2000-01-27-16:22:18 It's The Zoooomer:
> Not to mention the time taken to rebuild everything
> that the hacker went in and changed so it doesn't
> happen again.
A big point to add to the "assets to protect and costs of failing to
protect 'em" side of the ledger, thanks!
> So basically IT DOES come down to MONEY, TIME, EFFORT...
... and CONVENIENCE. With enough time and effort (which translate to
money:-) you can give users adequate security for some situations
without any inconvenience on their part. For the very highest
security they have to be prevented from using some apps. And some
apps can be allowed with good security, but only by investing in
additional effort to make them secure.
One way to greatly stretch the envelope, getting far better security
without visible hits on user convenience, is to analyze their needs
and use patterns in detail. This will often let you tighten down
servers a great deal, and if you additionally migrate critical data
and code that have been allowed to live on desktops for historical
reasons, move it to secured servers, you can sometimes make a win.
Add highly automated periodic auditing of desktop workstations and
you can approach high security without eliminating apps, sometimes.
This sort of exercise is where some advanced tools can be a big
help. A secure desktop OS is a critical component; without it you're
just banking on no intruder having a clue. Strong internal auth
is a major help. Kerberos, or some other cryptographically strong
distributed single-signon solution can be a big help. If we had a
desktop OS that could be flexibly configured to sandbox apps, that
would be an enormous help. But these fantasies all lie in the area
where I like to spend most of my time, where you have an effectively
infinite budget of time and effort to invest in getting terrific
security with minimal inconvenience.
-Bennett
PGP signature
