Security That Doesn't Get in the Way
I was on the road last week, attending the RSA security conference in San Francisco, which is a great place to run into colleagues. Afterwards, I visited Disneyland, which, despite being in the same state, is surprisingly far away. What do these places have in common? Security.
At the RSA conference, I saw a lot of people I know, which made me realize how much the information security field has grown and matured. In years past, you might occasionally run across a colleague, but it was a notable experience worthy of mention and remembrance. Now, it seems as if almost everybody goes, with all of them using Facebook, Twitter and Skype as the collaboration tools of choice. I caught up with people I hadn't seen in years (and didn't really expect to see again, in some cases) with practically no difficulty. Instant messaging kept me in touch with people over great distances despite the challenges of travel. What this means to me is that technology can really make life easier, and the world smaller.
In the old days, securing our data often meant sacrificing some measure of functionality. Skype and other instant messaging services were forbidden in the company because their peer-to-peer capabilities could lead to inadvertent or intentional information leakage, and various mobile applications were great sources of concern for a security manager. Now that I have implemented real security for mobile devices, I can support this business enabler and protect my company's intellectual property at the same time. I can rest easy (in a relative way) while enjoying the advantages of mobility.
At the RSA conference, I saw many examples of new security technologies designed to make life easier and safer. To me, that's what security should do. I believe that security doesn't have to get in the way of business, and some of the emerging technologies and concepts look like they will one day change the way we think about security controls. Instead of controlling data flow through a choke point, we can now look deep into the network packets to see what's inside, and react accordingly, diverting data, blocking malicious or unapproved content, or even scrubbing out and redacting confidential content. New tools allow us to perform forensic analysis to find hidden or deleted activities on our data devices, even if people or programs try to cover their tracks, without needing to know much about the underlying protocols. And new ways of thinking about, analyzing and modeling threats will soon help us target our countermeasures on the areas of greatest risk.
Disneyland has always struck me as providing a great example of my own philosophy of low-impact, high-effect security. With the use of extensive (but unobtrusive) surveillance, employee vigilance and awareness, and preparedness, Disney provides a safe environment for its customers without annoyance. I had an opportunity to attend a presentation by Disney's CSO at another RSA show a number of years ago, where he spoke about Disney's security awareness program. It was remarkably advanced, and it's still one of the best I've seen. And here at the park, my practiced eye can detect the presence of trained security staff everywhere, and I know the regular employees are also well trained and security-conscious, but they aren't getting in the way of visitors. From my point of view, they are doing it right.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.