Of course, which is why it is not uniformly done. Yes, it can be mitigated with additional hardware, but it's not a zero-cost option. (Plus, the extras add complexity, which is also a source of security vulnerabilities...)

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…

On Sun, Dec 22, 2013 at 9:59 PM, Webster <webs...@carlwebster.com> wrote:

> Just asking but wouldn’t encrypting ALL traffic from/to every source/destination kill performance?
>
> Thanks
>
> Webster
>
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Andrew S. Baker
> Sent: Sunday, December 22, 2013 8:54 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] RE: 40 Million CC breach at Target....
>
> >> OTOH, if we did use colo - and I'm pushing it for backups/DR/BC - it'll be on machines that have encrypted file systems, using encrypted links, and it'll be monitored at least as well as the internal infrastructure.
>
> What do you believe that monitoring will do for you as it relates to this discussion?
>
> So, you're going to encrypt *all* traffic of every type from the machines? More power to you if you manage to pull it off, but most orgs don't make that trade-off until forced.
>
> I'm not implying that it is undesirable to provide full encryption. I'm suggesting that there are often business objectives/decisions that preclude it except in the Utopian realm of online discussion.
>
> Are you encrypting all of your traffic today?!?
>
> Are you using any Data Leak Prevention technologies today?
>
> Have you forbidden all wireless access to your network today?
>
> Just asking/saying...
>
> ASB
> http://XeeMe.com/AndrewBaker
> Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…
>
> On Sun, Dec 22, 2013 at 9:44 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>
> > On Sun, Dec 22, 2013 at 11:33 AM, Andrew S. Baker <asbz...@gmail.com> wrote:
> >
> > > Kurt, half of your points also apply to 3rd party infrastructure hosting (co-location, etc), and unless you're providing your own telecom services, or encrypting the data end-to-end, there is always a huge reliance upon 3rd parties.
> >
> > Yes, my objections do apply to 3rd party infrastructure hosting. Our business doesn't colo, and we have IPSec tunnels between our offices - I'm also pushing for a second ISP. We have an internal PBX. Yes, everyone relies on 3rd parties to some degree. It's the nature of the world - after all, I can't manufacture the computers on which the business runs.
> >
> > OTOH, if we did use colo - and I'm pushing it for backups/DR/BC - it'll be on machines that have encrypted file systems, using encrypted links, and it'll be monitored at least as well as the internal infrastructure.
> >
> > > >> One can argue that public cloud providers are better at IT operational security than most internal IT staff.
> > >
> > > There's no argument: Most internal IT teams lack knowledge and/or resources for adequate security when compared with cloud providers. Perform enough security assessments of different types of organizations and the patterns will become very, very clear.
> >
> > Except when suborned or perverted by money, patriotism or blackmail:
> >
> > http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
> >
> > > If your argument is that internal is always safer than cloud, then you have to remember that many cloud systems *are* in fact internal to someone. Just remember: Amazon's cloud infrastructure is internal to Amazon.
> >
> > Amazon's cloud is external to its customers - Amazon's staff, procedures and infrastructure are a risk to its customers. I don't argue that internal is always safer - but it's incontrovertible that 3rd parties add risk, because the more complexity you add to any situation, the more risk there is - if for no other reason than that there's more chance for things to go wrong. Whether the 1st party is competent is a different matter, and one that's more tractable a problem than 3rd party risk, IMHO.
> >
> > Kurt