One of the biggest complaints I hear about security is the associated operational overhead. IT personnel are constantly adjusting multiple technologies in an effort to provide access to the good guys while locking out the bad guys.
If you want to see a metric of this behavior in action, look no further than your network Access Control List (ACL) rules. ACLs in large organizations have several characteristics:
1. Few organizations cleanse their ACLs, so they get longer and longer all the time.
2. One ACL rule may be redundant to another.
3. One ACL rule may be in conflict with another.
4. Networking groups have dedicated staff who focus exclusively on ACLs.
5. ACLs can become so complex that they actually impact switching/routing performance.
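As an added illustration of points 2 and 3 (example code, not part of the original post), here is a small checker for first-match ACLs: a rule fully covered by an earlier rule with the same action is redundant, and one fully covered by an earlier rule with the opposite action is shadowed and in conflict. The rule format and the sample ACL are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches any protocol; otherwise "tcp"/"udp"
    src: str         # source CIDR
    dst: str         # destination CIDR
    ports: tuple     # (low, high) destination port range; (0, 65535) = any


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    if a.proto not in ("ip", b.proto):
        return False
    if not ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src)):
        return False
    if not ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst)):
        return False
    return a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]


def audit(rules):
    """Report dead rules under first-match semantics.

    Returns a list of (dead rule, kind, earlier rule that shadows it), where
    kind is "redundant" (same action) or "conflict" (opposite action).
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, kind, earlier.name))
                break  # first covering rule is the one that decides the match
    return findings


# Constructed sample ACL: 30 duplicates 10, 40 is silently blocked by 20.
ACL = [
    Rule("10", "permit", "tcp", "10.1.0.0/16", "10.2.0.10/32", (443, 443)),
    Rule("20", "deny",   "ip",  "10.1.0.0/16", "10.2.0.0/24",  (0, 65535)),
    Rule("30", "permit", "tcp", "10.1.5.0/24", "10.2.0.10/32", (443, 443)),
    Rule("40", "permit", "tcp", "10.1.0.0/16", "10.2.0.20/32", (22, 22)),
    Rule("50", "permit", "udp", "10.1.0.0/16", "10.3.0.0/24",  (53, 53)),
]

if __name__ == "__main__":
    for name, kind, by in audit(ACL):
        print(f"rule {name}: {kind}, shadowed by rule {by}")
```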
Is this the best we can do? No. ACLs were made for a simpler time when it was easy to identify the good guys from the bad. In today's threat landscape, ACLs belong in the Computer Museum alongside Token Ring and the VAX PDP-11.
I'm a firm believer in service-oriented networks, where security is layered on top of the basic switching and routing infrastructure, protects the network end to end, and is driven by business requirements, not security checkpoints.
Networking firms like Enterasys, 3Com, HP and Juniper get this, as do some VC-backed startups like Applied Identity, Identity Engines and Infoblox. Cisco gets it too but wants to control the whole enchilada. Since it owns most of said enchilada, this is understandable for financial reasons, but Rome is starting to burn.
My point is this: The world's bleeding-edge IT shops still manage security as if they were digging tunnels with spoons. This is pretty scary given how sophisticated the bad guys are.
The tech industry needs more cooperation from all participants as it has a moral and ethical obligation to address its antiquated security defenses and protect its customers ASAP. Am I the only one with this opinion?