BEST (supposing he's not a homonym of yours).
I think you got the point about "taking security to the customer", but that's exactly what I'm advocating: today companies rely more and more on consultants to "do security". As a consultant, what you usually do is - more or less, and only if you want to do your job properly - what Richard is describing.
What I argue is that even as a consultant - or as the internal project manager - you have to take design back into account. We need long term projects, not quick fixes or "low impact" plans.
Security is a process, usually a long and painful one too. What I know from my job as a Sec. consultant is that there are infrastructures so poorly designed that you really have to go back to design. Otherwise... it's just "patching sugar", and we can't afford it anymore, not in net 2.0.
The sooner the enterprise gets the idea, the better.