Monday, May 05, 2008

How much is enough?

Is IT security / technology risk management a discipline or an art? Is it subjective or objective? (Is information technology deterministic, or just overly complex?)

Are IT systems and frameworks closed systems? What comparable frameworks or systems (through which value transits) must defend against sentient attackers who attempt to subvert, control or disable services?

Can organisations quantify the value of information in motion or at rest within their managed footprint? Can they independently verify or audit the flows and data objects present? Somehow the bad guys have a better appreciation of CPU, disk, bandwidth and SERVICE than we do!

Does it come down to simple economics? How to incentivise and penalise?

Surely 'Critical Infrastructure' should be held to extremely high standards by an independent body of technical auditors?

Does it really come back to accountability? Do we/they/us/them need to get burned badly (which the miscreants don't want either!) before we are enlightened?

Can the little guys afford the head count of the big boys? (Big boys who sometimes have *less* of a clue about their systems than the little guys in the first place!) Is it possible that sink-holing traffic centrally in the cloud will give us the visibility and control we have hoped for? Thin offices, perhaps staffed with 'thin' people :)

For me it comes back to a simple paradigm: you can't manage what you can't measure. We need to return to atomic units via reductionist thought, and this is what I hope shall come with cloud and utility computing. Can you or the cloud provider "afford" unaccounted-for CPU, disk, flows, bandwidth, kilowatts or runaway code once each of them becomes a billing issue? Once IT shops in enterprises start properly implementing "charge-back" rather than a flat-rate service we may see some changes, especially when this is coupled with a metric and cost applicable to shared infrastructure such as network fabrics, DNS, NTP, control planes etc.

How can we secure a service when we can't even charge for a service?
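The charge-back idea above, as an added example that is not part of the original post: a small meter that prices each tenant's atomic units (CPU-seconds, disk, flows, bandwidth, kilowatt-hours), allocates the daily cost of shared infrastructure (fabric, DNS, NTP) by each tenant's share of flows, and then flags any tenant whose daily bill jumps far above its own median. That last step is the point of the post: once every unit is metered, runaway code stops being invisible and turns up as a billing anomaly. The rate card, tenant names, shared-infrastructure cost and daily samples are all constructed for illustration.

```python
"""Added example (not from the original post): a charge-back meter that
makes runaway resource consumption visible as a billing anomaly."""
from dataclasses import dataclass
from statistics import median

# Hypothetical rate card: price per atomic unit (assumed values).
RATE_CARD = {
    "cpu_s": 0.0002,    # per CPU-second
    "disk_gb": 0.01,    # per GB-day stored
    "flows": 0.00005,   # per new network flow
    "bw_gb": 0.05,      # per GB transferred
    "kwh": 0.15,        # per kilowatt-hour
}
SHARED_INFRA_COST = 120.0   # assumed daily cost of fabric, DNS and NTP


@dataclass
class Sample:
    """One tenant's metered consumption for one day."""
    tenant: str
    day: int
    cpu_s: float
    disk_gb: float
    flows: int
    bw_gb: float
    kwh: float


def direct_charge(s: Sample) -> float:
    """Price the tenant's own units against the rate card."""
    return sum(getattr(s, unit) * rate for unit, rate in RATE_CARD.items())


def allocate_shared(samples, shared_cost=SHARED_INFRA_COST):
    """Split the shared-infrastructure cost per day by share of flows.

    Flows are used as the allocation key because fabric, DNS and NTP
    load scale with connections rather than with stored bytes."""
    by_day = {}
    for s in samples:
        by_day.setdefault(s.day, []).append(s)
    alloc = {}
    for day, rows in by_day.items():
        total_flows = sum(r.flows for r in rows) or 1
        for r in rows:
            alloc[(r.tenant, r.day)] = shared_cost * r.flows / total_flows
    return alloc


def daily_bills(samples):
    """Return {(tenant, day): bill} = direct charge + allocated shared cost."""
    shared = allocate_shared(samples)
    return {
        (s.tenant, s.day): round(direct_charge(s) + shared[(s.tenant, s.day)], 2)
        for s in samples
    }


def flag_runaway(bills, factor=3.0):
    """Flag (tenant, day, ratio) where the bill exceeds factor x the
    tenant's median daily bill; the median survives a single runaway day."""
    per_tenant = {}
    for (tenant, day), amount in bills.items():
        per_tenant.setdefault(tenant, []).append((day, amount))
    flagged = []
    for tenant, rows in per_tenant.items():
        baseline = median(amount for _, amount in rows)
        for day, amount in rows:
            if amount > factor * baseline:
                flagged.append((tenant, day, round(amount / baseline, 1)))
    return sorted(flagged)


# Constructed samples: two tenants over five days. On day 4 "payroll"
# runs a job that loops on the network (runaway code) and its CPU,
# flow and bandwidth counters explode.
SAMPLES = []
for day in range(1, 6):
    if day == 4:
        SAMPLES.append(Sample("payroll", day, 400_000, 50, 200_000, 300, 10))
    else:
        SAMPLES.append(Sample("payroll", day, 20_000, 50, 4_000, 10, 2))
    SAMPLES.append(Sample("web", day, 60_000, 200, 16_000, 40, 5))


if __name__ == "__main__":
    bills = daily_bills(SAMPLES)
    for key in sorted(bills):
        print(key, bills[key])
    print("runaway:", flag_runaway(bills))
```

Note the side effect on the other tenant: on the runaway day "web" is billed less for shared infrastructure because "payroll" now owns almost all of the flows, which is exactly the kind of cost shift a flat-rate service hides.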

Billing 2.0, Utility 2.0, Employment 2.0

1 comment:

ZX said...

Over complexity has to be part of the problem, but you have to put sloppy coding high on the list.

Your point that we don't even know enough about what is going on in the black box to charge the consumers an economic price for service elements is a very good one. QED!

Charging and pricing would certainly be a help in some areas, particularly if remedial action was properly costed. In addition there might be something to be said for attaching lifelong liability to coders: if their botched code screws up, they either come back and fix it for free, or get sent to the dungeons, and/or compensate the client otherwise. That would sharpen a lot of programming minds and shake a lot of crap out of the system.

Meanwhile, strong independent audits, golden age opportunities for former hackers and so on, would be a help.

Keep the questions coming!