[Discuss] NAS: encryption

Rich Braun richb at pioneer.ci.net
Wed Jul 8 22:46:24 EDT 2015


Rich Pieri wrote:
> Paranoia is an 
> irrational fear. We should not be paranoid. We should be rational about 
> security.

On this flogged-to-death topic, I finally spotted a statement that I can agree with (the other) Rich on! Brought a smile to my face.

A lot of the statements in this heated discussion aren't necessarily mutually exclusive. Open-source definitely has its place, but so do proprietary solutions. One example I worked on last year was Vormetric's whole-disk solution which is overpriced but fills a niche that none of the open-source projects do.

Comments about FIPS-140-2 certification are beside the point. If you're relying on that cert, you're still fighting last year's (or last decade's) war against intruders who are upping their game much faster than any compliance-monitoring company can manage. Google for the fips-140-2 certified-products list and you'll find almost nothing cloud-related yet, at a time when data centers are migrating to the Cloud at warp speed.

It's an arms race between white-hats and black-hats, plain and simple. It's currently escalating, and at some point even AES itself will be compromised. For now, most security revolves around tight management of ldap/authentication-directory servers, improvements in key-store systems, multi-factor auth, and disk encryption schemes.

Security is hard because if you make it too inconvenient, our enfeebled human brains will come up with a backdoor around most any IT manager's policies. It still chills me to think that most anyone with a calm voice and a copy of a stock-brokerage statement can social-engineer their way into my accounts by merely hijacking my email and then threatening to stop doing business with the firm unless the call-center flunky turns off multi-factor auth, issues a password-reset email, and lets "me" into "my" own darned account. I'm not at all convinced many large enterprises know how to deal with those exceptions properly without royally pissing off legitimate customers, given the primitive state of security technology currently available.

There's a lot left to do in the security software biz. I suspect today's undergrads can pursue PhDs and then a full career in it, and still not get bored half a century from now.

-rich
