
David Lacey
The Jericho Forum, Honorary Fellow

David Lacey's blog, 01-10-2009 22:20

The real security lesson from Cloud Computing

Without doubt the hot issue over the next year is cloud computing. It is a compelling and, in all likelihood, inevitable extension of the general trend towards virtualization that networks have made possible. Cloud computing means different things to different people, but the key proposition is that you hand over the management of your infrastructure and applications in order to benefit from greater economies of scale and, hopefully, safety in numbers.

It all sounds promising. Why struggle to get your IT working efficiently on your own? The problem is not the logic but the fact that there is as much madness as wisdom in crowds. Following the herd brings huge benefits as well as big risks. Today we hear all about the promised benefits from vendors, but we know little about the risks, because we have not yet experienced them. Technologies always emerge well before we notice the problems they bring.

There are lessons here for security professionals. The first is not to imagine that a technology is safe just because nobody has yet experienced a problem with it. The second, and more important, is that security must move away from its traditional focus on historical controls and theoretical future risks. The future is uncertain in terms of risks, incidents and impacts. We cannot predict it, nor can we assume that our traditional controls will be adequate.

But, increasingly, the future lies in the hands of people, which suggests that our security strategy should change. We would be far better off, for example, spending more time identifying and compensating for the root causes of incidents - which are mainly human failings - than guessing at the impact of theoretical future risks.

This is nothing less than the 'new security' that we all need: an approach rooted in learning points rather than guesswork. Just imagine how much better our security would be if we had addressed long-standing weaknesses, such as weak passwords, rather than wasting time on risk assessments. Unfortunately, that would be far too logical, and real life is not like that. Contemporary security practice is shaped by consultancy lines of business, vendor products, and public policy enshrined in tablets of stone. It is time for a shake-up.



Permalink:
http://www.infosecurityadviser.com/view_message?id=142

© 2009 Reed Exhibitions

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs