Firewall Wizards mailing list archives
RE: The Future of Security
From: "Crumrine, Gary L" <CrumrineGL () state gov>
Date: Wed, 1 Dec 1999 07:25:13 -0500
Not to disagree with the esteemed Mr. Ranum... I'd like to add to what he has said. I think the industry as a whole is going to change drastically, as corporate pressure to perform will force individuals and service providers to take more responsibility for the work they now perform. Let's face it, in the last few years, there have been a great deal of major league players in the game performing "Services" without really understanding what they were doing... and frankly stealing their customers blind. Now before anyone lights the flame throwers, I think it fair to say that there has been a lot of poor quality work done in the past, and the complaints come from everywhere you look. It is not focused on one industry segment, or about one firm doing the dirty deed etc. The problem is that when mediocre work is performed at the Fortune 500 level, the trickle down effect is that we all get a black eye. So that is why I think that the market will force so-called experts to do a better job.

Secondly, I disagree with Marcus on the niche prediction. Although this will always be the case in certain levels of any industry, I think the truly successful person will be more focused on the systems approach. The individual that is able to look at an enterprise as a complete whole, and deal with the issues from that perspective is going to be the one that proves to be a key player in any organization.

I also think that you will see so-called experts grouping together into some sort of service bureau or clearing house, and offering their services to clients at more affordable rates. Intrinsic to this will be additional service offerings such as remote network management, centralized monitoring and reporting etc. I think outsourcing of this function will become the only affordable solution in many cases... especially in the small to medium sized company. Businessmen will focus more on their business of making money, not worrying about their network functions. By sharing the management overhead costs with many other clients, the service becomes more affordable, and in many cases will be the only option for small business. On a side note, there also appears to be a growing amount of evidence that large corporations are moving towards outsourcing their IT engineering and networking management as they tighten belts and increase bottom lines... Salaries will continue to skyrocket for the foreseeable future.

On a Hardware/Software note, I have said in the past, and will say it again. I see an integrated product suite that includes firewalls, IDS, VPN etc. in the short term... an area in which we have seen great progress, and for long term, I think the products will include virus scanning, and usage statistics. Also, the appliance should gain momentum when performance, logging, flexibility and applicability match the big boys. I see more work being done on the hardware to address the needs of secure remote management and better solutions for remote users and satellite offices.
-----Original Message-----
From: Marcus J. Ranum [SMTP:mjr () nfr net]
Sent: Tuesday, November 30, 1999 7:37 PM
To: Mark Veronda; 'firewall-wizards () nfr net'
Subject: Re: The Future of Security

> I am interested to know where the experts see the security industry move towards during the next 1-5 years. What security skills are in demand today and what will be needed in the future?

My guess is that not much will change at the broad level. Most of the security problems we have today (active content, transitive trust, trojan horses, firewall permeability) are problems we have had for a long time. Security experts' most crucial skills, in my opinion, are the ability to synthesize common sense from a large number of conflicting and apparently unconnected inputs. In other words, you need to see the forest and the trees, and understand how trees imply forests and vice versa. That's a useful skill in just about any profession, from security analyst to stock broker, CEO, or restaurant owner.

On the technical side, I think the biggest issue for all of us will be making sense of the bewilderingly complex menu of offerings in modern networks. What, of a host of options, works, and what does not - and why. This is going to be particularly dicey when it comes to all the myriads of new applications which are and will be coming out.

My prediction is that security experts will specialize into niches based on what they're interested in. Others will specialize in tying together many niches. Some of this process has been going on for a long time. For example, there are security folks whose entire focus is NT, or Netware, or Java, or browsers. There are others who don't focus on details but worry about the implications of combined security issues in how (for example) browsers interact with NT. To me, what's endlessly fascinating about the field is that the vulnerabilities and problems relate to the cross product of entities deployed. For example, if you are worried about security of browsers on Win98, NT, UNIX, and Macs, and there are 2 (let's keep it simple!) browsers for those platforms, there are 8 or so different problem domains to worry about at a detailed level, and 4 or 2 at a higher level. Keeping track of that kind of stuff is going to be full-time jobs for a lot of smart people.

Another place I see security heading in the next 5 years is the whole issue of tracking users to their actions over the Internet. Depending on what laws get passed, etc, that could be a very interesting problem. It's going to be directly related to whatever resolution occurs with respect to the problems in Ecommerce, online auctions, denial of service, spamming, etc. These are all places where Internet society is torn between its love of anonymity and its desire to catch and strangle miscreants.

I think many things will become appliances, as computers move into an ever-increasing household penetration. This will bring up new sets of problems. What if someone hacks your toaster oven? OK, that's probably not realistic, but what about Dreamcast, and Playstation 2, which will have humongous installed bases and which will all run IP?? My Dreamcast has a browser and a terrifying logo on the front that it is made for Windows CE. Again, there will be fascinating niches for specialization.

About the only thing that scares me is that security may become a problem that everyone hates because it never goes away. I don't want to see security experts lumped in with lawyers and insurance salespeople, as "people you hate to but have to do business with." Security, eventually, will have to solve something. Someday. Of course, I'm one of the security guys that operates at the "forest level" rather than the "tree level" (I got sick of building trees!) and at the forest level a lot of our problems appear to be unsolvable.

Sorry to ramble!

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr