Vin McLellan passed along the list of the "Top Security Threats Facing
Corporate America," as defined by Pinkerton's annual survey of security
directors of Fortune 1000 companies, most of which were obviously "insider"
threats. Ken Simmons <KenS @

>This will continue to worsen given the trend towards the use of Temps
>and other disposable workers. We are seeing an increase in internal
>firewalls and other security measures. My favorite though is the shop
>with the firewall and the Temp security admin.

Your "disposable worker" point is well-taken, but those trends may
only reflect a short-term corruption of "management" practice by executives
obsessed with pumping up the quarterly reports for their shift. Healthy
companies will succeed because they value and husband their human capital.
(Note the prices paid in recent corporate mergers in IT where, often, most
of the corporate assets are human.)

There are other trends, however, which also tend to break down the
secure perimeter and bring more strangers in behind the (fire)walls. You
may not see them in the military, but in a number of major industries
(manufacturing, distribution, retail, etc.) the best and most efficient
management practices are opening up corporate networks to suppliers,
Just-in-time manufacturing might require a major car company, for
example, to allow personnel from _hundreds_ of suppliers access to
corporate databases. Distribution and sales operations also have moved
rapidly toward network interconnections for the best of reasons:
efficiency, savings, profits.

The point is, the impulse toward opening up the corporate network
to "outsiders" is not something that better management, or better HR, or
even better risk management will reverse or mitigate. I think the "secure
perimeter" has always been half myth, but something important is happening
here. A popular security paradigm is being discarded or ignored because
capable managers, winners, have decided that other values are more
important to their organizations. Infosec professionals will have to come
up with a new response to the requirements of these new "open" corporate
operations. I'm hopeful that PKI and X509 v.3+ Certs will provide a lot of
the answer, but Kerberos will doubtless see a resurgence -- and <with a lot
of grumbling and nibbling at crow> I think the folks on this List will also
have to consider again the best of government practice for multi-level
networks and data-labelling.

"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A thinking man's Creed for Crypto/ vbm.
* Vin McLellan + The Privacy Guild + <vin @
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548