Security, Privacy Should Never Be a Design Afterthought

By Fahmida Y. Rashid  |  Posted 2011-11-13

Stephanie Balaouras, a principal analyst and research director at Forrester Research, put it a little differently at a recent press event, noting that no one designs an airplane without thinking about security at the start of the design process. "It sounds crazy to deploy and then think about security, but that's what is happening in many organizations," Balaouras told eWEEK.

Related to security, Pfleeger said the second erroneous perception was the idea that privacy could also be added back in afterward. Organizations are under pressure to get the service or product off the ground and get people interested in order to build buzz, he said. While he called out Facebook as one of the culprits of this kind of thinking, he said other social media sites and organizations were guilty of the same. Facebook is the poster child only because it happens to be one of the largest examples, he said.

Many security professionals say that encryption solves all security issues, but in actuality, that expectation is "overrated," Pfleeger said. While protecting the data is important, the reality is that there are problems with implementation, leaving data unprotected. Organizations also have difficulty managing the keys effectively, such as storing them in insecure locations, or not knowing where the keys are after essential employees leave the company.

It's very common to pick one product or technology and claim it is a cure-all, Pfleeger said. Antivirus, intrusion-prevention systems and network tools are all good, but none of them can do it all, he said. Security tools that are effective generally tend to be very specialized, which means no single tool can be a "silver bullet" capable of handling all kinds of security threats. Organizations have different environments, risk levels and requirements, which means different products will address different needs.

Many executives believe that security has to be perfect, "or it's not even worth talking about," Pfleeger said. This puts the contractor in a quandary, because it isn't possible to counter all threats, but that isn't what the client wants to hear, he said. A related myth is the idea that security is easy and "we can do it ourselves."

Pfleeger used another building analogy, noting that he could probably do some aspects of construction, but he doesn't. He "lets people who have done it many times and know what they're doing" take care of the job.

To counter these misconceptions, Pfleeger recommended that IT and security professionals think like an attacker so they can learn about systems and potential threats. They should recognize the limits of technology and work accordingly and counter the erroneous notions and myths about security when they come across them, he said.
