All I want for Christmas...

Security wish list

Mark Rasch takes a step back and offers his holiday and New Year's wish list of all things security - items that should exist, be made available and be easy to use for everyone over the coming year.

It is traditional this time of year for people to make lists of what they want for the holidays. You know, a Nintendo Wii, a PS3, a Treo 700p... depending on whether you have been naughty or nice (I hope you all are taking notes). But for the information security-minded, I have developed my own personal wish list of technologies and applications which, as both a lawyer and an information security professional, I would like to see both developed and implemented in the coming year. Now, I know that individual aspects of these technologies actually already exist - some of them for many, many years. And I know that niche products may meet some or all of the goals I want to achieve here. I welcome comments about how a particular technology may meet the needs. What I want for Christmas (or Hanukkah, Kwanzaa, Eid, or whatever) is a solution that works seamlessly and with no user input. So here is my Christmas list:

1. Easy encryption

Let's face it, communications and files are not secure. What I want is to send an e-mail just the way I always do: look up an address (or click on a link, or retrieve a stored address) and have it sent in a way that cannot be intercepted, read or interfered with by anyone other than the intended recipient. Oh, and authentication of both the sender and receiver would be nice as well, so I can block spam more easily, and so the recipient can know the mail came from me. I want this done with little or no overhead costs, and no user input. I just want to send secure e-mail.

The files on my computer also should be encrypted seamlessly and effortlessly. In other words, when (note I say when, and not if) I lose my laptop computer, I want to know that the only thing they got that was useful was the hardware itself: no data, and I mean absolutely no data, should be compromised. Imagine if the Veterans Administration had something like that. Yeah, I know RSA and PGP have programs that do this, and that Vista will do the same thing, but I want it to be idiot-proof, or at least idiot-resistant. I want the stuff scrambled without my input. So much for data breach notifications.

On the other hand, as an administrator, manager or compliance officer, I want to be able to monitor everything going on inside the company. I want free range (with appropriate auditing) to look at any files within the company I need to see. Nobody said this was going to be easy or even possible. Remember, as Ralph Waldo Emerson said, a foolish consistency is the hobgoblin of little minds.

2. Know what you know...search for the rest

I can conduct a Google search of a few billion web pages in about 3.2 seconds, including the use of boolean searches, keyword searches, and other kinds of searches to find relevant information. But, as a lawyer and litigator, if I get a document request in discovery for "all documents relating to the Jones contract," it takes months to sort through all the files in the company and index them to find the right documents. In fact, most companies see the process of inventorying, collating and examining documents as a necessary evil in preparation for, or in response to, litigation or threats of litigation.

What this means as a practical matter is that the company is spending money and resources to help out the person suing them to learn what happened in a particular transaction or series of transactions. This is silly. What a company should be able to do is to conduct a search of all documents (oh, and I mean all documents: documents, spreadsheets, e-mails, instant messages, chat sessions) within the company (on every desktop, laptop, and server anywhere in the world) no matter how they are maintained or where they are stored (iPod, thumb drive, and so on). It should be able to find these documents long before, and irrespective of, any litigation.

The law presumes that a collective entity known as a company, a partnership, or a government agency knows everything that any part of that entity knows. So if Employee X in Chicago knows one thing, and Employee Y in Santiago, Chile knows something else, then the Company knows both things. We all know that this presumption is absurd. The problem is, as a decision maker, you should have the ability to at least find the information that is collected within the IT systems of the company as easily as you could find a decent pair of tennis shoes. Moreover, you shouldn't wait for a lawsuit to do this. It is important to know what you know as you are making decisions, not afterwards.

Of course, this would require not only indexing and searching every bit of digital information within the enterprise, but also deciding in advance who would have the authority to search for these files, and for what purposes. Oh, and remember where I said above that everything in the company would be encrypted? Again, consistency is not essential here; we are talking Santa Claus today. This is a wish list. If Santa can fit down the chimney of my gas-powered fireplace, surely he can do this.
