You Can’t Buy Security

Executive Summary: stop buying $tupid $tuff thinking that it will make you more secure.  Fix your fundamentals; there is no magic bullet.

Recently we’ve seen a spate of encryption products show up on the market.  Not to put too fine a point on it, but other people way smarter than us have said repeatedly that you cannot buy your way to secure, and this product family goes above and beyond in support of the argument that buying more security products is wasteful and stupid.  Without naming names, these products “enhance” intranet security by “grouping” servers into trusted and untrusted zones, and offering various tricks for either encrypting communication or denying access.

Now, that sounds an awful lot like what firewalls, VPNs, and ACLs do.  And pretty much everyone with anything worth protecting already has those.  While this “new” technology claims to make the job easier by integrating with directory services, the result doesn’t seem to add any additional security.  Let’s examine the specifics.

Server A and server B need to exchange information, and server C, which is not part of the security group, sits on the same switch in the data center.  Server A and B, without any additional technology, can exchange their valuable data in a switched environment, and C can’t see it.  Pretty simple.  If, however, we can compromise the switched environment, via ARP-spoofing or what have you, C can snoop on the transmission.  So more security seems in order.

Add to the mix that server A & B can encrypt their traffic using certificates.  Now C can spoof it and obtain the traffic, but it’s encrypted.  If C can compromise the encryption, by obtaining a copy of the A or B certificate and then attacking the conversation with a man-in-the-middle attack, again, C can get the data.

If A & B implement two factor authentication, using something that can’t be taken off the wire by C, such as an external key, we make the transaction sufficiently complex that we can essentially disregard the threat and accept the remaining risk.

However, if the intruder has access to the network devices at all, the entire exercise is futile, because they’re already inside the perimeter.  Even if they can’t sniff the traffic, they can always compromise the servers directly, which means adding firewalls and alerting to the mix.
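The detection and alerting piece of the scenario above, as an added example that is not from the original post: a small monitor that pins the first IP-to-MAC mapping and peer certificate fingerprint it sees, then alerts on the two anomalies the argument relies on (an IP that starts answering from C’s MAC, and a peer certificate that changes mid-relationship). The events, addresses and fingerprints are constructed, and the event format is an assumption.

```python
from collections import defaultdict

# Constructed sample events, in the form a segment monitor might log them:
# ("arp", ip, mac) is an ARP reply seen on the shared switch;
# ("tls", peer_name, fingerprint) is the certificate a server saw from its peer.
SAMPLE_EVENTS = [
    ("arp", "10.0.0.10", "aa:aa:aa:aa:aa:01"),  # server A
    ("arp", "10.0.0.11", "aa:aa:aa:aa:aa:02"),  # server B
    ("arp", "10.0.0.12", "cc:cc:cc:cc:cc:03"),  # server C, same switch
    ("tls", "server-b", "sha256:1111"),         # A records B's certificate on first contact
    ("arp", "10.0.0.11", "cc:cc:cc:cc:cc:03"),  # B's IP now answered from C's MAC
    ("tls", "server-b", "sha256:9999"),         # A now sees a different certificate for B
    ("arp", "10.0.0.10", "aa:aa:aa:aa:aa:01"),  # unchanged, no alert
]


def detect_anomalies(events):
    """Pin the first IP->MAC and peer->fingerprint seen, then alert on any deviation
    and on any single MAC that answers for more than one IP."""
    arp_pinned = {}
    tls_pinned = {}
    ips_per_mac = defaultdict(set)
    alerts = []
    for kind, key, value in events:
        pinned = arp_pinned if kind == "arp" else tls_pinned
        if key not in pinned:
            pinned[key] = value            # first sighting becomes the baseline
        elif pinned[key] != value:
            alerts.append((f"{kind}_changed", key, pinned[key], value))
        if kind == "arp":
            ips_per_mac[value].add(key)
            if len(ips_per_mac[value]) > 1:
                alerts.append(("mac_claims_multiple_ips", value, sorted(ips_per_mac[value])))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS):
        print(alert)
```

In practice the baseline would be seeded from the known inventory rather than from the first packet seen, so a spoof that starts before the monitor does is still caught.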

That results in a very strong security model, provided everything’s done right of course.

Now look at the addition of software that does all that for us for an additional fee.  What have we gained?  Encrypted communications?  Check.  Source/destination authentication? Check.  Intrusion detection?  Nope.  Wait.  What?  I still need the detection and alerting capabilities?  Yes.  No matter what you need detection and alerting.  It’s part of the fundamental security model.  And if you’ve got detection and alerting working right with everything else, you’ll spot attacks early enough to prevent loss.

You’ve got a detection and alerting system, right?  Watching for anomalies in behavior and data flow?  If not, that’s the #1 priority.

But if you have that, and you add the fancy control software, have you gained anything?  Nope.  We have nothing beyond what we had using native technologies that most of the target-market companies already have in place.

What you have gained in addition is a negative value.  The new system is going to require management.  Since you aren’t shutting off the other stuff, it’s in addition and doesn’t save you anything; it adds to cost.  The new system is going to require monitoring and alerting, which means adding it into your existing capabilities and updating rules, which is an additional cost.  The new system is going to require testing and patching, and since nothing has gone away, it’s in addition to your existing efforts, which makes it an additional cost.  Finally, it’s one more piece of software, increasing your number of attack vectors by one, which is an additional risk.

All in all, not a great day to be selling product X.

What’s worse, some of these vendors are telling people to use their encryption to pass traffic across the ‘net, a la a VPN-style connection, only from server to server, and not from firewall to firewall, or at least VPN device to VPN device.  While it’s possible application vendor SoAndSo does do VPN technology better than VPN technology vendor Namebrand, I would bet that it doesn’t.  But even if they do, it’s still no gain over existing technology, meaning it’s still a cost and this is not a redeeming feature.

What it comes down to is what it’s always come down to.  You need to do the basics, and you need to do them well.  It doesn’t matter what you buy if your passwords are weak, and it doesn’t matter that you encrypt if you leave your certificates lying around.  So instead of spending $tupid monie$ on shill-ware like this stuff, invest that money in your people and in doing things right.  You don’t need yet another security tool; it won’t fix anything, and it’s a waste of money.