I have watched with fascination the flow of postings on the subjects of NT,
hardened OS and related subjects. I have only been in the business 30 odd
years, so there is much I still don't know and much more probably than I have
time to learn. One thing I did learn very early on is that there is no such
thing as total elimination of risk. Therefore, risk management is a process
of trade offs to achieve an acceptable level of risk reduction. That also
implies 'affordable' but there are so many ways of measuring 'affordable'.
From watching postings here and on other groups, 'affordable' seems to mean
low visibility cost at time of acquisition. For example, I have seen
firewall systems where very little software was purchased and special cables
were built in the MIS department, so that the visible cost of the firewall
was only a few $K. That looks pretty cheap until you cost up all the labour
and 'diverted' hardware it took to painfully build the firewall and all the
labour it then takes to keep it running. When you start pulling those costs
into the equation you can very rapidly find that it would have cost less to
hire the greediest (well maybe that's a rash statement) consultants, buy
commercial firewalling products, or even use a set of TCSEC/ITSEC certified
products. The other aspect is the cost to the corporation of having a large
part of its MIS department playing firewalls for months. OK it may be that
the department is grossly over staffed with over qualified engineers and
scientists and this has had no impact at all on the rest of MIS operations,
but if you disclose the location of this facility your Human Resources
department will get buried under applications for jobs. OK it's also possible
that your scientists and engineers know far more about security and risk
containment than any vendor will ever know, but that's pretty unlikely also,
or you would have been out there selling those skills at a good profit and
out 'Bill'ing 'Bill'.
As I am old enough to remember (well on a good day when senility is less
pronounced) the days before packaged software and clone hardware, I have
heard most of these arguments before. There were computer scientists and
professionals who tried to make the case for proprietary product and those
who believed that only they had the skill to produce a reliable product with
the aid of source code. Of course most of us ignored them and went out to
buy ever cheaper packages anyway. In terms of risk management, it raises
some interesting debating points. The general wisdom still applies to
information systems as with anything else, "you don't get something for
nothing", or "you get what you pay for". In this world, nothing which is
within the wit of man to invent cannot be made cheaper and nastier by
another man, and the undiscerning are his natural prey. However, if we were
still faced with proprietary mainframe prices and the astronomical cost of
maintaining custom engineered software, the computer would not be the
ubiquitous tool which it is today. Therefore, there are those who will argue
that the risks associated with operating badly designed, poorly engineered
systems, using largely unskilled operators and minimum levels of maintenance
are more than balanced by the enormous savings which result from
computerisation. Of course no one ever really tries to find out exactly what
those 'enormous savings' are. The simple yard stick is often firing x number
of people to justify the cost of the system and then making those who remain
work to succeed in the new environment.
If you take that line of reasoning, as some senior managers do, you can
argue that there is absolutely no justification for implementing a firewall,
or any other form of risk management technology. What happens is that the
firewall is taken as a panacea at lowest price. To borrow something someone
commented to me recently, firewalls and security are like dieting and
exercise. You know you are eating too much and not taking enough exercise
and you also know that the answer is to eat wisely and take regular
exercise, but there are these slimming pills on the market. Working out a
diet and exercise chart takes skill and time. Keeping to the chart
instructions is a bore. Buying the slimming pills is easy and looks cheap.
'Bill' has got where he is today largely because he produced products which
were well marketed (or over sold - depends on your viewpoint) to people who
did not really know what they were buying but had access to those cash
levels. One thing I see frequently in risk analysis is an MIS department
trying to use 'security' as a way of regaining control over the computing
assets in their organisation, because today the unskilled users in concert
hold more processing, storage and communications power than the MIS
department does. I don't think that anyone can fairly claim any one product
is 'all good' or 'all bad'. Millions of people have recently found out that
Microsoft is more interested in selling Windows95 than in the customers who
now have crippled their old PCs and have to buy new hardware or go back to
Windows 3.x. What surprises me is that they are surprised by that discovery,
but then 30 years of risk management can make one cynical. Right now NT
doesn't have enough track record for that sort of discovery but one day it
will.
Also being old enough to remember not only the pre-'Bill' days, but also the
pre-UNIX days, I remember how some respected computer scientists said that
UNIX was total crap. Back then they had a point, the OS had several *VERY*
unlovely features (which have mostly been removed 20 odd years on) and there
was little choice of hardware. What was available was pretty puny which
explains why RDBMS coming from a proprietary background tends to be much
fatter than products like Informix which had to live with the UNIX hosts of
the early 80s. I think what UNIX brought was a flexible market. If you want
to buy pre-packaged, it's there. If you buy HP (or any other type) hardware
today and want to change to something else tomorrow you have that choice and
even the toughest re-porting is not that much hassle. If you are a control
freak or have a massive ego, you can always have source. OTOH, the option to
buy source reduces risk, even if you don't buy it right now. You may take the
view that the folk who built the OS and ported it onto the hardware knew
what they were doing (probably a lot better than you) and you paid for their
time anyway. However, the fact that you can always buy source later puts a
pressure on that vendor to make sure they do a good job and if any time in
the future you have reason to doubt that, you can always go back to source.
A proprietary vendor (and that includes 'Bill') does not have that pressure
and when things go wrong he can point the finger at another vendor or at the
user. Perish the thought that 'Bill' would ever do anything like that.
There are anti 'Bill' folk around (hard though it may be to believe), but
one should not forget the story reported a while back. It seems that some
VARs in Europe who received early copies of Windows 95 also got a virus they
didn't want. According to the report, Microsoft immediately leapt to their
assistance by identifying a Microsoft sub-contractor as the guilty person
and stating quite clearly that he would never produce media for Microsoft
again - could you ask for more from a supplier? Now if a small vendor
provided product with virus included, he would cause his customers a lot of
inconvenience in taking him through the courts for the loss he caused and
some would say that he would be justly put out of business. Dealing with a
'Bill' is so much easier because you know you can't afford to take him
through the courts so you just write it off to experience and trust him not
to let it happen again (maybe).
Although I think the potential availability of source code is important, I
don't agree that it has to be the sole deciding factor, or that it should be
used necessarily. If you are taking a trusted operating system which has
been developed through extensive testing by a reputable company working
government contracts, and then been evaluated by a third party, the
resulting product will be very good but not perfect. However, the people who
built it have considerable skills and many thousands of hours have gone into
the development. The chances of a sysad finding a real fault in the code is
relatively remote unless he can devote a few lifetimes to pulling it apart.
When that type of product is available as source code, the cost of source is
naturally fairly high. The question therefore is - "is the cost of buying
source justified by forecast benefits?"
What I see is a lot of people trying to teach themselves security and
hardened OS. Re-inventing the wheel has always been a popular human activity
so maybe this is just a natural thing. OTOH there are people out there and
products which have been around a while and work pretty well and as has been
pointed out, users don't normally expect to buy source from people like
Cisco. I noticed one posting recently, from someone working for an
automobile manufacturer, where the individual was clearly stating that he
and his employers knew far more than any lesser mortal and would only ever
buy product which they could strip down and rebuild correctly. The same
company was also advertising how their expertise in vehicle design was
beyond equal (and NO, 'Bill' has not moved into car manufacture). One
wonders what their reaction would be to customers who would only buy their
vehicles if every piece of development information was included in the sale
- probably similar to the reaction of the same auto manufacturer in the early
80s when they tried beating a supplier up to give them US domestic market
prices in every country. The demand went when the supplier said OK you give
me that deal on all the vehicles I buy from you and you can have the deal on
what you buy from me. Yes - you guessed it - the auto manufacturer got more
bucks from that supplier than the supplier would ever get back.
Ian J-B