Security Roundtable - Page 2

The Other 90 Percent

Coffee: What's the other 90 percent of the problem?

Paller: It's the configuration of the systems. We're about to come out with the first draft of a step-by-step guide to securing Oracle, and we're having a terrible time trying to make it short enough so that we can publish it.

Coffee: This would be along the same lines as the joint report you released with the FBI, showing the default installation configurations and the known vulnerabilities they create are perhaps the largest problem out there?

Paller: I think it's probably the biggest problem, yes.

Davidson: Alan, if you don't mind my interrupting, if you would send me that document, I promise that I will take a hard look at that, and, wherever possible, we will try to change the default configurations to make it much easier to be secure out-of-the-box. We're already doing that, and I would welcome your input.

Paller: Absolutely. I'll be happy to share it with you.

Coffee: Ed, I haven't put you on the spot on this question yet, but is there anything you'd like to throw into the pot on the general question of the level of willingness to acknowledge the existence of a security problem, either inside or outside the vendor organization?

Glover: I focus more on talking to customers, and what we're finding is that customers are a lot more aware of the security issues out there. What I'm finding from that point is that they're not sure where to start. They're having a lot of difficulty trying to figure out what to do.
I think it's great in a lot of ways that the vendors are putting more emphasis on security. I think more people are feeling that [they should] come out with default security in their products, which is terrific, and I support that 100 percent. But, really, at the end of the day, when people integrate these [configurations] into their environments without really understanding the true risk and understanding the vulnerabilities, a lot of times they open things up. We find that all the time in our assessments--that people take what is installed as good security and kind of make it bad security. People aren't really educated on what good security is about. They recognize there's a problem, they understand there's a problem, but they're not sure how to approach it.

Coffee: Alan, what's your assessment of the investments that enterprise organizations are demonstrating a willingness to make in training and, for that matter, just hiring enough people to do the security job correctly?

Paller: My sense is that that's a new willingness—that the shift after Sept. 11 has been from security being a job for the security department to security being a job for the operations people. As soon as they figure out that every network administrator and every system administrator actually has to know this stuff, they're beginning to invest in reasonably large numbers in getting these people trained. Until the recession started, most of our courses were sold out. Through the recession we had lots of space, but this month we've gotten back to over half of all of our programs being sold out again.

Coffee: So, as IT spending rises, you're anticipating that security will be one of the big beneficiaries of that?

Paller: Yes. Sadly, too much of that money is going into studies and not enough into actually locking down systems.

Coffee: Let me elevate the discussion about 10,000 or 20,000 feet: Is the core technology of the Internet securable?

Paller: There have been meetings as high up as you can go in the country on exactly that topic, and the general conclusion is that, although in the short term you can do some good things, there are some fundamental changes that have to take place. By the time it's all adopted, we're a decade away.

Coffee: So we cant solve the problem with even massive initiatives like the .Net Framework, in its effort to provide a secure runtime environment for Microsoft services, for example?

Paller: But every one of these steps is a wonderfully important step. I don't want to belittle anything.

Coffee: Ed, Sun has been part of the core technology of the Internet since before it was a publicly aware topic. What do you view as the things that Sun is trying to do to deal with these core technology issues?

Glover: As Sun continues to come out with new technologies, security is an extremely key part of its vision and how to address it. We're dealing with a lot of inherent issues that are going to be extremely difficult to solve, just because it's an afterthought, and any time you think of security as an afterthought it's always going to be a problem. Sun has tried to take a leadership role in this, and tried to identify the security that needs to be implemented and built into the products. [We're] working with our vendors and our partners and our suppliers and everybody out there in trying to make sure that security is addressed properly.
The biggest thing I see out there as a problem is that, a lot of times, everybody is kind of going in various directions and trying to get standards and things agreed upon, and that's still going to pose a major problem in the future.