New Religion

From SecurityForest


Fairy tales always begin with "Once upon a time" and end with "They lived happily ever after".
Fairy tales can be based on reality and on real people, but the atmosphere, the color scheme and the events are taken from the vivid imagination of the writer who envisions them.
Information security and emotional intelligence are the golden union of the 21st century.
We discovered what has always been there, which suddenly changed before our very eyes, becoming much more important, and even monstrous, out of nowhere.
In a world where everyone is afraid of the dark, selling the monster from the dark forest is easy.
We are never afraid of what we know must happen.
We are afraid of what we do not understand, of what may happen, of the great unknown.
We are mostly afraid of fear itself.

Information security has become in many ways the gold rush of the "virtual 21st century".
As the era of eCommerce has reached its final death, information security has become the center of disagreement in the computing industry.
In the world we live in today, cyberpunk has become a mandatory part: a world where protecting your key through a trusted 3rd party is doubtful, a world where 40-bit encryption is far from being enough.
Ask 10 security experts and you'll get 100 different security solutions for the same problem.
We have come to the realization that the illusion of security offered by SSL is merely one step on a long road, a road where today's spotlight has shifted to securing the end stations that are responsible for receiving the data.
While we are fighting to find solutions for protecting our vulnerable end stations, the average security professional fights to find a way to secure our credit card information on the server from the average hacker, while accepting the "fact" that no system is completely secure, and that nothing can be done to protect against a very sophisticated hacker who really wants to break in.
We were told to believe that there is no such thing as a secure system. Is that really the case?


We are all cyberpunks, getting scared by each new security alert.
How many of us spend the time to read through an alert to the end, to really understand the risk scenario and its meaning, and to logically wonder: is that really a risk?
How many of us just read the headline, and later tell everyone about the great new risk to the IT industry without even spending the time to understand it?
At each security conference we meet the "buzzword compliant" people, those who can drop into every conversation an endless list of technology concepts like "man in the middle attack", with a fervor worthy of admiration.
Is this a conspiracy? A strategy or a tactic? Are we facing the birth of a new "security religion"?
How many of us, creating the security infrastructure for our Web presence and line of business applications, are used to separating the presentation layer from the data layer, and both of them from our Active Directory, while placing each of them separately and securely in its own DMZ, behind its own firewall interface?
We are used to implementing security schematically, as if applying a mathematical function called "security" could resolve each and every calculation we must perform.
When will we come to the understanding that, exactly as we all understand that a single function cannot resolve each and every mathematical scenario, our old and familiar security concept has gone bankrupt and reached its end of life?

Yes, our old and familiar DMZ concept, which we were protecting religiously, has died, and has been replaced by the old but new intelligence of IPsec.
Our DMZ, which provided us with traffic control and filtering, monitoring, policy and enforcement, has been replaced by IPsec intelligence, providing everything we had (filtering, traffic control, monitoring and policies) while adding encryption, endpoint security and mutual authentication, and bringing the security world as we know it to new and exciting levels.
We have grown the dangerous habit of creating Web applications that are full of potential security issues, which we patch again and again; then we introduce another application with its own issues to protect our own application, add another application to provide secure authentication, develop our own data encryption solution, and then add yet another solution to monitor the security of all the others.
When faced with the complete horrifying atrocity of the monstrous result, and the 20-50% performance hit, it is then acceptable to say "well, security is a balance between usability and security, where the customer must decide...".

We can do it differently.
We can invest in security from step one of development and create secure applications, not "securely patched" applications, thereby preventing the need to use another application to protect our own.
We can invest in writing secure code, and in code reviews, thereby saving the later cost of security patching.
We can use existing security data stores like Active Directory and save the need to develop our own secure storage.
Have you ever wondered why you are told not to deploy AD in the DMZ, but then use a much less secure DB as your secure data store? Use what is standard and supported, use what is there, don't reinvent the wheel.

Fairy tales begin with "once upon a time" and usually end with "they lived happily ever after..."
Fairy tales can be very convincing, and sometimes we really want to believe, but in today's security world we must know the difference between a fairy tale and reality.
