Bruce Schneier, security technologist and CTO of Counterpane Internet Security, answers readers' questions about computer network defences and sloppy end users.
Q: Now that we've moved beyond the "security perimeter" paradigm for security, we seem to be stuck with impossible-to-manage solutions. What is your outlook for relief?
A: I think that the "death of the perimeter" is premature. Perimeter security defences are still valuable, and always will be. It's just that they used to be enough, and now they're not.
The firewall model of network security is based on the castle paradigm. The good guys are on the inside, and you build walls to keep the bad guys out. That worked pretty well when networks were largely self-contained and people worked inside them. Today, things are more complicated. The good guys are regularly on the outside, and the bad guys are inside. Even worse, you want the bad guys on the inside - just not doing bad things. So we have all sorts of solutions: intrusion detection systems, authentication services, VPNs and so on.
Instead of dumping the notion of a perimeter, we need a new paradigm. I think network security is like city security. In a city there are all sorts of perimeters: fences, buildings, rooms. People move in and out of those perimeters, depending on who they are. If you're a shopkeeper, you want everyone to be able to enter the store but only during business hours. And you want only employees to be able to open the door to the stockroom. I think the usability of products is the most critical Internet security problem right now, and I don't see much relief.
Q: Do you think "umbrella" security services - for example, directory services, identity management and user provisioning, single sign-on, transitive trust models - are ready for prime time?
A: Your question points to an interesting paradox in the computer world: Products are never ready for prime time until after they're widely deployed. In other words, it takes a healthy marketplace for a given technology before the problems shake out. Until they're deployed, we don't know what the problems are. We can't fix the technology until we start using it.
So no, I don't think that these services are ready for prime time. But I think we have to deploy them anyway. We need to break them in. We need to watch the bad guys attack them. And slowly, over time, they'll become more robust.
Q: While hardware and software security solutions abound, it seems like users are still the biggest security problem. How do organizations ensure that their people don't violate security?
A: Honestly, they can't. Computers and networks might be difficult to secure, but the biggest security vulnerability is still that link between keyboard and chair. People are sloppy with security; they choose lousy passwords, don't properly delete critical files, and bypass security policies. They're susceptible to social engineering, and they fall victim to phishing attacks. They misconfigure security hardware and software. They accidentally bring worms and Trojan horses into the network. In short, they're a huge security problem.
Education is part of the solution, but I'm not optimistic about radically changing people's behaviours. I would rather see technology that takes sloppy users into account. For example, there are e-mail encryption programs that automatically secure e-mail: The user doesn't have to remember to do it, and doesn't even have to understand what's going on. Managed security monitoring provides network security even in the face of sloppy users. These types of solutions assume that insecurity - especially user insecurity - is inevitable; they try to maintain security anyway. I don't think there's any other reasonable alternative.
Q: With the advances in technology such as intrusion prevention systems (IPSs), are people becoming obsolete in network security?
A: People are the biggest security problem, and they're also a critical security resource. Even though security products are getting better all the time, attackers are getting more sophisticated. IPSs are no different from intrusion detection systems or firewalls. They simply don't work without people.